365 account hijacked by IT company

Forums › IT Pro and developers › 365 account hijacked by IT company

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#268593 27-Mar-2020 14:40

Hi Team

Any tips around recovering a 365 tenancy hijacked by their IT company?

We've been called by an ex client who have been locked out of their 365 tenancy by their Auckland-based IT company (apparently over a billing issue, though I have no detailed knowledge of this). The IT company involved has learned of the company owner's password (this knowledge was not authorized) and changed the owners Global Admin password. After the owner reset the password and regained access, the company blocked his account (all accounts, I suspect) so password resets can no longer be done.

I've reached out to the 4 distributors who transact CSP in NZ to ask them to see if they have this client on their books, so they can potentially help as of course they have Delegated Admin rights.

Any other suggestions? I'm also going to reach out to Microsoft and have them investigate this, though I have not yet located the appropriate channel to start this.

Cheers

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

1 | 2

4012 posts

Uber Geek
+1 received by user: 2710

ID Verified

Trusted

TEAMnetwork

Subscriber

#2448100 27-Mar-2020 14:58

You best bet is, did they change re recovery email address of the Global Administrator? If not you will be able to get in that way

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448103 27-Mar-2020 15:00

With the account blocked, you can't use the recovery options. Thanks for the thought, though.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

mrdrifter

589 posts

Ultimate Geek
+1 received by user: 294

ID Verified

Trusted

#2448106 27-Mar-2020 15:02

There are more than 4 CSP providers in NZ by the way, so it could be one of a range of org's that might be listed as a support partner. If it's the same crowd causing issues, then the best bet is Microsoft, the downside is if they don't have a dedicated account manager, they will need to go through business support via phone.

I've had to work through this before, but we had a dedicated account manager on the MS end.

nztim

4012 posts

Uber Geek
+1 received by user: 2710

ID Verified

Trusted

TEAMnetwork

Subscriber

#2448107 27-Mar-2020 15:02

Dynamic:

With the account blocked, you can't use the recovery options. Thanks for the thought, though.

Ohhh so they didn't just change the Global Administrator Password they created their own and Disabled the current one?

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448108 27-Mar-2020 15:03

Of course I can't see that, but yes it appears to be the case.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448109 27-Mar-2020 15:04

Thank you, @mrdrifter

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

New World

Shop on-line at New World now for your groceries (affiliate link).

Lias

5655 posts

Uber Geek
+1 received by user: 3978

ID Verified

Trusted

Lifetime subscriber

#2448246 27-Mar-2020 17:21

Name and shame!

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.

networkn

Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified

Trusted

Lifetime subscriber

#2448247 27-Mar-2020 17:24

Lias:

Name and shame!

That would be exeedingly stupid, given all parties stories to this are not known.

Ruphus

469 posts

Ultimate Geek
+1 received by user: 181

#2448252 27-Mar-2020 17:28

Lias:

Name and shame!

Yes please. That's an absolutely shocking way to treat their customers.

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448262 27-Mar-2020 17:39

I'd like to @Lias, believe me. At the moment we have 'if it waddles like a duck and quacks like a duck, then you can be pretty sure it's a duck'. We're approaching Microsoft for audit information to confirm the source.

This sort of thing gives the industry a bad name. If a client isn't paying, you can remove their licenses. That's all.

Another example that I've come across but fortunately never had to execute is that if a client doesn't pay for a computer that you have delivered and you decide to repossess it, remove the hard drive and leave it on site or courier it back to the client promptly. The data is theirs and you have no right to it or to withhold it.

An amusing one I did have a couple of years back was an angry Scotsman who refused to hand over a new client's server credentials until 100% of the outstanding bills had been paid. I asked the guy nicely to send the client a statement so we could get the issue resolved, and I made sure to be around the client when this arrived, just in case this was a warning shot that the client was going to be a bad payer. The client we had won had an outstanding balance of $210 and payment wasn't due for another 9 days. In that case the client just paid the bill, but as the password was the property of the client, it should not have been withheld.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

frankv

5705 posts

Uber Geek
+1 received by user: 3666

Lifetime subscriber

#2448274 27-Mar-2020 17:44

Police complaint.

It is illegal to deny something access to their computer system, even if you believe they owe you money. Likewise, acquiring an using a password is illegal.

Mighty Ape

Shop now at Mighty Ape (affiliate link).

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448293 27-Mar-2020 17:47

@frankv I agree. It's gone to lawyers already, and the Police will be next if this is not resolved promptly.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

1101

3141 posts

Uber Geek
+1 received by user: 1143

#2448763 28-Mar-2020 12:47

frankv: Police complaint.

It is illegal to deny something access to their computer system, even if you believe they owe you money. Likewise, acquiring an using a password is illegal.

Yes they can, sort of. I can see it being legally complex
"repairer’s lien"

Dont see why the police will get involved , its a civil issue . They have other things to do
We dont have all the facts . We dont know how they got the password or if they allways had it (hard to believe they just somehow obtained it)
No help at all , sorry.

I would contact the IT company involved , they may actually be helpful & give the other side of the story .
You may be trying to help a company that is completely in the wrong here.
Ive had that, companies wanting help because of repercussions after they didnt pay their IT bills .

Dynamic

4015 posts

Uber Geek
+1 received by user: 1850

ID Verified

Trusted

Lifetime subscriber

#2448848 28-Mar-2020 14:01

I spoke to the owner of the IT company involved, and he confirmed there was money outstanding. I asked if he or his company had done anything which would prevent the client accessing their data, and he was evasive. The third time I asked him, while keeping my tones smooth and calm the entire time, he said no they had not done anything to prevent the client accessing their data. From my perspective this is clearly a lie.

The client has started clearly that they will pay all outstanding money within 24 hours of access being restored. The IT firm is stonewalling. I wonder if they realise they have painted themselves into a corner and may be unsure about how to get out of the situation without admitting guilt.

I would argue that the "repairer’s lien" does not apply in this circumstance, as they have actively taken something that they do not own, as opposed to a mechanic holding a car that he has repaired and awaiting payment.

We've been dealing with this client for a couple of years to a greater or lesser extent, and they have been one of our best payers.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

networkn

Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified

Trusted

Lifetime subscriber

#2448850 28-Mar-2020 14:12

If they are prepared to pay then I suggest they pay 75 percent as a good will gesture with a written guarantee to the other I.T company they will pay once they have access to the data and tenant securely and say they will not peruse the matter further with the authorities.

Not ideal but solves the issue and everyone moves on.

1 | 2