Brute-force password attacks on an outlook account

Handling an unexpected random attack

I didn’t really expect my own Microsoft account to be a subject of attack given that it has minimal use beyond my younger days.

Based on https://haveibeenpwned.com/, there are only 2 main incidents of breaches that were both several years back (2019) and (2016) for collection1 and neopets respectively:

haveibeenpwned is a service by 1password to identify breaches associated with your email accounts

How did I know I was under “attack”?

I did not recognize the following attempts to login which were from IP addresses from countries all over the world:

List of attempts in recent history from Chile, Saudi, Indonesia, Mexico, Kuwait, Philippines and more

Good news is that all are unsuccessful sign-in attempts.

I was alerted by a notification from Microsoft Authenticator over breakfast but surprisingly didn’t notice or see these sign-in attempts through the week and the month.

Where could it be from?

I was thinking:

1. Data breaches — 1collection or neopets. Maybe someone has these credentials and are just attemping brute force attacks
2. Associated devices that I dropped in recycling—I did own a…