New cases of Xbox Live account hacking come to light

Friday, 6th January 2012 14:48 GMT By Stephany Nunneley

More reports of Xbox Live accounts being illegally accessed have come to light this week, with the latest claim coming from a user who discovered her account had been sold through a site operating out of China to a Polish Xbox Live user.

Apparently, after discovering that quite a few unauthorized purchases had been made through XBL using PayPal, the user contacted Microsoft Customer Service. After being assured her account was deactivated while an investigation was conducted, she went about her business. However, she found that 72 hours later, her account was not blocked by MS, and more money had been stolen from her account through PayPal. You can read her entire story through the link.

What she describes is just another occurrence in what has become a growing concern since October, when Ars first reported that hackers had gained access to XBL profiles and purchased points as well as FIFA 11 and FIFA 12.

Despite the obvious evidence of unauthorized access, Microsoft denied that XBL had been compromised, acknowledging only a “limited” number of cases of outside account access.

However, a couple of months later, late December to be exact, Shacknews’ Xav de Matos discovered that his account had been hacked into as well, and was told by a Microsoft executive he had become a victim of a “phishing scam”.

Both Microsoft and EA told de Matos that each company was currently “working on the situation.” Meanwhile, more XBL users have contacted de Matos, stating they were currently experiencing issues with their accounts as well – some through Windows Live even, and the purchase was the Collector’s Edition of Rift.

All of this is nothing new, though, as account hacks have been reported as far back as November 2010 when The Sun (thanks, MCV) ran a feature focusing on the hack. Microsoft again quickly dismissed the issue, claiming it was a phishing scam affecting user accounts.

It is still unclear how the XBL accounts are being accessed, so until the situation is remedied, it would probably be in users’ best interest to purchase point cards from retailers to buy XBL content instead of using PayPal or a credit card.

25 Comments

  1. Ireland Michael

    Phishing =/= hacking.

    It’s either that or a key-logger on their PC.

    #1 2 years ago
  2. djhsecondnature

    @1 – Or it was a hack…

    #2 2 years ago
  3. Joe Musashi

    Seems like this is more than mere phishing. Lots of interesting insight @ GAF. Including how it’s not possible to remove your credit card details from a gold XBL acct until the renewal date (wtf?!).

    JM

    #3 2 years ago
  4. SplatteredHouse

    Because of their inaction, after insisting that the account was deactivated, she had done what she could, but she suffered further damage through their negligence.

    How bad. A series of further reports cropped up during end of last week on this subject.
    @1: it would seem to me, as there are increasing numbers of these incidents being reported, perhaps it will soon be time to cease to continue being as dismissive about the reasons for them.

    #4 2 years ago
  5. Ireland Michael

    This is a handful of individuals out of millions of users. It’s most definitely phishing or key-logging.

    I don’t even need to bother humouring any other possibility, as they will be little more than hot air assumptions.

    #5 2 years ago
  6. Stephany Nunneley

    @3 My better half just removed his CC information from his XBL account just fine not an hour ago.

    #6 2 years ago
  7. Da Man

    This has been going on for years, Chinese are selling these ‘stolen’ accounts with points and content tied to them.

    They get you banned, but lots of people buy them in EE countries, since games cost way too much. It’s being obtained through phishing, social engineering and just users having poor passwords, pretty much along the same lines as those Halo3 Recon scams, MW messages sent from modded 360s and the such. Many share the same Live ID between their general hotmail and Xbox, which makes it even easier.

    Btw, this is how Major Nelson and stepto were ‘hacked’ : http://www.ripten.com/2011/04/03/steptos-blog-handed-over-to-hacker-irony-ensues-brycew/

    #7 2 years ago
  8. Joe Musashi

    @5 Well to each their own.

    This is the GAF topic which has some interesting things to say (and many excitable reactions, naturally) on this. It’s up to each individual to protect their online details as much as any corporation – so some may find it useful.

    @6 Sounds promising. :)

    JM

    #8 2 years ago
  9. OrbitMonkey

    It may not be hacking, but it’s obvious some knowledgeable crims are targeting 360 users. Maybe Microsoft could run an online safety ad or something. A tutorial for newer users?

    #9 2 years ago
  10. Da Man

    #9, Since you asked.. there was even a whole episode with Major discussing the basics, featuring Toulouse, where he explained how you can use the security questions to create a second password, simpleton-proof tutorial.

    #10 2 years ago
  11. Psychotext

    It’s not phishing or keylogging Michael. I set up my missus’s account with a completely unique password (that she didn’t even know) and have entered it only directly into a 360 since the account was created.

    It happened on her account late last year… and if it’s phishing then they’ve somehow got into my brain without me actually knowing about it. That, or they’ve literally managed to hack one of our controllers / 360s.

    Now social engineering of some support bod in a random country (most of these accounts seem to be getting recovered to the far east), that could be quite another story.

    #11 2 years ago
  12. djhsecondnature

    @5 – I know of people who have either not used the accounts for months, or are far too savvy to be caught out by phishing scams.

    The number of reports of this is becoming increasingly larger by the day, to the stage where ignoring it is now more ignorant than it is to “humour” it.

    #12 2 years ago
  13. Psychotext

    Cause aside… that they allowed more money to be taken from this woman when her account was supposedly locked is utterly disgusting. Even if they couldn’t lock her account (Seriously? What level of ineptitude leaves you unable to lock an account in a system you completely control?), they should have at least had the decency to either unlink her payment options or contact her so that she could try and do something about it (like cancelling her payment providers).

    #13 2 years ago
  14. lexph3re

    See I’m pretty much done explaining this stuff to people on what is and isn’t hacking. Mainly because people just have to justify what they believe is right. No matter what level of hacking you view it from, it’s hacking.

    But whatever, I’ll just keep doing what I’m doing.

    #14 2 years ago
  15. DSB

    The thing that springs to mind with these stories is my experience from WoW. People got “hacked” all the time, but you could pretty much be sure that it was their own fault every single time.

    Even intelligent people managed to get their accounts stolen. I’m extremely paranoid about phishing schemes, and I’m always likely to delete e-mails from either Blizzard, PayPal or a similar place unless they’re immediately verifiable, and as a result, I’ve never had any account compromised.

    Of course people are always going to say it’s never their fault, and of course they’re going to say it’s everything between God and Chinese military hackers, but usually there’s a pretty logical explanation.

    Naturally you also have the breach element. Even though it’s rarely reported, any breach of personal information will lead to successful thefts, especially if people don’t take precautions. It’s hard to say whether Microsoft has suffered one or not, but the fact that the media is picking up on every report doesn’t say a lot in itself. I’d think it would be hard for a business as big as Microsoft to keep it a secret, and it would be a pretty bad strategy to try.

    Personally I always take steps to change all my passwords whenever a breach is reported. I’ve never had an account compromised.

    @4 With the emphasis on the words “being reported”, I guess. After Gawker and PSN lost peoples info, there weren’t a lot of reports of people suffering abuse, but it’s always going to be an inevitable result of breaches like that.

    If people know who you are, they can and will successfully claim to be you if enough competent attempts are made.

    Of course, whether Microsoft has suffered a breach or not is nearly impossible to tell.

    #15 2 years ago
  16. Banazies

    ATTENTION!!!! This has happened to my account within the last couple days. I had no problem working with Microsoft on locking my account on Jan. 4th, due to being charged 74.99 for Xbox Live points I did not purchase! However the next day I noticed that there were two charges for 49.99!!! I called them back and was told that my account was NEVER locked… However, I couldn’t access it the day they locked it. They couldn’t ask my security question because it was in Chinese. I set my security question up with Microsoft the day I reported the initial charge of 74.99, IT wasn’t Chinese and I don’t know Chinese. Alas, I am thoroughly convinced that Microsoft Xbox Live has suffered a breach! My Xbox account was locked, unlocked and changed to Chinese; if hackers can change what technical support can do, then it’s not just my account, it’s their system. I am really pissed with Microsoft, I am totaling up to about 175 bucks now, I can’t erase my bank information from the Xbox Live account because it needs to be investigated, so I had to cancel all my bank cards, PayPal AND HOPE that there was no other information that was compromised.

    #16 2 years ago
  17. Da Man

    Simple, the tech support guy was possessed by a demon. That’s what you get for celebrating New year and consequently honoring Janus.

    #17 2 years ago
  18. DonnerKebab

    FYI – it’s still going on.

    A friend’s account has just been hacked (yesterday) and his password changed, MS points wiped, and worst of all a ton of points bought on his CC. This wasn’t from phishing – seems like a straight hack as he is very security conscious (password changes etc). Just saying so people are aware.

    Hope VG247 can keep on MS’s case about this.

    #18 2 years ago
  19. Gadzooks!

    It’s phishing and it isn’t going to stop.

    #19 2 years ago
  20. Christopher Jack

    @19, No, it’s not, accounts are simply being hacked, nothing more. I personally blame the whole Windows sign in bullshit, a universal password for completely different services is a terribad idea.

    #20 2 years ago
  21. Gadzooks!

    Nah, it’s phishing.

    #21 2 years ago
  22. Christopher Jack

    Any informed person would be aware to not send passwords over the net, you’d have to be an idiot to fall for a phishing scam like this, no matter how elaborate.

    #22 2 years ago
  23. Gadzooks!

    Lol.

    #23 2 years ago
  24. DSB

    I noticed that there’s a huge problem with Xbox Live yesterday.

    I’m still using my hotmail account from over a decade ago, and my password and e-mail address are also the username and password for Xbox Live.

    So if people are using the same password for their e-mail that they use on every other site, it would be a cinch to swipe it with a phishing scam.

    Again, looking at WoW, I’m guessing that 99% of the cases of “hacking” that take place there, pretty much every day, are a result of some idiot giving away his password due to a phishing e-mail, or buying gold, or telling a “trusted friend”.

    Live has Microsoft Points. My guess is that if you sent people a “great offer” for some of those real cheap, of course requiring an “account”, you’d end up with a lot of passwords, in the cases where e-mail and password is a match.

    I think that’s a terrible system. The reason why I keep different passwords for different things is so that can’t happen, but yet Microsoft insists on linking the two. There’s no excuse for linking an active e-mail account with one that (potentially) contains credit card data.

    That’s too easy to exploit, and I find that more likely than consistent, repeated brute force attacks, which would carry a lot more risk for those perpetrating them, and I have a hard time seeing a major corporation being able to cover up a major security breach, especially one that fucks up as much as Microsoft.

    #24 2 years ago
  25. polygem

    http://www.vg247.com/forum/topic.php?id=5671&page=1

    #25 2 years ago