Honestly, what you’re seeing doesn’t surprise me. What most people don’t realize is that we are all under constant attack. Every account, every server, every machine connected to the internet. It’s slow and unrelenting.
But it’s also normal.
I have some suggestions for what you should do, but closing your account isn’t one of them.
Become a Patron of Ask Leo! and go ad-free!
Recent activity in Outlook.com
Your Hotmail account is now handled by Outlook.com, and is a Microsoft account, also formerly known as a “Windows Live” account. As of this writing, information about recent activity is available via this URL:
You may be asked to confirm your identity with an extra step involving re-entering your password, or a code sent to a phone number or alternate email address on record.
Look closely, and you’ll see someone attempted to use this account to sign in to a Microsoft app on an Xbox. While I have an Xbox, I’ve never once used this example account to sign in there. Note that it was an “Unsuccessful” sign-in, so no action was required.
The only time you need to secure an account, in my opinion, is when you see successful sign-ins that aren’t you. A string of “Unsuccessful sign-in” entries — failed login attempts — are the system working as it should: hackers and others are being denied access to your account.
We are all under constant attack
All our accounts, computers, servers, and connected devices are under constant attack. Attacks may be slow or fast, targeted at specific accounts, or just trying things randomly, but they are never-ending.
Hackers or bots or who knows who else try to access any account by any means they can find. They’re typically unsuccessful, but it only takes once to get hacked. And from their perspective, even if they trigger millions of automated attempts and get in to only one account, they’re successful.
Secure your account
The single most important thing you can do is secure your account with a good password.
The longer the better and the more random, the better. Ideally, you use a password manager like LastPass, enabling you to choose passwords so random there’s simply no way to remember them.
And of course, never, ever use the same password on more than one site. Very often these automated hacking attempts are hackers exploiting data they found somewhere else. Perhaps a different account or service has been hacked, and they’re trying the password they found there at every other account they can think of that might be related.
That approach can be surprisingly successful.
Consider two-factor authentication
I also strongly suggest two-factor authentication for any account you consider to be sensitive. With two-factor authentication, hackers can have your password and still not get in, since they can’t prove possession of the second factor.
I need both my password and a number generated by an application on my smartphone in order to log in to my Outlook.com account.1 It proves I am in position of my second factor: my smartphone. Even if a hacker gets my password, they still can’t log in, because they don’t have that second factor.
Lots of failed login attempts?
In your scenario, I really don’t think there’s anything to be truly concerned about. The failed login attempts indicate that the system is working as it should.
It’s just a reminder of how important password and account security really is.
1: Technically, only the first time I log in to a new machine, should I so choose. After that, the machine can be “trusted”. For hackers, every time is the first time.