I have held off talking about something for quite some time. I do not mess around when it comes to security, especially for my critical accounts. When the actual security of an account has been compromised, as was the case with my Microsoft Account, I do not advertise it.
On December 7th I sat in the Second Cup cafe on Bank Street in Ottawa and wrote an article called A Big, HUGE Microsoft Security FAIL. I wrote about how I had been unable to change my password and that their engine to do so was broken, but that it turned out it was not everyone, it was just me.
‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’
It took several days for anyone at Microsoft to take me seriously, but my issue was finally escalated to a 2nd Level Support Tech named Gary (who, I want to be clear, was a nice guy, and as helpful as he could be under the circumstances). Gary and I got to know each other sometime in mid-December. Remember, the issue started happening the last days of November, I reported it on December 5th, and the case was escalated (grudgingly) around December 9th.
Gary spent a couple of hours trying to help, and then in discussions with the Product Engineering Team trying to get it fixed. By the end of the day he said something to the effect of: “Yeah, neither I not our engineers have ever seen a problem like this. It might take some time, but if you are willing we will work with you to get it fixed.”
Some time… It might take some time… that was on or about December 9th.
I am happy to say that the problem has now been resolved… As I sit and write this, with the resolution less than an hour old, it is 1:15pm, Wednesday March 22.
I spent nearly a decade touting the virtues of Microsoft’s security… and then from the day I informed them that my password had been compromised, and that a glitch in their system was preventing me from changing it, it took 107 days to resolve the issue.
So let’s take a quick rundown of some of the sites and services that are accessed with my Microsoft Account:
- Skype (One of the ways I communicate with hundreds of people)
- OneDrive (All of my files!)
- Microsoft Certified Trainer (MCT) account (including my MCT renewal, courseware downloads)
- Microsoft Certified Professional (including my MCP Transcripts)
- MSDN Subscription (including all my software licenses and keys)
- Windows Store (including credit card information)
- Microsoft Volume License Center (VLC)
- Microsoft Store (including credit card information)
- Microsoft Partner Portal
- MY WINDOWS COMPUTERS
And so, you can see, this is not like having my Words With Friends account compromised… This is extremely serious and far-reaching. This was… everything.
Once a week I would get an e-mail from Gary telling me that they had not yet resolved the issue… but they were still working on it, and he would continue to keep me informed.
On March 6th a hacker compromised my Skype account, and sent a link to dozens of my contacts with malicious content. Naturally those contacts let me know, and I reached out to Gary and told him that now that hackers had indeed compromised my account, they needed to resolve the issue and pronto. Gary replied with: “I have taken a look into your account, to look for any evidence of unauthorized access, and I did not see any. Was any account info changed? Can you still login?”
a few days later that he had not been able to open the embedded picture, and asked that I resend it as an attachment. Thank Heavens for that, because had he taken the next step immediately I would not have been able to renew my Microsoft Certified Trainer (MCT) credential in time.
So when Gary did finally get the picture (as seen above) he wrote (on March 18th):
If you received that message, then it could be that someone attempted to access the account.
To prevent that, I have placed a suspension on the account that will prevent any login activity. While my engineering team investigates this issue, no one will be able to break into the account. I have also left a note on the account so that the attacker will not be able to attempt to remove it.
Wonderful. You are suspending my account now, probably after the damage has been done, but all this is doing is punishing me. FIX THE DAMNED PROBLEM!
On the same day as I received this e-mail I wrote the following one line response:
Gary this is no longer acceptable. I am calling a lawyer.
On Tuesday (March 21) I received Gary’s reply:
In light of this recent reply, I have escalated this issue to a second team within Microsoft, and am awaiting to hear their response.
I understand the frustration, but please know that I cannot do anything to speed up the engineers and Ops teams working on this issue.
Wouldn’t you know it… The following day (that’s today, Wednesday March 22, 2017 – 107 days after I first reported the issue) I received a call from Gary that started with:
Well Mitch, it seems that when you threaten to call a lawyer things get done faster. I think we have solved your problem.
Indeed, before the phone call ended I had successfully changed my password.
One hundred and seven days after I first reported the problem.
One hundred and seven days since I told Microsoft there was a problem with their security.
One hundred and seven days since I told Microsoft that my account had been compromised, that someone had my password, and that I needed their help to secure my data and reputation.
One hundred and seven days. Actually it was only 105 days since I wrote the original article (which will be published shortly after this one, untouched since the original writing).
So why didn’t I publish sooner?
There are a handful… maybe four or five people who know the story and who understand some of my frustrations with this case. These are also people who know I have a great bully pulpit in the form of this blog. They have all asked me ‘Why didn’t you publish sooner?’ Two of them asked why I did not go to the mainstream technology media to let them know about this.
Simple… I have an account that is easy enough to guess, to which I could not change the password. If the wrong people knew about that they would have focused on getting that password and, once they had it, they knew I couldn’t change it. They would have literally owned me.
And so I sat quietly, seemingly patiently, waiting for Microsoft to fix the problem. I waited those 107 days knowing that when it was finally resolved I would a) breathe a big, huge sigh of relief, and b) sit down and write this piece, venting my facts and frustrations.
MICROSOFT! HOW DARE YOU? How can you let ANY problem, let alone one as serious as this, fester for so long unresolved? Do you think you owe me nothing? At this point I am still considering a lawsuit, and if you don’t think damaging my reputation and peace of mind is worth damages in a court of law then you are seriously misreading the system. You should be ashamed of yourselves, and you should be tracking down who is responsible for this travesty, this shame, and firing them.
I got that off my chest. I have, over the past two weeks, asked friends and colleagues for recommendations on lawyers. I might just reach out to one this afternoon. We’ll see.