Unknown OTPs (Spotify + Microsoft) + “account accessed” SMS - possible compromise or just credential stuffing?
Yesterday I received an OTP from Spotify that I did not request. I ignored it assuming someone mistyped their number.
A few hours later, I received another OTP—this time from Microsoft. That raised suspicion, so I checked the login activity on the Microsoft account linked to my phone number. I didn’t see anything unusual, and the email shown there is one I recognize (starts with my name).
However, around midnight I received a more concerning SMS:
“Microsoft: Someone else might have accessed <masked-email-redacted>. Recover at aka.ms/alcs”
The issue is: I do not recognize this email address. It might be something I created 5–6 years ago, but I can’t recall the full ID.
When I try logging into Microsoft using my phone number, I only see my current account—nothing matching that email.
I contacted Microsoft support via their official site. They confirmed the SMS is legitimate, but said they cannot assist unless I provide the full email address. They also mentioned it’s possible the attacker removed my phone number from that account.
Questions:
Is this likely an account recovery attempt chain targeting old accounts tied to my number?
Any way to recover or identify that email ID with partial info?
It feels like I am getting targeted by someone personaly known to me who seems to trying to login to various services using my number.
I had this type of unknown otp recieving issue on my another number earlier and one common trend is that it happens on Saturday or friday mostly.
I never shared any otp but this is the first time they seem to login successfully atleast to one service?
Any input appreciated.