How can Google know that a Microsoft e-mail account is "not safe"?

Recently, I was forced to log in to my Gmail account with a browser to keep using it.

Then, Gmail noted that the "alternate e-mail address", my 1999 Hotmail one, which I had long ago associated with my Gmail account (in 2004), has been "detected as not secure". I forget the exact phrasing. Something about it being detected as not secure.

I’m 100% sure that I have never used the password for that Hotmail account anywhere else, and that it has not leaked, and that the account was not compromised.

However, I was still locked out of it, since approx. 2014, when Microsoft started demanding that you enter a phone number to access the account, refusing to let me dismiss it. So I was (and remain) "essentially" locked out of it.

Is it possible that, somehow, Gmail could detect this from a third-party service? What else could they mean by "detected as not secure"? Some guesses:

  1. Maybe they have some means of checking the age of the account, and just assume that since it was registered in 1999, it must be abandoned?
  2. Maybe it’s listed in some kind of leak database, even though any password there would not be usable to log in since I never used the password elsewhere and have not been so careless as to leak it.
  3. They are just making random nonsense up because it’s a competitor’s address.

Information Security Asked by Gsnail on December 29, 2020

One Answer

Google is not going to reveal security algorithms to the public, so any guesses here are speculation.

My main guess is that Google sent 1 or more notifications to your alternate address, then decided it was abandoned because one or more of the following happened:

  • The notification was actionable, but you ignored it. Possibly this could have been an e-mail asking you to reconfirm your account.
  • The notification was never opened (this is detectable, but not reliable).
  • Microsoft rejected Google's notification e-mail. This could happen if the mailbox was full or if Microsoft blocked the account from receiving mail due to it being abandoned.

Answered by Brian on December 29, 2020
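
How a sender can recognise the third case in the answer above (the receiving provider rejecting the notification), as an added example that is not part of the original answer and does not represent Google's actual logic: it parses a bounce in RFC 3464 format and maps the RFC 3463 status code to a reason. The sample message, the addresses and the `classify_bounce` name are assumptions made for illustration.

```python
from email import message_from_string, policy

# Constructed sample bounce (RFC 3464 delivery status notification); not real mail.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: notify@sender.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; olduser@mailbox.example
Action: failed
Status: 5.2.1
Diagnostic-Code: smtp; 550 5.2.1 Mailbox disabled, not accepting messages

--b1--
"""

# RFC 3463 enhanced status codes that point at a dead or unusable mailbox.
REASONS = {
    "5.1.1": "mailbox does not exist",
    "5.2.1": "mailbox disabled",
    "5.2.2": "mailbox full",
}

def classify_bounce(raw):
    """Return (recipient, status, reason) for each failed recipient in a DSN."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The payload is a list of header blocks: per-message, then per-recipient.
        for block in part.get_payload():
            if block.get("Action", "").strip().lower() != "failed":
                continue
            status = block.get("Status", "").strip()
            rcpt = block.get("Final-Recipient", "").split(";", 1)[-1].strip()
            results.append((rcpt, status, REASONS.get(status, "other failure")))
    return results
```

A bounce like this tells the sender only that mail to the address is not being delivered; it says nothing about whether the account's password was compromised.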
