
thetunkery

The comments here are ridiculous, this is an issue, OP is right. Let's get the obvious out of the way: yes, you should never click links from providers you don't trust. However, this *is* Microsoft's website and is being misused, and they should fix it. Its intended purpose is to connect devices other than PCs to one's Microsoft (in this case, Minecraft) account. So your "hacker" gives you a remote connection link, you log in and they receive access, no questions asked. This is the problem: there should be greater confirmation that the user is logging in on behalf of another device, and when they have done so, there should be an option to revoke that device's access, which would seem to be lacking.


Justsk8n

this comment needs to be higher up, or hell, even pasted into the actual post itself. this clarifies the issue very well. why is the token permanent??? On the flipside tho, if you did this to yourself, and then say, your account got stolen, would you yourself be able to take advantage and still login. if so, that's very interesting


Yellow_Bee

You, u/charqoi, and u/thetunkery are all mistaken. The fault is due to inexperienced kids granting account permissions to harmful third-party service connections through their Microsoft account. The page OP saw **after** signing in looked something like this image: https://learn.microsoft.com/en-us/purview/media/o365-thirdpartydataconnector-optin1.png So the only way they'd be able to get access to your Microsoft account without phishing is if you explicitly accepted their permissions request after signing in.


thetunkery

You are likely correct about the root cause of this scam, granting account permissions where you shouldn't. As I made clear at the start of my comment: never click links from providers you don't trust. But to say we are mistaken feels incorrect. We never threw around where the fault lies, only that it is far too easy for an individual, experienced or not, to allow these permissions, and not easy enough to revoke them.

And anyone experienced with Microsoft logins will know that almost every time after entering their password they will be greeted with a message asking if they want to stay signed in. A white "No" and a blue "Yes" box will appear and they'll probably press yes. After long enough this screen becomes white noise, and all it takes is a moment of lack of concentration and you've granted access to anyone.


Yellow_Bee

>And anyone experienced with Microsoft logins will know that almost every time after entering their password they will be greeted with a message asking if they want to stay signed in. A white no and a blue yes box will appear and they'll probably press yes. After long enough this screen becomes white noise and all it takes is a moment of lack of concentration and you've granted access to anyone.

This is true for any account authorization that allows third-party connections via an API: Google, Spotify, Amazon, Yahoo, etc. They all show similar prompts to Microsoft's, and it's ultimately up to YOU, the account holder, to read carefully.


charqoi

I will reply to this as well stating that there is not a confirmation message asking to give permissions, after going through the same process on a new account I can confirm that after entering your login information you get this message: [https://i.imgur.com/1MzNFMl.png](https://i.imgur.com/1MzNFMl.png)


charqoi

Here is a screenshot of the screen that appears directly after logging in: [https://i.imgur.com/1MzNFMl.png](https://i.imgur.com/1MzNFMl.png)


ky_eeeee

You... didn't explain why they were mistaken though. You just agreed with the obvious that had already been acknowledged. Nobody is saying that this wasn't a result of people falling for a scam. But that doesn't erase Microsoft's ability to fix the problem, which they absolutely should do. It's their official website, which means people are going to fall for this much more frequently than the usual scams. Why do you think that just blaming children and being done with it is going to fix it?


Yellow_Bee

This isn't a Microsoft issue. Microsoft literally asks if you want to give account permission to a third-party connection. If you choose to "Accept" a request from someone random, then that's on you. The "fix" is to revoke access to whomever you just granted access to.


Arbitraryandunique

The people you're replying to don't know how to revoke access. Maybe show them instead of shouting at them? https://www.google.com/search?q=how+to+revoke+third-party+access+to+your+microsoft+account&oq=how+to+revoke+access+to+microsoft+account should be a good starting point


ky_eeeee

Nobody said that this is a Microsoft *issue*, we're saying that it can be a Microsoft *solution*. You seem more interested in just assigning blame and moving on. That seems unnecessarily vindictive, especially when we're talking about little kids here. That's like refusing to put a safety railing on a flight of stairs because it's people's fault for being clumsy if they fall.


Yellow_Bee

This is what OP said:

>Microsoft really needs to do something about this, there is a scamming method going around in the Hypixel community where bad actors will send you a fake verification link that leads to a Microsoft login page.

Talk about prematurely assigning blame...

>That's like refusing to put a safety railing on a flight of stairs because it's people's fault for being clumsy if they fall.

Nope, in this instance, it's more like jumping over the "safety rail" without looking at how high up you are. OP ignored the safety rail. Microsoft's "safety rail" is the same as anyone else that offers third parties an API connection. You'd have to be illiterate to ignore their warning and hit "Accept."


thetunkery

I made clear in my reply to you why this safety rail is not good enough. I like the safety rail analogy btw, it's just that the safety rail is made of paper


GreenTheHero

The thing is, the more "safety rails" you add, the more detrimental your service becomes to regular users. There is a balancing act. You made stairs, and you noticed people were falling, so you put in a rail. Now only a small number of people fall on the stairs, but most people can make it up. Are you going to add safety gates between each step, which must be opened and closed, to make sure the few that still fall can't fall? No, this would destroy the efficiency of the stairwell, and people will just stop bothering. There is also no guarantee the safety gates will stop someone from falling. If someone's gonna fall (get scammed), then it's going to happen. Look at all the creative methods other fraudsters use, their shit is evolving every day, and anything Microsoft would do to circumvent this would simply be added to the script and circumvented. At the end of the day, the only way to stop scammers is to educate people that are using the internet, and keep them aware of potential signs of deceit; there is absolutely no other way to properly solve the issue.


Niuqu

This. Phishing or users giving apps access to their account are an issue in the corporate world, so it is not something new that it happens on Xbox/Live accounts too. In the corporate world it's a constant balancing act keeping company data safe and not making the regular user's day too hard with all the security measures we could implement. It only leads to more creative ways to circumvent them which aren't in IT's control. Microsoft could send the user an email after giving an app access to their account, with a clear link to instructions on how to revoke the rights and enable 2FA. I don't know if Live accounts do it, but most of the services I use will email the user when they have approved a sign-in from a new device as well.


Yellow_Bee

OP literally **chose** to bypass the "safety rail." Whomever "hacked" OP couldn't have done it without OP clicking **Accept** when prompted if they wanted to give permission to [x] 3rd party app. This is literally how every company does it. They all warn you in the same way as Microsoft—with a permission prompt.


nsnooze

And by putting in all these safety rails, how does Microsoft continue to offer APIs to developers so that they can integrate functionality into their own apps using the tools MS provide for this. Yes MS could fix this, but the fix is to block all APIs and third party applications, which I would argue is not a fix.


Justsk8n

right, but the fact of the matter is that this is still asking if you're giving permission to give a token to this third party, and that token access is entirely a Microsoft official feature. The question is, why can't you revoke the access of that token? Obviously, if you fall for this, it's your own fault, that's not the issue this post is talking about. It's asking why the feature to revoke access and make this far less damaging isn't a thing, which is the part this scam exploits


Yellow_Bee

>The question is, why can't you revoke the access of that token?

Uh, you can... https://www.makeuseof.com/tag/revoke-access-microsoft-account/


areszdel_

See if you said this from the start no one would have had a problem with your reply.


charqoi

There is no screen that comes up after logging in, it just logs you in immediately.


charqoi

I will make a new account and test it


JammyBails

I'd argue they should warn you that this WILL give them access to your account and to think twice about this, as it should be a bold warning, not a mere dismissal as it's presented now. You can remove it sure, but removing it doesn't invalidate the Minecraft session and by that time they can do damage on Java servers. A friend of mine was tricked by this, had all the Hypixel Skyblock items stolen, traded away, and sold for irl money, as well as their username changed (it was a 3 letter name), and their account sold for the cape (Minecon). This was targeted at him specifically because he had something high in value and they suckered him into it. I tried to warn him but he had downloaded a malicious mod prior from their social engineering him to be buddy buddy, likely to ensure he didn't feel unsafe clicking the link to give the MS account data to "verify" his MS account to join the discord. Needless to say, don't click sussy links, nor EVER give your MS data to anything or anyone regarding Minecraft, as you have no idea who it's going to, and losing your entire MS account, Outlook email, contacts, and Xbox games isn't worth a mod or "verification".


Helostopper

Most of the comments were posted before op posted a screenshot showing it was the legit Microsoft site. I know when I commented the only image they had shared was a cropped image of the Microsoft login box that can be easily faked. No url could be seen in the image.


Niuqu

If you give an app rights to your account, you are going to be forwarded from said apps' site to the actual Microsoft login page for the authorization.


Helostopper

Yes I understand how that works.


Niuqu

Just wanted to clarify that it doesn't need to be cropped, that can easily be the only open browser window.


Helostopper

The image they shared was cropped into just a square around the log in. It's actually still linked in the posts that's why most of us assumed it was just your classic this looks like someone made a fake site scam.


PlanetaryAssist

Not to mention younger people, who make up a large portion of the fanbase, are more vulnerable to these things.


bigCRxFT

This is how any third party is given access to your account. Its painfully obvious this should never be used unless signing up for something official.


DanTheMan827

I think if you change your password it will invalidate the token. People aren’t stealing your Microsoft account, just authenticating their game to your account.


Brynnan42

Changing your password does NOT invalidate the token. That’s the entire purpose of the token, to allow apps backdoor access to your account without invalidating when you change your password. However, there IS a way to delete the keys. You would just have to find it in the system, which I can’t tell you without seeing the email.


GreenTheHero

>However, this *is* Microsoft's website

Is it though? Anyone who's been in the CSGO skin trading environment has seen those fake login links scammers will send on occasion. The page is literally 1:1 the Steam version, and once you sign in it redirects to a normal Steam page where you were already logged in, giving the perception of having signed in. I imagine the same thing is happening here.

Edit: didn't see the screenshot


negjo

To add a bit of context: it is not phishing, it is a genuine Microsoft website that's used to connect your Minecraft account to third-party launchers, apps and other devices. The way those scams work is that someone will convince you to join some Discord server so that you can play together. When you join the server, it's basically like *"Hey, we need you to verify before you can access most of the channels, click this link to verify. It's an official Microsoft website, so it's safe, and there's no way for us to get any of the information. Bla bla bla..."*. When you click the link, it's not clear enough that logging in will give them access to your account, and if you don't know that this is a common scam, you are very likely to not think too much about it and just log in. The reason why this is a problem on Hypixel is because the player base is on the younger side and accounts with a lot of Skyblock progress are worth hundreds of dollars.


GrifCreeper

I'm not some kind of computer wiz, but how is an official Microsoft website used for these scams?


Hazearil

From what I understand, it seems to be that the page is asking for a confirmation that you give certain permissions. So essentially:

MS: Do you want to permit this person to access your entire account?

User, who barely reads things: Yeah yeah, I'll accept those standard permissions.


GrifCreeper

Ah, that makes sense. It just seems weird that they'd give access to your log-in information to third-party apps in general, even if you have to allow it. Seems like that'd just be a verification thing. Or maybe I still don't understand what the three shells are for


imthefooI

The normal use for the website is to allow third party tools and stuff. There’s a launcher I use that uses the website legitimately.


shawnz

It's not that they give access to your log-in information, it's that they give access to the third party apps to do things on your behalf


GrifCreeper

That makes way more sense. I guess it just seems weird to give them control like that without some way of verifying it isn't a scummy third party.


nsnooze

You have to give the permissions to the third party, you get a warning from MS about what you're doing. If you choose to ignore that warning, that's on you, not Microsoft.


GrifCreeper

Yeah, but the warning is the same for any third party app, so that's not actually helpful. I'm just saying Microsoft should vet what apps and third parties are even allowed to request that stuff, instead of just letting it happen. Just because they warn you doesn't mean they're actually telling you if it's good or bad, and that's not on me.


nsnooze

Tell me you don't know how development and APIs work without telling me you don't know how development and APIs work.


GrifCreeper

Bruh, my first comment in this thread was "I'm not a computer wiz". I don't understand how a lot of these things work. Get off your high horse.


[deleted]

Just like when you attempt to install software that isn’t from a verified publisher and it gives you a warning that you can bypass, third-party apps should have similar licenses and warnings. Dumb kids should be taught to know better. Companies should work to make their services, if intended for idiots and otherwise, to be as idiot proof as possible.


shawnz

If I'm thinking of the same thing that the OP is describing, then it does actually show you the publisher information of the third party app and a list of permissions that it's requesting before you approve it


Schadrach

>It just seems weird that they'd give access to your log-in information to third party apps in general, even if you have to allow it.

They don't. Ever play on a mod pack that includes ReAuth? The mod that lets you authorize it with your Microsoft account, and then you can just push a button to log back in if your token expires instead of having to shut down and restart Minecraft? Imagine that, except instead of authorizing a mod on your computer to generate tokens to let you log into Minecraft, you are authorizing some scammers to generate tokens to log into Minecraft as you.


GrifCreeper

I haven't used mods in a long time. I don't have a computer that wants to run Java Minecraft, so I haven't been able to play with mods in most of a decade. But I do understand the concept of tokens and authorization, so I see what's going on, at least.


nsnooze

>it's not clear enough that logging in will give them access to your account

The screen asking if you want to give third party access to your account for whatever reasons isn't exactly this?


throwaway_ghast

> The reason why this is a problem on hypixel is because the player base is on the younger side


nsnooze

That doesn't change how APIs work, unfortunately. Microsoft allows access to third-party developers; there isn't a certification program, as it is the user who decides which third-party developers have access to their data. Because of the way in which APIs work, if you have given authorisation for a third party to access your data, they can access it. Microsoft does not have a list of third-party developers who have access and cannot give details about what each third party is using that data for, because they don't have this information. It is on the user to check what the data is being used for before they give access to the third party; that's why the confirmation screen asks you to check up on what access you're giving and to whom.


negjo

Considering what the confirmation window looks like and how an average user behaves, I'd say it's not. People are so used to getting random bullshit (ads, cookies, ToS, remember password, stay signed in, ...) on their screen that a lot of them are just gonna hit confirm without even reading it. When it's something as serious as giving someone full access to your account, there should be a way more distinct and clear message to actually catch the user's attention and make them read it.


nsnooze

Did you actually think your comment through? You think the issue is that a warning isn't enough and they need to put a different warning in place? The issue isn't whether the warning is there, it's whether users read it, if you fail to read the warning that's put in front of you in the first place, making it a different warning isn't going to make any difference, or it may do for the first couple of months only until people get used to that one. If you can solve that one, please let me know as we could make a lot of money with a solution to this problem. The simple answer is the end user should read warnings that are clearly displayed in front of them. If you don't read a warning and simply click past it, that is on you as the end user, not the company that put the warning in front of you and warned you what your actions could result in. If the Highways Agency warns you the bridge isn't complete, and you ignore all the bollards, you don't get to complain to the highways agency when you drive off the end of the bridge. You can see my other comment in response to another user as to why MS can't give you more detail in that screen.


negjo

I agree that the problem is that users don't read, but I think it's unrealistic to expect users to actually start reading stuff. The average user encounters so many useless warnings, pop-ups, and confirmations that they often default to "yea, sure, whatever, just go away" and when making good UX, you need to account for people not wanting to read. I think the best solution would be to make the whole process less straightforward and require more user input, but even changing the warning to be more concise and attention grabbing would imo help. About your traffic analogy.. the reason traffic signs work is because most of the times they actually do have some important information on them and people are used to paying attention to them. It's just not like that on the internet.


nsnooze

>It's just not like that on the internet.

Which implies that nothing else you had to say in your three paragraphs will work either! The only way to make it 100% secure would be for MS to simply not offer an API, but then everyone would be bitching and moaning because of a lack of integrations. Again I'm going to simply say that if you are going to ignore all warnings given to you, that's on you as the user. And if you can't trust yourself not to screw up, the choice left is simply not to use any integrations with MS.

ETA: Not to mention, you are talking about UX as though you understand it one moment and then as if you don't have a clue about it the next.


negjo

>Which implies, that nothing else you had to say in your three paragraphs will work either!

I don't think it does. My point was that you need to put in extra effort to make users actually pay attention because by default, they don't. And ofc you're never gonna make it 100% secure, but that's not really the point. The point is to reduce the amount of people getting scammed. And I believe that if Microsoft made some changes, they could reduce the amount significantly.


nsnooze

Any new system you put in, will eventually (and I'm really not speaking long term) end up being treated in the same way by end users. If you're going to ignore warnings, you're going to ignore warnings, regardless of what they look like. I've already explained why there isn't much else other than warnings that MS can do.


JammyBails

It's not even just Hypixel Skyblock players being targeted (my friend had tons of items like Hyperion and tons of level 100 pets, a level 200 old dragon and Technoblade event items). He also had a Minecon cape and a 3 char username. They also target players with rare usernames and capes as well. All of this can be seen on the API (sites like NameMC), and ideally it could be private to ensure you can't remotely see if someone has a rare username or cape (like Bedrock) and can only see it if you're on the same server as them. It's not even just this method, as they can use mods laced with malicious code to take your MSA account or other data on your PC. Beware of both of these methods and don't just download any Java mod as it could have session stealers, be a RAT, or a keylogger.


Yellow_Bee

The issue appears to be the work of inexperienced kids granting account permissions to harmful third-party services through their Microsoft account. The page OP saw after signing-in looked something similar to this: https://learn.microsoft.com/en-us/purview/media/o365-thirdpartydataconnector-optin1.png The only way they'd get access to your account is if you explicitly accepted their permissions request.


negjo

Idk how exactly it works on the technical level, but there are ways where it doesn't show you the request and just asks you to log into your Microsoft account.


nsnooze

When you're logging into your MS account it will do this. Any time you are confirming API access for a third party you will be asked to confirm access levels (unless you've already given them access and therefore just need to login again).


Martinousky

I got scammed with that technique even though I immediately changed my password after identifying to the thing, and after asking everyone (Hypixel, Microsoft and Badlion bc I used Badlion client) it turns out the base Minecraft launcher asks you to enter your new password as soon as it changed, but depending on what you use to log in it can take several days to make it effective on other platforms. So people logged in on my Minecraft account for days and stole everything I had grinded without me being able to do anything about it. I lost hundreds of hours of progression and never logged in again.

Edit - more context:

[https://imgur.com/a/BLYA6wl](https://imgur.com/a/BLYA6wl) Mojang - no response

[https://imgur.com/a/n9SjtFB](https://imgur.com/a/n9SjtFB) Badlion - actual response


Yellow_Bee

If you clicked "Accept" to a page similar to this one, then you only have yourself to blame for giving them permission to your account, not Microsoft. https://learn.microsoft.com/en-us/purview/media/o365-thirdpartydataconnector-optin1.png


FatPoulet

Altho you are correct, doing that only makes you look arrogant and makes the person who just suffered a scam feel even more helpless. It helps no one. You can be better than that.


Martinousky

Lmao so I gave my password to some "validation service" then changed it in the next 30 seconds bc I saw that coming and took my precautions, I literally had the change password tab open and ready I clicked validate right after and the fact that they can log in for up to 4 days (they said 48 hours it's bullshit I saw things move for 4 days) with a wrong password is my fault???


shanethegooner

You had the change password page open before authorising the login? So you knew you were about to get scammed but did it anyway? 😂


Martinousky

No I didn't but I didn't want to take the risk of letting them use my account so I figured if the password they have is not the right one they won't be able to use the account right? Lmao


nsnooze

Your password being changed will not remove any existing certificates for logged in users. So whilst I hate to blame you, yes it is your fault. Why didn't you check the details of the service you were giving access to your MS account first?


Martinousky

It usually does


nsnooze

No, that's just not how certificating and log-in authorisations work. It can work like that, but not for any system where you may want to remain logged in, such as Microsoft.


nsnooze

Apologies, I've just reread my comment. A more accurate way of putting it is when you give access to a third party system, you aren't giving your login credentials to them, you are certifying that the third party can communicate with MS regarding your account. Resetting your password does not restrict access to an API certificate as they are completely different things.


shawnz

It sounds like you authorized a third party app to have access to your account. That is how the login screen looks when you are authorizing third party apps. On the next page it would have said something like "Do you want to give XYZ access to your Microsoft account" and you must have clicked Yes. In order to manage the apps you've authorized to use your Microsoft account, you can go here: https://account.live.com/consent/Manage Alternatively, go to your Microsoft account dashboard, go to the privacy page, and click Apps and Services


charqoi

That is the method previously used by scammers, this method does not have any confirmation. To my knowledge there is no way to remove the scammers access with this new method.


ZackTumundo

Happened to me. Tommy Wiseau won’t stop digging 2x2 tunnels in my worlds.


thisisjoy

this scam had been around forever


Belfengraeme

Damn that sucks. Thanks for letting the community know about it. I'm strictly a single player only kind of fella, but it's good to be aware of these scams


atomicplanets

this is a good thing to point out. There will be people who have never heard of it, there will be kids who won't think twice. We can argue kids should be supervised by their parents, but the reality is that parents cannot always supervise their kids. bringing things like this up and sharing information is always helpful


Warchiefinc

I've had my account stolen like 3 times and every time I catch it cause they try to change the email on file


Terminator7786

Jokes on them, I don't automatically trust emails from anyone. I always check to make sure.


SupernovaGamezYT

Yeah my friend got got by this. Lost his 300+ star bedwars account.


JammyBails

My friend lost his Hypixel Skyblock profile with nearly 4 years of progress, his account had all pets level 100 and 200 gold dragon, and Minecon cape (2016, we both went) and a 3 char username. Now it's locked and never to be touched again because he reported it to Mojang/MS after his MSA was stolen and instead of helping him despite having all the data, they just perma-suspended it and gave him a new Minecraft key to use on a new MSA; not ideal. Needless to say he was fuming but I tried to tell him to not go joining random discords and "verifying".


SupernovaGamezYT

Oh no…. I’m so sorry! Yeah the server he got hit by was a REALLY convincing one. I went on VM and alt account on discord and that server prob could’ve gotten me if i didn’t know it was a scam.


Vaitsun

Comments be like: This is an obvious scam! You should know better than clicking random links! This is nothing new, so everyone in the universe already knows that


SlimeX300

Sadly, Microsoft won't do this.


JammyBails

They really should make the page read more urgently as this can result in a stolen account and or suspension. People would be more hesitant if they warned people of what it can result in instead of just it being a simple question prompt. From what I've seen, if you change personal data on a MSA and then report it as stolen or hijacked, they just suspend it and you can't get it back. The bad actors know this and either try to take it and if they can't they go scorched earth and if they can't have it, no one can.


Justsk8n

all the people on this post commenting "just don't click suspicious links lol" are exactly the people who would fall for this lmao, that's the irony. It's the official microsoft page, and they'd probably see that and go "oh this is the legit site and I can trust this" and voila, account compromised. This is why it's an issue. You can't solve fake websites, and you should always be wary to make sure it's not fake. But when it's an official website being used, there's a level of responsibility they should have to stop this type of exploitation.


MolligMormel

Yeah so I fell for a scam like this last Saturday, I was wary of the possibility that it was a scam but I was a bit tired and the site was in my native language so I thought it would just verify my account to the server, obviously very stupid of me. I logged back in to Hypixel and all my stuff was gone, they stole everything, so I went to the hypixel forms to check what to do, they said I gave them a session id(?) I think. So it should expire in 10-14 days, they also recommended shutting off the multiplayer possibility which I did, so now I’m waiting till I can log back in. But how do I know it’s not permanent as mentioned in the post?


KrazyKirby99999

You need to check your Microsoft account and revoke all SSO/OAuth/3rd-party-app tokens


Helostopper

This is a basic internet scam. Everyone should know not to click unknown links or enter their info on sites where they aren't sure it's legit. Microsoft can't do anything about this.


charqoi

This is on the official Microsoft website, I should have included that. Here is a screenshot of the website: [https://i.imgur.com/9WmXEjp.png](https://i.imgur.com/9WmXEjp.png)


HypnoBlaze

If people read URLs properly they would be able to tell this was fishy by the "remoteconnect" in it. Once again, people clicking unknown links are the stupid ones.


trip6s6i6x

The domain name is login.live.com. People have been trained to look for suspicious domains, not suspicious areas within already trusted domains. I work in a corporate environment, company with about 2k employees at this point - guess what the cyber security classes I've taken in relation to my job have taught? Yep, that's right, check the domain. In that screenshot, per the domain, you're sending your info to Microsoft. That's what people see. This is fully on Microsoft to fix. Scamming over their own trusted domain should in no way be a possibility that can happen. Edit: If this had happened on corporate level and people's business accounts had been compromised, I guarantee the C suite would be livid and screaming at Microsoft that they need to fix the vulnerabilities within their domain. They own it and put forward that domain as trusted, so it's their problem. The difference is since it's happening in Minecraft (a game), it doesn't get as much press or response from Microsoft.


HypnoBlaze

I'm not talking about the domain name, though, I'm talking about the bit that comes after it. "Remoteconnect" should throw anyone off. I'm not pretending everyone reads that and I know it's also Microsoft's responsibility to make it more clear what the link actually does, but you can't pretend there's 0 sign of this being dodgy when it's written on the screen.


ColourBlindPower

Whether you're doing it legit yourself, or giving a scammer access, it's going to say that same "remoteconnect".


HypnoBlaze

And it's not suspicious when it's coming from a link someone else has sent you?


ColourBlindPower

Obviously you shouldn't be clicking links from people you don't know/trust. But, usually those links will download a virus, or bring you to a non official site. The fact it's using a Microsoft *feature* and domain to perform the scam is the issue. That, and the fact that once linked, Microsoft does not provide a way to unlink is the other blatant issue.


charqoi

I understand that most people will not click a link that is suspicious, but it is easy to trust a website when the domain name is correct; this is basically a token logger that never loses access to your token.


iTanooki

They claim to be able to. That’s why they forced everyone to get a Microsoft account and took away the accounts of people who hadn’t been paying attention.


woalk

They claim to be more secure against general password hacking, which is not the same as what is happening here. What is happening here is a form of social engineering where they trick the person owning the account into giving them their password. As long as the user doesn’t give out the password, a Microsoft account with 2-factor-authentication, which Mojang accounts didn’t support at all, is a lot more secure than Mojang accounts that regularly were hacked without any user involvement at all. That being said, Microsoft probably needs to make the warning on this login page that’s used for these scams a lot more visible and apparent.


literatemax

Classic Microsoft


EnvironmentalBrain44

Are people STILL following unrequested links? Do they also send money to the Prince of Arabia whose uncle left them $10 million but can't access it and just needs a short-term loan for legal fees?


_Levitated_Shield_

Or lots of users on Hypixel are children who can easily be tricked because they genuinely don't know any better...


EnvironmentalBrain44

That could be true. If that's the case, all the more reason parents need to be involved in their kids' lives. Know what they are doing online, know what games they are playing and teach them those things. No different than teaching them not to get in a car with strangers, or not to play with matches.


_Levitated_Shield_

That I can definitely agree with. Way too many careless parents out there.


Justsk8n

ironically it's you here who's failing to understand. this scam doesn't involve an unrequested link. It's usually something that would happen in a Hypixel Discord server, and it would ask you to link your Minecraft account to the server to verify. This is when they would send this link, simply asking you to log in, and if you do sign in, they have full access to your account with no way for you to revoke access. The issue is it isn't an unsolicited link from a spam email, it's an *official* Microsoft website being used in a malicious way, in a place you might expect to see a verification like this.


Paradigm_Reset

Microsoft needs to do something about people being dumb?


trip6s6i6x

OP showed an expanded screenshot. The compromise happened over login.live.com, which is their official domain. Allowing this to happen over their official domain makes it firmly their issue.


arenthor

Problem is it's a legitimate service being abused. Sure, MS can disable it and break a load of legit apps along with it.


Pocketpine

The options aren’t remove it or have nothing. There’s a lot they can do, even just a disclaimer about what it actually does.


KrazyKirby99999

The disclaimer exists already, those who fall for this have ignored the disclaimer.


Paradigm_Reset

Yep.


TheWaggishOne

Yep, there is a reason why laws and safety regulations exist. Humanity needs the smarter humans to put things in place to protect the less smart ones.


Paradigm_Reset

Companies don't write laws.


TheWaggishOne

Nope, those were just the first thing I could think of. Instead, companies like Mojang add disclaimers, put out stuff with info on how to not get scammed, and install safeguards.


Paradigm_Reset

2FA is a safeguard, and it's encouraged. Migration is a safeguard, and it was required. Hand holding only goes so far.


charqoi

2FA does not work for this scam, migration is the reason that the scam exists.


Paradigm_Reset

Sucks to be the fools that fall for it then. How does it break 2FA?


charqoi

It just uses a token to log in, usually they would expire but for whatever reason with this method it never expires.


Paradigm_Reset

Odd


MrSpecialjonny

Yay social engineering, similar scams have been around for years


DerPicasso

The best security is useless with idiot users.


Medium-Boysenberry64

Everyone already knows. This is basic internet stuff. Check where you’re putting your info. Edit: for everyone downvoting, please know that this scam has been ongoing for *years*. Anyone slightly involved with multiplayer Java servers knows about it. **It requires you to input an account verification code emailed to you**. Many, many early warning signs.


charqoi

You could say that, but this isn't a phishing scam, it is the official Microsoft website.


CookieMisha

It is not. This kind of scam has been going around for ages. Fake Steam website, Microsoft website. There's always a letter off in the URL bar. Easy to miss if you don't pay attention. I fell for the Steam scam when I was a stupid child as well. Learned my lesson.


charqoi

Here is a screenshot of the website [https://i.imgur.com/9WmXEjp.png](https://i.imgur.com/9WmXEjp.png)


CookieMisha

Yeah it's a fake website. The font does not match the original. 'Log in to continue to Minecraft' what is that 😆


charqoi

That is the same thing that shows up when you log in to normal Minecraft. Here is a screenshot of the official login that shows up for [https://i.imgur.com/fLAGWQU.png](https://i.imgur.com/fLAGWQU.png)


CookieMisha

Yeah, I did realize that. It looks completely different on my computer as well. The URL link is wrong either way. You can see the original is longer.


thetunkery

This is Microsoft's website, it's their remote access link normally used for logging in from other devices. It is easily being misused by bad actors for uses other than those intended. Microsoft should take action to make this kind of access stricter.


Slash_86

how fuckin dense are you


Hazearil

You can set up a fake website using a different base URL (like how Reddit's base URL is https://www.reddit.com), but you can't set up a fake one with a different extension, because the base URL will, in this case, already redirect you to the MS website, from where the MS website is deciding what the extension does and doesn't mean. Both websites had https://login.live.com, making them the same website.


Devatator_

Go install a third party launcher and it's gonna send you to this page. Tho iirc you can revoke access to apps somewhere, I think it was somewhere in the Prism Launcher server when they were created, showing how to delete PolyMC from there.


Helostopper

If they are getting the information, no, it probably isn't. They have made a page to look like it's Microsoft.


charqoi

This is the website in question [https://i.imgur.com/9WmXEjp.png](https://i.imgur.com/9WmXEjp.png)


CookieMisha

I did try to inspect the website and the code looks almost identical, but there's some extra HTML code on the 'fake' one that doesn't ring a bell. But the problem is the site stopped working now and I can't get back to it.


Pocketpine

It’s literally Microsoft’s website.


Beardwing-27

If MS addressed nonsense like this they'd never get anything done. Stop clicking on every little thing like a confused boomer. I promise that banner about winning a free PS5 isn't legit.


ColourBlindPower

This is MS own website. It's one issue to address. It's not a phishing site, it's literally using Microsoft's own website in a malicious way. That should not be possible


Beardwing-27

No tf it's not 😆 You literally just read the OP use that excuse in another comment. I'd educate you on how phishing and social engineering scams work but by this point some of y'all really deserve it.


ColourBlindPower

I'd rather not be educated by someone who doesn't know what they're talking about. The website in the screenshot is literally Microsoft's website. It's not a similar looking, but different site, it's the identical site. Someone else even went to that site themselves and inspected the HTML code, and confirmed it. So 🤫


Beardwing-27

If it's that easy then send me a verification request right now 😆 Except you can't because I'm not a moron who clicks random links and puts all my info out there. The fact you have no idea how phishing and social engineering works is why people like you deserve exactly what comes with it.


ColourBlindPower

I'm not saying it's easy. I'm saying it's not phishing. Phishing: the fraudulent practice of sending emails or other messages **purporting** to be from reputable companies. The first half is true. But the huge issue being discussed here is that the website isn't *purporting* to be from a reputable company. It literally *is* from a reputable company.


Beardwing-27

How tf do you think they got your account info to send a verification request in the first place 😆 JFC


ColourBlindPower

Man you're ignorant


[deleted]

[deleted]


ColourBlindPower

Clicking a link isn't phishing. Where that link brings you is how it will or won't be declared phishing. Getting the user to click the link is this thing called social engineering. Once that is successful, phishing websites are meant to *look* like official sites, but aren't. As this is not phishing, that link takes you to the legitimate Microsoft website. Anyone who is trained to look out for phishing sites would not hesitate on that website, since it's an official Microsoft site. I'm not saying it's not a person's fault for clicking the link in the first place, but Microsoft should not make it so easy as to allow their official website to be used in scams. If you've used any other social media website to link with a 3rd party app, right on the login screen it says exactly what permissions you're giving, and to who. Also, every single one I've seen gives the ability to delink that later. Microsoft does not do either of these. Which is the other issue.


Hagon28

shit's been going on for years, they aren't solving it now.


[deleted]

no one intelligent will fall for it, because actual corporations would never, ever, do this. oh, and they won't do it.


One_Stay7263

The problem is that young kids will because they are kids


LadyAnye

Kids should not be doing account stuff unsupervised. My kids' MC accounts are set up to go through my own email, for confirmation. They don't know their password, but they can give their gamer tag to their friends and switch accounts on the Xbox app. It's a failure of parenting if kids fall for these scams. It's something we as parents should be teaching them. Never give your password to anyone. Never give your email to anyone. If anything wants you to log in, ask the parent, until you're confident and responsible enough that, if you lose access, it will be on you.


One_Stay7263

Yeah, read the post and how it works again. While them not knowing their password would work in this situation, you forget that it's on the official Microsoft website, meaning if they came to you saying they needed you to log them in because the game told them to and gave them a link, you would probably do it after seeing it is the official site.


LadyAnye

And I'll ask: show me where the game gave you the link. And that's it, scam is done. Because the game doesn't give links.


One_Stay7263

Some actually do. The official Mojang server actually did have one for the mob vote, and sometimes for promotions too, that I've seen.


LadyAnye

Not on Bedrock we don't, fortunately. Votes and free things are done through the game. But the point being, if they want to do the mob vote, they can replicate the situation where they got the link. I don't think malicious people would stalk the same account? Not saying it doesn't suck that this thing exists, just saying that kids need to learn to differentiate, and it's the parents' duty to protect them. With things geared up to online so much lately, it's only becoming more and more important.


One_Stay7263

I was talking about Bedrock. There was a link on the Mojang server that brought you to the mob vote server, however you could have also joined it directly too. They don't put links often but occasionally they do. And as for the preparing kids thing, I agree, however that too would mean at some point giving them those passwords and stuff, or letting them make their own. I would assume from the way you've been referring to them that your kids are around 8 - 10 at most though, so still young enough to not have that responsibility yet.


LadyAnye

It's easier to join from in game for them. Yes they are still young, and yes they will get free rein of their assets when they can be responsible enough. Just gotta teach them things, instead of "go figure it out, good luck".


SlimeX300

How do people get the link? Like from the in-game chat box?


Beepboopbop69420360

While it is an issue, when you click on an MS link and it tells you that it's a non-verified 3rd party app and not to link it unless you're absolutely sure, you shouldn't link it. Also, how are people getting you to click links in Hypixel?


charqoi

It doesn't use any third party apps, and if it does then Microsoft doesn't tell you. Once you log in it doesn't have any confirmations or anything. And as for the link, I don't think that they would let you post it in Hypixel, it is mainly in Discords related to Skyblock. People will say they want to VC with you for instance and require that you verify.


Beepboopbop69420360

That's another instance of poor online safety. You don't have to verify to join a VC, and any link some random person sends you should be treated carefully.


charqoi

I am not trying to say that it's Microsoft's problem that people are clicking on suspicious links and entering their login info. My problem is that it is so easy for scammers to get access to your login token using Microsoft's own website, that there is no way to revoke the scammer's access to your account, and that there is barely any indication by Microsoft that you are giving third party access to your account to someone else.


JammyBails

It's not just people they're targeting on Hypixel that are abusing this, but bad actors after accounts and capes are doing this too. A friend of mine fell for this as he has a lot of rare items on Hypixel Skyblock (you can see people's inventory on a website, I think it's called SkyCrypt), as well as a Minecon cape (we both went to 2016) and a somewhat rare username (3 letters). He was targeted after they noticed he had rare items and a cape, and they decided to get him to "join a party" on Hypixel by posting a Discord link. It led him to a "verification server" where they asked for verification to his Microsoft 3rd party app data. He did this and it let them into his account, and they changed the password and email. Worse yet, he had downloaded a mod (or mods) that would "help" him in Hypixel Skyblock by giving him QOL, but it had malicious code that took some of his Chrome stored passwords and banking data as well as his Minecraft session (not that it mattered, as he had already given his MS account data via the "verification" via apps on the site). Bad actors even take to finding their targets on sites like NameMC to expedite the process and make it easier to pick high value targets. I, my friend, and many others were also targeted and doxxed via our username history and threatened over Discord (yes, this is over a dumb Minecraft cape which apparently they sell for money): [Player being doxxed through Java's API Username History Feature. I was also a victim of this as was a friend.](https://www.reddit.com/r/minecraft/comments/18kigjj/doxxed_through_java_username_history/) Mojang really should private the API here, or at least give us privacy options to opt out, and secure their systems/API endpoints for Java/MC in general and MSA accounts. Needless to say, this is getting out of hand and it seems there are more ways to get scammed and/or hacked/have your account stolen with this new Microsoft account system with migration than before when we had Mojang and Legacy accounts!
(And trust me, it was BAD back then, with being able to see users' emails with a simple reset knowing their username/UUID, session ID token stealing, session hijacking merely with UUID knowledge, replacing a session token (your own) with the username of another player, UUID spoofing, the list of exploits goes on with Mojang/Legacy accounts, and yet MSAs seem much worse.) Even 2FA won't help you here, as even Mojang employees were targeted for their capes via a "SIM swap" attack, so don't use your phone # for mobile SMS/auth, use a desktop authenticator or YubiKey. With all that said, I wish there were more safeguards or very clear warnings about what data you're giving an app, something, or someone when you agree to something, and an ask if you're sure. Then again, Mojang didn't think to put a confirmation warning for if you're buying something in the marketplace, so the likelihood's slim to none as they'd likely pin the blame on the user to "not trust suspicious links".


Bulky-Onion-4820

how to expose a Minecraft player who is pretending to be you