If your account has been compromised, you may experience one of the following scenarios:
- You notice unauthorized charges.
- You receive a pop-up windows or message, such as an achievement that you don’t recognize or that you've signed in from another location.
- You cannot login to your Microsoft account (formerly known as Windows Live ID) to change your password.
- You notice unrecognized strong proofs associated with your account. (For more information about proofs, see #1 in the More Information below.)
If you encounter any of the above scenarios, follow the steps below:
- Change your Password
- When you suspect something suspicious has happened with your account, you should change your password immediately.
- Go to
and see if you can still log into your Microsoft account.
- If you can, change your password immediately and setup strong proofs (if none exist). We highly recommend setting up an SMS and Trusted PC under Account Information section, then go to step 2.
- If you cannot sign in to your Microsoft account to change your password or if you notice unrecognized strong proofs, skip to Step 3.
- Check your bill
- Go to
and check for any suspicious purchases. As with any billing statements, you should check this on a regular basis.
- Contact Windows Phone Support, if needed.
Contact support if:
- There are unauthorized charges on your account.
- You are unable to change your password.
- Your gamertag has changed.
We can guide you through the next steps. To help us, please have the following information ready:
- The Microsoft account associated with your gamertag.
- An alternate email that is different than the one associated with your Microsoft account.
- You may also need the credit card associated with your account.
To contact Windows Phone Support visit
Follow this checklist to make sure your Windows Phone account is as secure as possible.
- Add additional security proofs to your Microsoft account
Your Microsoft account allows you to create your own spare set of keys or "proofs" in case you lose your password or access to your account using the following four methods:
- Mobile number. Adding a mobile phone number can help us verify that this is your account. Also, if you forget your password, you can use this number to reset your password.
Tip We strongly recommend that you set this up now as the primary way of retrieving your account back to you in the event it gets compromised.
- Trusted PC. A unique proof that lets you link your Microsoft account with one or more of your personal computers. Then, if you ever need to regain control of your account by resetting your password, you simply need to be using your computer and we will know you are the legitimate owner.
- Email address. Used to support password reset notifications. You can have one or more email addresses associated with your account.
- Secret question. If you forget your password, we'll ask for your secret answer to verify your identity. Only you should know your secret question and secret answer.
Tip Use an answer that is completely irrelevant to the question being asked. For example, if your question is "Mothers' birthplace," then use Windows98se as your secret answer.
To add password reset information:
- Go to the
webpage, and then sign in with your Microsoft account.
- Create a strong password on your Xbox LIVE account
Using a simple password that is in a dictionary or the name of your pet dog can be very easy to guess. Create a strong password that includes a combination of uppercase and lowercase letters, numbers, and special characters (for example, #, $, %, ^, &, and *).
Tip Think of a memorable sentence from your favorite film, book or song lyric then take the first letter of each word in the sentence, then add meaningful numbers and add special characters to make the password strong then
to see how strong your password is.
- Use different usernames and passwords for different sites
Use different usernames and passwords to different online sites, especially important sites which hold financial or personal information. If you use the same username and password everywhere, and they're stolen, you could lose access to all of your accounts at once.
- Take caution when using your Microsoft account in public places or a shared computer
If you check your Outlook.com account, sign into xbox.com, or use another service which requires you to use your Microsoft account credentials on a public computer (such as an Internet café), take caution in that these computers may not offer the same protection that you might have at home. We recommend that if you are looking to use a public computer that you use a single-use code instead of your password when signing in with your Microsoft account.
Find out more about how to set this up here.
If you do have to use your regular Microsoft account password, remember to sign out and close any browsers when finished.
- Avoid sharing personal information
Share your Microsoft account only with people you know and trust. Treat your personal information online the same way you would offline--follow the same rules as you do in the real world as you do online.
- Never share any personal details about you or your account
Do not give your full name to strangers over the Internet. Do not put your full name in any public facing profile.
Keep your physical address private. Telling someone what school you go to or what neighborhood you live in can be enough to locate more information about you. Think of all the personal information that you have likely posted to social networking sites such as Facebook, MySpace, or OneDrive that someone could use to pose as you. Do not put your full physical address in your profile.
Do not give out your primary Microsoft account as an email address to strangers. Set up a secondary email account at
, which you can use for communication with unknown people, mailing lists, etc. Maintain a strong password on the secondary email account as you do for your primary account.
Do not unnecessarily reveal information about yourself or your accounts. Be wary of anyone asking you for information that they do not need.
Do not share your password or personal information with anyone contacting you who is presenting themselves as a customer support agent or affiliated with Windows Phone, Xbox, or Microsoft. If you are concerned that the contact might not be legitimate, contact Windows Phone, Xbox, or Microsoft Support. Microsoft will never ask for your password in email, through instant messaging, or over the phone. Enter your Microsoft account password only at known Microsoft sites or on the phone.
- Install or update your Virus, Spyware, Malware protection software for your computer
Make sure you are running your virus protection software, and that it is up to date. If you don’t have any protection software installed we strongly recommend you do so now.
Microsoft Security Essentials
is free Antivirus software available for download that also protects against spyware and other malicious software.
- Update your web browser and PC with latest security fixes
To ensure your web browser and computer is up to date with the latest security fixes, check to make sure you have the latest updates from
- Make sure your browser phishing filters are turned on
Enabling these in your web browser helps detect phishing websites, protects you from downloading or installing malware (malicious software), and can alert you of any potential scamming websites. Normally these are turned on by default; however it's best to double check:
- Internet Explorer: Select the "gear" icon on the tool bar, select Safety, and then select Turn On Smart Screen Filter.
- For all other browsers: Check the browser's online help.
- Only log in to Microsoft trusted websites with your Windows Live credentials
Is the website an official Microsoft site? Beware of websites which ask for your Windows LIVE account details, especially sites which offer deals that are too good to be true, such as free Microsoft Points. Check the address bar in your browser before entering any details. You can identify common Microsoft sites by the following addresses:
- Don’t click links in emails, go to the site directly and log in
If you see a link in a suspicious email message, don't click on it. You can generally spot suspicious emails by
- Alarmist messages and threats of account closures.
- Deals that sound too good to be true.
- Bad grammar and misspellings.
Instead, type out the address in your web browser to see if you are going to the actual company’s website.