My Experience Buying Stolen Minecraft Accounts

I was using a friend’s account to play on a friend’s server for a month or two. Well, I did have my own account back in the day. It’s just that I effectively gave it to a friend, and this was only complicated by the purchase of Mojang by Microsoft.

So, I decided to buy my own account. I did not want to pay $30 as I do not agree with any of the changes made to Minecraft since Microsoft, so I purchased an account from G2G’s Hellen Wong for $6. Good deal, right?

After payment, they provide you with login details for the Microsoft account and a backup email attached to it. When you log into the Microsoft account, it will ask to send a code to the backup email. The backup email is a Russian web service I have never heard of before. You log in, find the code, paste, and boom - you’re into the Microsoft account.

What you will quickly realize is that these are compromised accounts. The first account I purchased belonged to a Polish user. Their home address was still there, a few devices were logged in, and there was some saved web activity. On the second account, an Italian one, there was even a credit card saved.

What you do next, I would learn, is to change as little info as possible while maintaining access. If you change too much, Microsoft will realize what has happened and lock the account, and you’re out six bucks. This means you change the backup email (the seller instructs you not to use a Gmail account - maybe Google and Microsoft work together?); in my case I used a Proton email. It will probably ask to add a phone number to the account. You can add one, but it’s best to remove it after logging in so the number is not “burned” if the account is locked. You remove all devices attached to the account, revoke all apps that have access to the account, change the password, and make a new recovery code. Don’t change the name, date of birth or home address.

If you can deal with it, there’s no reason to change the language either. Use your browser’s translate or Google Translate. Take screenshots of all of the original information on the account before changing anything. If the account is locked and you go through the recovery process, Microsoft will ask you for all that info and more.

Surely Microsoft can fingerprint your device, but they don’t visibly save location data to the account from mobile logins, probably because IP alone is insufficient to geolocate users, especially mobile IPs, which often change by chance or user choice (iCloud Private Relay, VPNs, etc.). Therefore, use of a mobile internet connection/device without a VPN could be a safer way to interact with these accounts.

Conclusions

This is a bad idea and it’s a harmful market. I was against the merging of Minecraft accounts with Microsoft accounts and this is a great example of why. Instead of a market of compromised Microsoft accounts with tons of personal information being sold, you would lose a single “copy” of Microsoft. Either Microsoft needs to dramatically step up their account security or separate the two services because it is ridiculous how people are being taken advantage of.

I felt bad after I participated in this scheme, so I emailed what I thought may be the original owner of the account and offered to give it back for free. I never heard back, but it’s possible the email on the account came from the Russian seller and so there would be no way to contact them except by mail.

If I had to guess, they are getting their account login stolen by bad Minecraft launchers or other third-party services that invite them to log in. The bad guys then change the backup email, but nothing else (they are actually really lazy; it’s surprising more users don’t get their account back prior to it being sold) and then you buy it.
