How can Google know that a Microsoft e-mail account is "not safe"?

Question

Recently, I was forced to log in to my Gmail account with a browser to keep using it.
Then, Gmail noted that the "alternate e-mail address", my 1999 Hotmail one, which I had long ago associated with my Gmail account (in 2004), has been "detected as not secure". I forget the exact phrasing. Something about it being detected as not secure.
I'm 100% sure that I have never used the password for that Hotmail account anywhere else, and that it has not leaked, and that the account was not compromised.
However, I was still locked out of it, since approx. 2014, when Microsoft started demanding that you enter a phone number to access the account, refusing to let me dismiss it. So I was (and remain) "essentially" locked out of it.
Is it possible that, somehow, Gmail could detect this from a third-party service? What else could they mean by "detected as not secure"? Some guesses:

Maybe they have some means of checking the age of the account, and just assume that since it was registered in 1999, it must be abandoned?
Maybe it's listed in some kind of leak database, even though any password there would not be usable to log in since I never used the password elsewhere and have not been so careless as to leak it.
They are just making random nonsense up because it's a competitor's address.

Brian · Answer

Google is not going to reveal security algorithms to the public, so any guesses here are speculation.
My main guess is that Google sent 1 or more notifications to your alternate address, then decided it was abandoned because one or more of the following happened:

The notification was actionable, but you ignored it.  Possibly this could have been an e-mail asking you to reconfirm your account.
The notification was never opened (this is detectable, but not reliable).
Microsoft rejected Google's notification e-mail.  This could happen if the mailbox was full or if Microsoft blocked the account from receiving mail due to it being abandoned.

How can Google know that a Microsoft e-mail account is "not safe"?

One Answer

Add your own answers!

Related Questions

Hardening WMI: Any security benefit to changing Impersonation level & separately, setting ‘Winmgmt Standalonehost?’

Is inputting credit card numbers over a mobile phone secure?

Why does Windows not always force me to confirm my password when changing it?

Is password strength exclusively a function of character set size multiplied by password length-in-characters?

How secure is (permanent) cookie-only authentication?

How does a shared vault in password managers such as 1Password work?

Are call stack addresses predictable with all protections disabled?

Preventing access to encrypted files at all

Deauthorization Bug in messenger application – How serious is this?

How do I share secret key files with Docker containers following 12 Factor App?

Whatsapp suspicious message

How can we limit access to a single computer?

Effect of Firefox’s “Responsive Design Mode” on the browser’s fingerprint

I accidentally downloaded a .bin file, should I be worried?

Is there a security vulnerability in setting a public DNS entry to a private IP Address?

Secure a virtual machine during a lab exercise

HTML Injection to blind SSRF testing retrieves only DNS Query

Plausible reason for a VPN to point to a country different to the one you are connected to?

Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out(remote host ip)

What is the purpose of frequently rotating TLS certificates without changing underlying keys?

Ask a Question