Hacked Outlook or Hotmail account: how to recover it
The short version: try the normal reset at account.live.com/password/reset first. If the attacker owns your security info, switch to the account recovery form at account.live.com/acsr and fill it with as much real account history as you can. Microsoft reviews each submission, usually within a day. The detail below is what makes the difference between approved and rejected.
Start here: the official recovery path
Microsoft gives you two doors. The normal reset works while you still control a recovery channel. The recovery form is the fallback when you do not, and it is a real review with real odds, provided you feed it enough true history:
- Try a normal password reset first. Go to account.live.com/password/reset. If you still control the recovery email or phone on the account, this is the fastest way back in.
- Locked out of recovery too? Use Microsoft's recovery form. If the attacker controls your security info, use the account recovery form at account.live.com/acsr. You will need a working contact email address that is not the hacked account.
- Fill the form with as much history as you can. Old passwords, subject lines of recent emails, names of folders you created, contacts you email often, and any billing details if you have ever bought Microsoft products on the account. The form is scored on volume and accuracy of real history, so more is better.
- Submit carefully and wait for the review. Microsoft reviews each submission, typically within 24 hours, and limits your attempts per day. One careful, detailed form beats several rushed ones.
- Sign out everywhere once you are in. Go to account.microsoft.com/security and sign out of all devices, then change the password again from a device you trust.
If the hacker changed your security info
Microsoft applies a waiting period when security info changes, which slows an attacker consolidating control, and the "security info was changed" alert to your old address contains a link to review the change. If that alert is sitting in another inbox of yours, start there. Otherwise use the acsr form, which does not depend on the recovery channels the attacker now holds.
One Outlook-specific trick to know about: attackers often add their own address as an alias on your account, so even after a password change they can sometimes work their way back. The alias list is part of the cleanup below, do not skip it.
Back in? Lock it down before you do anything else
- Sign out of every session at account.microsoft.com/security, then change the password again from a device you trust.
- Check Outlook rules and forwarding. Settings, Mail, then Rules, Forwarding and Sweep. Delete any rule you did not create, especially ones that move or delete mail from Microsoft.
- Review aliases and security info. Remove any alias, email or phone you did not add, and make sure your own address is primary.
- Check connected apps and devices and remove anything unfamiliar.
- Set a unique password and two-step verification. Our 2FA setup guide covers doing it without locking yourself out.
- Reset passwords on accounts that recover through this inbox, banking first.
If you cannot get back in
If the official process keeps looping, do not pay anyone who cold-calls or advertises instant recovery, and never pay a ransom for your own account. In Australia, report the takeover through ReportCyber at cyber.gov.au, and if money or identity documents are involved, IDCARE provides free, government-funded support. If the account matters too much to gamble on, our assisted recovery works the provider's process for you: verified identity first, then patient, documented escalations. Start here.
Stop the next one before it starts
Getting the account back is the urgent half. The lasting half is closing the back door that let this happen: account recovery. A strong password and two-step verification guard the login, but a "forgot password" flow aimed at a weak recovery channel walks straight past both. Our guide to the recovery gap explains the mechanics, and the email security guide covers the five moves that actually matter. If you want the back door watched for you, that is exactly what SAFE2RECOVER does: we hold and guard the recovery mail for your important accounts, so a reset you did not ask for gets stopped before it lands. Get protected, there is no card required to start.
Frequently asked questions
What is the Microsoft account recovery form and when do I need it?
It is the fallback at account.live.com/acsr for when you cannot pass the normal reset, usually because the attacker changed your security info. You provide a contact email plus as much account history as you can: old passwords, recent subject lines, folder names, frequent contacts, billing details. Microsoft reviews each submission, typically within 24 hours.
The recovery form keeps getting rejected. What improves my odds?
Detail and accuracy. Fill it in from a device and location you used the account on. Add old passwords even if roughly remembered, exact subject lines from your sent mail if any other device still shows them, folder names, and the card details if you ever paid for Microsoft 365 or Xbox on the account. Attempts are limited per day, so make each one count.
The hacker added their own email as an alias on my account. What does that mean?
Attackers add their own address as an alias, sometimes make it the primary, and use it to keep a foothold. After you get back in, open your Microsoft account settings and review every alias and every piece of security info. Remove anything you did not add, make your own address primary, and only then trust the account again.
What should I check in Outlook after recovering the account?
Rules and forwarding first. Attackers set inbox rules that forward your mail out or delete security alerts before you see them. In Outlook on the web, check Settings, Mail, then Rules and Forwarding, and delete anything you did not create. Then sign out all sessions from account.microsoft.com/security, set a unique password, and turn on two-step verification.