NOT SURE IF THIS IS THE RIGHT PLACE TO ASK BUT: Unknown IP Used for Suspicious Login

Hi everyone!

Today, my grandpa asked me to check his Microsoft account because he received a notification about a password change (see the first picture).

I decided to investigate by checking the IP address associated with this change to see if it matched his usual login location. It didn’t. Since he only uses his email on his laptop, it’s highly unlikely this login was his—especially as the IP location was in a very public place.

He managed to reset his password (see the second picture) after some effort, which was fortunate.

I’m not exactly an expert in IP tracking (or anything of the sort), and I’ve only recently started looking into this kind of issue, so I’m unsure if my concerns are completely justified. But I am worried: How could someone have accessed his account and changed the password? Could his data have been leaked? And are his other assets potentially at risk?

Here’s what I’ve done so far to protect his account:

  1. Changed his password.
  2. Enabled two-factor authentication (2FA) for all logins.
  3. Added my email as a backup recovery option in addition to his phone number.

Can anyone advise on additional steps to ensure any of his other sensitive credentials and information is safe? Thanks in advance for any guidance.

If he used the same password and email combination anywhere else, change it.

If that is a login attempt, then changing your password + turning on 2FA should have fixed it.

It happened to me also, from Ukrainian IPs, once or twice a day.

After I changed my password + turned on 2FA, it stopped.

It's probably bots checking for leaked email addresses + passwords and trying to sign in to check if the account is valid. (See IHaveBeenPwned if the email was ever leaked.)

Check, will check it with him asap!

Huh, didn’t know about the bots. Good to know though! Thanks for confirming I handled it right, I truly appreciate it.