Patrick Marshall answers your personal technology questions each week.

Share story

Q: On Monday morning, Nov. 26, one of my credit-card providers called me to inform me of potential unauthorized use of my Visa card early that morning. I did not make these purchases. I then checked my email and one of my three email addresses had some bad news in it. Starting at 4:16 a.m., my email had emails indicating that my profile and email address password was changed, that a foreign email address was added, that my and emails were deleted, and finally that my cellphone number was also deleted from my profile.

I’d really like to know if possible how my Microsoft profile was hacked and if it occurred from a brute attack though or through one of my Xboxes, which use the same profile sign-in and passwords, or if it was from a website or YouTube video I may have inadvertently looked at. I also rarely use my Xboxes, but my college-age sons did while they were home during the Thanksgiving break.

I have enabled 2-step verification on my Microsoft account and computer devices (I wasn’t aware it existed). Is there anything I need to do to protect my Microsoft profile including the Xboxes and Xbox Live?

— Tom, Sammamish

Related Tech Q&As

Read more from Patrick Marshall here >>

A: Unfortunately, the only way to determine where the hacker gained access is through analysis of network logs, and even then a talented hacker may evade detection. While log analysis might be possible in a work environment on a corporate network, it’s not feasible in your situation. And yes, those Xboxes are internet-connected computers and they can be hacked, too.

No measures ensure absolute security. But the main steps to take to reduce your vulnerability in addition to 2-step verification are:

1. Make sure you’ve got reliable anti-virus and anti-malware software running, as you have done. That will provide some protection against malware you may have acquired, but it won’t protect you against being hacked in the first place.

2. Don’t visit suspect websites and don’t click on links in emails if you aren’t sure about their source.

3. Make sure other users aren’t violating the rules in #2. (Yes, I’m thinking about those college-age Xbox players.)

4. Make sure your network is running a firewall and that your Wi-Fi is secure. I recommend not broadcasting the Wi-Fi station identifier and using WPA2 security. Also, make sure to change the administrator’s login for the router.

5. A virtual private network provides additional security, encrypting transmissions between your computer and the internet.

Q: When trying to log into my credit-union account, for more than a week I have been getting an “Invalid Password” message. I’ve tried everything this credit union has suggested, such as deleting cookies and browser history, never using a saved address. Do you have any suggestions as to what else I can do (Windows 10, latest Explorer)? I have used Chrome (doing the same as with Explorer), and it works most of the time, but not always. And I also get an occasional “User ID not recognized” message (although I can clearly see the user ID is correct).

The credit union claims it is a user problem, but I have friends who experience the same difficulty. We are on the verge of jumping ship to another financial institution, since we cannot use the online system.

— Mary Anne Schefe, Des Moines

A: Been there. And almost always — but not always — it turns out that I’m entering the wrong password. Often it’s a difference in capitalization or a subtle typo.

Once you’re absolutely sure you’re entering the correct password, or even if you’re tired of trying to figure it out, ask the credit union to reset your password. They’ll go through some routine for ensuring you’re who you say you are and then they’ll issue a temporary password. Once you’re back into your account you’ll want to change the password to something only you know.