Outlook login not working? What caused the Microsoft Outlook outage today — and was it hacked?

Outlook was not hacked. Your account was not breached. Your emails are intact. Microsoft's own authentication servers collapsed — and every fix you attempt on your device is wasted effort until Microsoft repairs their infrastructure. Stop resetting your password. Stop reinstalling the app. Wait.
Is Outlook Down Right Now?
At some point before 9am on Monday, April 27, 2026, Microsoft's Outlook authentication servers began failing. Not slowly. Not partially. The identity verification layer — the system that stands between a user and their inbox — stopped completing its job. It received login requests and returned nothing usable. Users got sent back to the start. Over and over.
By 11am, over 800 reports had landed on Downdetector. More than 60% of affected users could not log in at all. Another 10% reported receiving emails but being unable to open them. The Microsoft Outlook outage was live, spreading, and accelerating — and the company had said absolutely nothing publicly.
That silence — four days of it — is as important as the outage itself. This is the full story of what broke, why it looked like a hack, what Microsoft knew and when, and what this collapse reveals about the infrastructure holding global email together.
The Outlook outage did not appear without warning on Monday morning. Users had been reporting creeping instability for four consecutive days before the authentication layer collapsed entirely. Notifications arrived but went nowhere when tapped. Accounts demanded repeated logins within the same session. The mobile app loaded partially then froze. Each symptom was a signal. None of them triggered a public response from Microsoft.
Thursday, Apr 23 - First user reports of Outlook app glitches and repeated login prompts
Microsoft: silent
Friday, Apr 24 - Notifications arriving but not opening; mobile app freezing on load
Microsoft: silent
Saturday, Apr 25 - Reports of "not sent" errors on desktop despite emails delivering on web
Microsoft: silent
Sunday, Apr 26 - Accounts requiring re-authentication multiple times per session
Microsoft: silent
Monday, Apr 27 - Full authentication collapse before 9am. 800+ Downdetector reports by 11am
Microsoft: confirmed
Microsoft only acknowledged the disruption after users flooded social media and Downdetector with reports on Monday morning. The Service Health dashboard — Microsoft's official channel for communicating outages to its users — published a "service degradation" notice only after the collapse became impossible to ignore. Four days of warning signs produced zero public communication. One viral wave of user complaints produced an official statement within the hour.
"The app has been glitchy for about four days. This is the second time I have had to uninstall and reinstall. Now I cannot get my accounts to authenticate at all." — Downdetector user, April 27
What Technically Broke Inside Microsoft's Outlook Servers
To understand the Outlook outage, you need to understand what authentication actually does. When you open Outlook and enter your credentials, your device does not simply check your password against a list. It initiates a multi-step cryptographic exchange with Microsoft's identity servers — specifically, the Azure Active Directory infrastructure that underpins all Microsoft consumer and enterprise accounts.
That exchange works like this. Your app sends a request to Microsoft's auth endpoint. The server generates a session token — a temporary cryptographic key that proves your identity to Outlook's mail servers. Your app receives the token and uses it to access your inbox. Every session, every sync, every send relies on that token being issued correctly and accepted by downstream services.
On Monday morning, that token generation process broke. Microsoft's auth servers received login requests but failed to return valid session tokens. The apps had no token to present to the mail servers. So the mail servers refused access. The apps, with no valid session and no clear error to display, defaulted to the only action they could take — send the user back to the login screen and try again.
Technical breakdown — what failed and where
Failed layer - OAuth 2.0 token issuance via Azure AD authentication endpoint
Symptom - Auth server receives credentials, fails to return valid session token
Effect on apps - Apps enter infinite login loop — no token means no inbox access
Effect on 2FA - 2FA completes correctly but token still not issued — loop continues
Third-party clients - Apple Mail, Thunderbird fully blocked — no fallback path available
Web version - Partially functional — different auth path gives limited access
Fix location - Server-side only — no local action resolves the issue
The asymmetry between third-party clients and the official web app is particularly revealing. Apple Mail and Thunderbird use IMAP and SMTP protocols to access Microsoft mail servers — but they still depend on OAuth tokens for authentication. When token issuance broke, those clients lost access entirely with no fallback. The official Outlook web app uses a slightly different authentication path that partially survived the failure, giving some users read access through a browser even while their apps were completely locked out.
That difference is not a design triumph. It is an accident of architecture. And it means that the advice to "just use the web version" only worked for some users — those whose accounts happened to land on servers that retained partial function.
Was Outlook Hacked? Why It Felt That Way — and Why It Wasn't
No. Outlook was not hacked. There is no evidence of a security breach, no unauthorised access to user accounts, and no data exfiltration. Microsoft has not issued any security advisory. The authentication failure was an infrastructure collapse, not an intrusion.
But the outage was engineered by circumstance to feel exactly like a breach. Consider what users experienced. Their Outlook login stopped working without explanation. The app displayed warnings that their account was "not authenticated" — language that implies something external changed your account status. Unexpected password prompts appeared mid-session, identical to what happens when someone changes your password remotely. The 2FA step triggered but produced no result, mirroring what a locked-down account looks like after a takeover attempt.
Every one of those signals pointed toward compromise. None of them were. They were all symptoms of a server that could not complete a standard authentication sequence — displaying generic error states because it had no specific error to communicate.
When an infrastructure failure mimics a security breach, users take destructive recovery actions — password resets, account lockouts, recovery email changes — that complicate genuine restoration. Microsoft's error messages were not designed for this failure mode. They communicated the wrong story to hundreds of thousands of people simultaneously.
Multiple users on Reddit described the moment they realised the problem was widespread, not personal. One wrote that they had already changed their password twice and enabled additional security measures before seeing a Downdetector thread confirming the outage. Another said they had called their bank to flag potential email compromise before the Microsoft Service Health notice appeared. The human cost of Microsoft's four days of silence extended far beyond inconvenience.
The Outlook Login Loop Explained — Why Nothing You Try Works
The login loop is the most maddening feature of this Outlook outage. It does not fail loudly. It does not display a clear error. It simply returns you to the beginning — infinitely, patiently, offering no explanation and no exit.
Here is precisely why. Your Outlook app sends your credentials to Microsoft's auth server. The server processes the request. It attempts to generate a session token. The token generation fails — silently, internally. The server returns an incomplete or invalid response. Your app receives it, finds no valid token, and determines the login was unsuccessful. It displays the login screen again. You try again. The server fails again. The loop continues.
Two-factor authentication does not help because it sits inside the broken pipeline. When you enter your 2FA code, it is received and validated correctly. But the next step — converting that validated identity into a usable session token — is where the server fails. Your correct 2FA response vanishes into a broken process and returns nothing. The app sees no token. Back to the login screen.
Uninstalling and reinstalling the app does not help because the app is not broken. It is behaving correctly — requesting authentication, receiving a failure, reporting it as a login error. Reinstalling gives you a fresh copy of an app that will make the same request to the same broken server and receive the same broken response.
Resetting your password does not help because the server does not fail on password validation. It fails after — on token generation. A new password goes through the same broken pipeline and produces the same missing token.
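A client can avoid the loop described above by telling a rejected credential apart from a reply that simply carries no token, and by backing off instead of re-prompting in the second case. The sketch below is an added example, not code from Microsoft or from this article; the function names, the backoff policy and the sample replies are assumptions, and the error codes are those defined in RFC 6749 section 5.2.

```python
import json
import time

# RFC 6749 section 5.2 codes that mean the credential or grant itself was rejected.
CREDENTIAL_ERRORS = {"invalid_grant", "invalid_client", "unauthorized_client"}

def classify_token_response(status, body):
    """Classify one token-endpoint reply as 'ok', 'reauthenticate' or 'service_fault'."""
    try:
        doc = json.loads(body) if body else {}
    except ValueError:
        return "service_fault"            # HTML error page, truncated JSON, etc.
    if not isinstance(doc, dict):
        return "service_fault"
    if status == 200:
        # A 200 with no usable token is the failure the article describes.
        token = doc.get("access_token")
        return "ok" if isinstance(token, str) and token else "service_fault"
    if status in (400, 401) and doc.get("error") in CREDENTIAL_ERRORS:
        return "reauthenticate"
    # 5xx, 429 and unrecognised errors are no evidence of a bad password.
    return "service_fault"

def sign_in(request_token, max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Call request_token() -> (status, body); re-prompt only on a credential error."""
    for attempt in range(1, max_attempts + 1):
        verdict = classify_token_response(*request_token())
        if verdict == "ok":
            return {"state": "signed_in", "attempts": attempt}
        if verdict == "reauthenticate":
            return {"state": "prompt_user", "attempts": attempt}
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))   # back off, do not loop the UI
    return {"state": "service_unavailable", "attempts": max_attempts,
            "message": "Sign-in service is failing. Your password is not the problem."}

# Constructed sample replies, not captured from Microsoft's servers.
SAMPLE_OUTAGE = [(200, '{"token_type": "Bearer"}'), (503, ""),
                 (500, "<html>error</html>"), (200, "")]
SAMPLE_BAD_PASSWORD = [(400, '{"error": "invalid_grant"}')]

if __name__ == "__main__":
    for name, replies in (("outage", SAMPLE_OUTAGE), ("bad password", SAMPLE_BAD_PASSWORD)):
        it = iter(replies)
        print(name, sign_in(lambda: next(it), sleep=lambda s: None))
```

With the constructed outage replies the client ends in a distinct "service unavailable" state after bounded retries, so the user is never told to re-enter or reset a password that was accepted.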
Who Is Affected by the Microsoft Outlook Outage and What Still Works
The outage struck consumer Microsoft accounts — Outlook.com and Hotmail addresses — hardest. Enterprise Microsoft 365 accounts, which use a separate authentication infrastructure, appear largely unaffected. The disruption is concentrated in the consumer identity stack, not the business one.
Geographically, UK users represent the largest concentration of reports on Downdetector, with over 700 reports by 11am. But the outage is global. Reports have come in from users across Europe, North America, and Asia. This is not a regional infrastructure failure. The affected servers serve international consumer traffic.
What still works varies sharply by access method. The Outlook web app — accessed at Outlook.com through a browser — is the most stable route. Some users report full read access there. Others report partial access. Sending emails is unreliable across all methods, with some users seeing "not sent" errors on desktop despite emails actually delivering when checked on the web version. The mobile app and desktop client are most severely affected. Third-party clients are effectively fully blocked.
Microsoft's Response — What the Company Said, When, and What It Left Out
Microsoft's official response came through its Service Health dashboard — a page that most users have never visited and do not think to check during an outage. The notice confirmed "service degradation" affecting Outlook.com and Hotmail. Engineers are investigating the root cause. Rolling updates will be published as the investigation progresses. No timeline for resolution was provided.
That response is technically adequate. It is not honest about the timeline. Microsoft's service monitoring systems would have detected abnormal authentication failure rates long before 800 users filed Downdetector reports. Internal dashboards track token issuance rates in real time. A sudden collapse in successful authentication would trigger automated alerts within minutes of onset.
The gap between when Microsoft's systems knew something was wrong and when the company communicated publicly is not a technical delay. It is a communication choice. And for four days of building instability before today's collapse, that choice was consistently made in favour of silence.
Microsoft has committed to rolling updates. The company has been explicit that local troubleshooting will not resolve the issue before a server-side fix is deployed. That is accurate and useful information. It would have been significantly more useful 96 hours ago.