Store account hacked

My user account has been hacked. Microsoft sent me 3 emails saying:

An unknown email was added

My email was removed

My phone number was removed

The hacker bought an Xbox game pass for £58 - because MS keep financial details of buying MSFS the pass was paid without my consent.

I cannot login to Live

I’ve blocked further payments to MS via PayPal

Any advice? I’m very concerned I might lose the ability to run MSFS2024

The payment is pending in my bank account, so no money has been transferred.

Thanks. I’ve filled in the recovery form and MS said no.

Filled it a 2nd time including 2 recent passwords, you can do it twice every 24 hours.

All over the net are stories of accounts lost forever.

Can I switch my MSFS2024 to a new account?

No, that is not possible, as with other purchases.

1 Like

I can still run the game, and the logbook is intact.

The game logs in, so that might be via Xbox live and not my MS account (which I cannot access now)

If you are still logged in via Xbox Live, try to quickly change your password there. It’s a Microsoft account issue, not an MSFS issue.

You should focus on recovering the account, not whether you’re able to play MSFS or not.

6 Likes

I’m a retired software engineer, so yes focusing on recovery. But the MS recovery form is a brick wall and it’s impossible to talk to anyone.

I don’t understand Xbox live or even use it?? I just followed the instructions to buy and install the sim.

1 Like

Xbox Live (and the app) is a game distribution platform like Steam and other game stores which uses your MS account. You can log into your Xbox profile using your MS account.

I assume you didn’t have 2FA enabled on your MS account?

No 2FA. However MS are explicitly clear they cannot recover 2FA accounts “sorry”.

I had no idea MS had kept my bank card details. I never use login live, literally, so never perceived a threat.

With 345 million accounts they are a big target. Just 0.1% hacked is 300,000 a year!

If I can’t get into Xbox Live I could be grounded.

Not much you can do then except hoping your recovery form gets handled. Good luck!

If all else fails: new MS account, re-buy MSFS and start over. (and enable 2FA)

Yep. But I object to buying MSFS again, through no fault of my own.

MS know my IP address which probably hasn’t changed since I bought FS24. They can track that to my city. Neither has my PC or home changed, so there is enough info to uniquely locate me and my PC.

The MS servers were hacked.

I might focus on Xplane.

Hi @PilotJedi668

As it seems you have already done, we’d advise continuing to pursue support via the Microsoft Support channels.

For any account issues specifically pertaining to Microsoft Flight Simulator, you’re welcome to contact our own Customer Support Team to let them know of your current scenario: Submit a request – Microsoft Flight Simulator Support

Thanks
The MSFS Team

1 Like

I caught mine being accessed yesterday also. I have MFA so managed to get into recovery and change the password. No nefarious activities so far so I am assuming they are banking on no MFA and just password.

1 Like

I just logged into my Microsoft Live account, changed the password, and enabled 2FA.

Signed out of Microsoft Live, then logged in to Xbox Live using the new password, but it didn’t require a 2FA confirmation.

:thinking:

That part is debatable. You are responsible for your own account security. If you’re not careful about passwords and/or 2FA, these things can happen. The internet is full of bad people.

4 Likes

I think this thread should serve as a gentle reminder for everyone to review their account security, not just MS but everything else as well. Treat your accounts like your house, the more awkward you make it to break in, the less chance you’ll potentially become a victim. :+1:

I’m forever lecturing family and friends about having strong, unique passwords for everything, 2FA, MS authenticator app if poss, usually met with, “I’ll never remember that.” :sweat_smile:

1 Like

Yeah, re-use of passwords is one of the bigger risks. MS won’t get hacked that soon (famous last words, probably) but that small store 2 cities over with a new webshop might.

I agree.

I avoided using Live, so never perceived a threat and forgot about it.

What I didn’t realise is that buying FS24 with PayPal meant that, after being hacked, buying an Xbox pass could happen without my approval.

This is a weakness of both Microsoft and PayPal together. You should all be vigilant that PayPal transactions can go through without a password.

They have actively made it “one click” for quick purchase - which is marketing spin for dropping all security checks.

Folks have had their phones stolen and lost over £20,000 in one day via PayPal.

I’m thinking of closing PayPal, my bank app can be used to authorise every big spend and the debit card can be suspended immediately.

There are 5 levels of suspension, so subscriptions could be blocked but taps at the coffee shop work.

To be fair to the users, it’s now incredibly awkward to log into anything even legitimately. For example, at the weekend I wanted to download a piece of free Nvidia software. In order to do this, I had to “register” and give them my email address. Once I had done this, they then sent a link to my email which I had to click on. So I go to my email to log in. It wouldn’t let me use my password and suggested using another method such as system key or PIN. I don’t have a system key, but I do have a PIN which it forced me to set up. So I selected that option - however, it didn’t give me the option of using my PIN, only the system key on a USB stick, which doesn’t exist. I eventually worked out that by opening my email in a different browser, I could finally access it, click the link, and then download the software. Oh, I should add, I had to enter a load of unnecessary personal details first before I could download it.

It’s hoops like these that set up people to follow the path of least resistance - use a password you can remember because if you forget it, resetting it involves five different Fort Knoxes, a text to your phone, an authenticator code that lasts 5 seconds before it changes, etc. The increased security in some areas causes decreased security in others.

6 Likes

My account got hacked a few years back. I tried the recovery forms so many times and it never worked. A member of the Microsoft escalation team emailed me to arrange to call me so we could try and get my account back. They apparently attempted to call me but I never had the calls, so they closed the case. The account is now lost forever, and I lost a lot of money due to having to repurchase all of my add-ons again. The password was never changed on that account, as when I try to log into it now with a wrong password, it says it’s wrong. If I put the right password in, it wants to send me a code, but unfortunately I don’t have the phone number any more, so I have to go to recovery forms which are an absolute joke. I now make sure that all of my phone numbers are up to date and have 2FA on. I still don’t know to this day why I never got the phone calls from the escalation team; my spam call filter was switched off but the phone calls never came through when they were supposed to.

2 Likes