Xbox Account Hacked? How to Recover and Secure It (2026)


Technobezz

Senior Editor

Jun 6, 2026
11 min read


Your friends are messaging you about strange DMs and party invites you never sent. You opened your email to a sign-in alert from a country you have never visited, and now your password no longer works at all. That sinking feeling is real, but so is the good news: an Xbox account is a Microsoft account underneath, and Microsoft has a defined recovery path that gets most people back in. Work through the steps below in order, starting with the fastest fixes, and treat your account as recoverable rather than lost.

Before you touch anything, two rules will keep you safe. Start your recovery on a device, browser, and network you have signed in from before, because Microsoft weighs that familiarity when it verifies you. And never create a brand-new account to "report" the hacked one; everything you need to do happens through the existing account and Microsoft's official tools.

Confirm the Compromise and Spot What the Attacker Touched

First, get clear on what actually happened so you do not waste time. The classic signs are friends receiving messages or invites you never sent, sign-in alerts showing logins from unfamiliar devices or locations, and your usual password suddenly being rejected. Any one of these is enough to act on.

If you can still sign in, you are in the easier scenario and can move straight to changing your password. If the password has already been changed and you are locked out, do not panic; that is exactly what the Microsoft account recovery form exists for, and it is covered below.

One safety note worth setting now: real Microsoft and Xbox support will never ask you for your password, a verification code, or a two-step verification code. Anyone who does, by message, call, or email, is an attacker. Do not pay for any third-party "account recovery service" either; the official self-service tools are free and are the only ones that actually work on a Microsoft account.

Change Your Password and Lock Out the Intruder

If you can still receive a verification code on your registered email or phone, reset your password immediately. Both Xbox Support and Microsoft say to do this the moment you suspect a compromise, because a new password cuts off the attacker's active session.

  1. Open the "Reset your password" page from the Xbox or Microsoft sign-in screen.
  2. Enter the email, phone number, or Skype name on the account.
  3. Choose where to send a security code (your registered email or phone), then enter the code Microsoft sends.
  4. Set a brand-new strong password that you do not use anywhere else.

Microsoft must verify your identity before it lets you reset, which is why a working email or phone on the account matters here. Choose a password that is unique to this account so a leak somewhere else cannot be reused against you again.

Use the Microsoft Account Recovery Form When You Are Locked Out

If the attacker already changed your password and the normal reset will not work, Xbox Support directs you to the Microsoft account recovery form. This is the official locked-out flow, and it lives at account.live.com/acsr.

  1. Open account.live.com/acsr and enter the Microsoft email, phone, or Skype name you are trying to recover.
  2. Give a different, working contact email where Microsoft can send the result.
  3. Pass the robot check.
  4. Answer as many identity questions as thoroughly as you can, such as old passwords, the account creation date, and purchase or product details you remember.

Guessing is fine here. Wrong answers do not count against you, so fill in everything you can rather than leaving fields blank. Submit the form from a device and location you have used before, since that history strengthens your case. Microsoft reviews the form and emails the result to your contact address within about 24 hours.

One critical limitation: this recovery form will not work if two-step verification is turned on. Microsoft states plainly, "If you've turned on two-step verification, you can't recover your account this way." In that case your way back in is through your second verification method, which is why the recovery code and backup contacts described later matter so much.

Review Recent Activity and Flag Every Sign-In That Was Not You

Once you are back in, find out where the attacker has been. Sign in to the Security basics page at account.microsoft.com/security and select "Review activity" to open the Recent activity page. It shows sign-ins from the last 30 days, with device, app, and location details for each one.

In the unusual activity section, expand any sign-in you do not recognize and select "This wasn't me." Doing so prompts you to change your password and update your security info on the spot. For the entries that genuinely were you, confirm them with "This was me" so the record stays accurate.

Clear Malware Before You Trust the New Password

If a virus or keylogger is sitting on your PC, it can quietly steal your new password the moment you set it. Microsoft's hacked-account guidance is to scan your device clean before relying on any password change.

  1. Open Windows Security.
  2. Go to "Virus & threat protection."
  3. Choose Scan options.
  4. Select "Full scan," then "Scan now."

Let the scan finish and remove anything it flags. Only then is it safe to assume the credentials you just created are truly yours alone.

Undo the Settings an Attacker Quietly Changed

Hijackers often plant changes so they can keep reading your mail even after you reset the password. Microsoft's guidance is to review your account settings for anything the attacker may have altered.

Pay particular attention to connected accounts, email forwarding settings, and automatic replies. A hidden forwarding rule or auto-reply can silently copy or redirect your incoming mail, including future verification codes, so remove anything you did not set up yourself.

Remove Trusted Devices and Refresh Your Security Info

Next, cut off any device the attacker may have marked as trusted. On the Security settings page, change your password again if anything still feels off, then remove all trusted devices so a stranger's machine cannot skip verification.

After that, update your security contact info so only an email address and phone number you control remain on the account. Microsoft notes that keeping this contact info current whenever your phone or email changes is important; stale recovery details are how people get locked out later.

Turn On Two-Step Verification and Add Several Backups

With the account clean, the single best thing you can do to keep it is turn on two-step verification (2SV). Go to account.microsoft.com/security, open your sign-in and security settings, and turn on two-step verification, then follow the prompts, such as scanning a QR code with Microsoft Authenticator.

Do not stop at one method. Microsoft recommends adding at least three pieces of security info, for example two different email addresses plus a phone or an authenticator app, so you cannot get locked out. With only one method, losing it can mean permanently losing the account. Keep in mind too that Microsoft has announced it will begin phasing out SMS as an authentication and recovery method for personal accounts, so an authenticator app is the more durable choice.

Generate a 25-Digit Recovery Code as Your Last-Resort Key

A recovery code is the backstop that saves you if you ever lose every other sign-in method. While signed in, go to account.live.com/proofs/manage/additional, scroll to the Recovery code section, and select "Generate a new code."

Print the 25-digit code and store it offline, not on a device you sign in with. You cannot retrieve an existing code later; you can only generate a new one, and the moment you create a new code, any previous code stops working. Store it somewhere physical and private, like a locked drawer, so it is there when nothing else is.

When You Still Cannot Get In, Reach Xbox Support

If the self-service flows have not worked, Xbox Support offers a Virtual Agent and a contact page for compromised accounts. Start from the official Xbox contact page rather than any link sent to you by a stranger.

Set your expectations correctly, though. When two-step verification is enabled, support agents are not allowed to reset passwords or change account details for you; they will direct you to the self-service recovery form. Genuine agents will never ask you for your password or a verification code, so guard those even while you are getting help.

Frequently Asked Questions

How long does it take to get my Xbox account back?

If you can still receive a security code, a password reset is immediate. If you have to submit the Microsoft account recovery form at account.live.com/acsr, Microsoft reviews it and emails the result within about 24 hours. In the worst case, if two-step verification is on and you have lost your security info with no backup contact method, regaining access can take up to 30 days.

Why does the recovery form say it cannot recover my account?

The account recovery form does not work when two-step verification is turned on. Microsoft states, "If you've turned on two-step verification, you can't recover your account this way." In that situation you must recover using your second verification method, such as Microsoft Authenticator or your 25-digit recovery code.

Will Microsoft or Xbox support ask me for my password or a code?

No. Real support will never ask for your password, a verification code, or a two-step verification code, and support agents cannot reset your password or change account details when 2SV is enabled. Anyone requesting these is an attacker, and you should not pay any third-party "recovery service" either.

What if I lose all my security info and have no recovery code?

This is the scenario to avoid, because with only one sign-in method you can permanently lose the account. That is why Microsoft recommends keeping at least three pieces of security info, such as two email addresses plus a phone or an authenticator app, and generating a 25-digit recovery code stored offline. If you do lose everything with no backup contact method, regaining access can take up to 30 days.

Should I do all of this on my regular computer?

Yes. Start recovery on a device, browser, and network you have signed in from before, because that familiar history helps Microsoft verify your identity. Always confirm you are on the genuine official domain before entering credentials or uploading ID, and never create a new account to report the hacked one.

How do I check whether the hacker is still reading my email?

After regaining access, review your account settings for changes the attacker may have made, especially connected accounts, email forwarding settings, and automatic replies. A hidden forwarding rule or auto-reply can silently redirect your mail, including future verification codes, so remove anything you did not set up yourself.
