Victim of Xbox Live phishing scam gets refund, account restored

Saturday, 7th January 2012 21:29 GMT By Stephany Nunneley

Microsoft has restored the Xbox Live account and refunded all unauthorized charges accrued due to a “phishing scam” XBL user SusanT suffered when her account was sold to the highest bidder on a Chinese website.

“While we do not ordinarily comment on specific cases, Microsoft can confirm that the account in question has been reinstated to its rightful owner and all unauthorized charges are being refunded in full,” a Microsoft spokesperson told Kotaku.

The customer, whose account Microsoft had promised to lock but did not, even after she contacted customer service several times on the matter, is just one of many people who have reported unauthorized Xbox Live account access over the last few months.

The spokesperson said that in light of the various issues with XBL accounts, the firm is currently reviewing its procedures, as the online safety of Xbox Live members “remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats.”

“However, we are aware that a handful of customers have experienced problems getting their accounts restored once they’ve reported an issue,” the spokesperson continued. “We are working directly with those customers to restore their accounts as soon as possible and are reviewing our processes to ensure a positive customer support experience.”

The MS representative went on to repeat previous statements made by Microsoft officials, reiterating that “there has been no breach to the security of our Xbox Live service.”

You can read Susan’s account of her latest interaction with Microsoft here.

In the meantime, change your passwords, don’t use the same log-in anywhere else, and use point cards to buy products from the service instead of your credit card or PayPal for the time being.

  1. Talkar

    It is also a good idea to change your password at least once a week, and have the password contain special characters, dummy example : $p455=!W0rD&13tM71n!$. This goes generally for password security. (the password I typed is meant to show what I mean, it isn’t one you should use, since it is very simple, and therefore not secure to use)

    #1 3 years ago
  2. Ireland Michael

    I’ve used simplistic passwords (not just a word, but close enough) on every single account that I’ve ever owned on the internet in my ten years on it, and I’ve never suffered a single hack, infiltration or unauthorised access to any one of them.

    #2 3 years ago
  3. DSB

    I always try to make them as long as possible, but I reckon common sense is the best protection.

    I don’t want to make a million passwords that I have to remember, so I just keep a certain set for well protected sites, and a different one for the ones I don’t trust to be ready for a breach.

    And I don’t ignore it when someone reports a breach, even if they claim not to have lost anything.

    #3 3 years ago
  4. freedoms_stain

    @1, I read an article not so long back about how common password security advice has yielded us a “system” of password creation that is difficult for people to remember (dammit where did I put my numbers and special characters again!?) but actually relatively easy for computers to crack. A better system is 3-4 unadulterated short words that leave a mental picture in your head. Easier for people to remember, harder for computers to crack.

    #4 3 years ago
  5. Talkar

    It comes down to the algorithm used. The algorithms most commonly used are a more advanced version of brute-forcing, which as you may know is just trying different combinations of words. Therefore words are usually a bad choice, unless you write in a language that is hardly used in the world, and therefore not in the interest of the hackers to implement that language into their hacking tools. But if you use English words, such as PurpleBaconHatCake, they are all words that can be looked up and put together by the program, thus making it very easy to hack.

    #5 3 years ago
  6. shogoz

    Instead of doing silly things like changing your password (like Microsoft suggests), why not just stop linking PayPal accounts and leaving a large sum of credits stacked in your account instead. For those that think I’m wrong for saying that changing their password is silly, do you really think it will increase the time hackers take to hack your account? If people are being hacked regardless then I don’t see what changing your password hopes to accomplish. Unless people are dumb enough to tell other people their password. I think to make the internet safer Microsoft should just do another system update. I certainly haven’t logged in more than twice since the ugly dashboard update came out.

    #6 3 years ago
  7. Christopher Jack

    I tend to use the first letter of dozen words in any random sentence while replacing some letters with similar looking numbers. This is an example that I’m just about to write under here:
    T143t1j4twuH. Always capitalizing the first & last letters.
    Although you’ll have to remember the sentence or write it down somewhere on paper.

    #7 3 years ago
  8. John117

    Want a secure password? Write four random words which are easy to remember, like “Happy Horse Sitting Down”. More secure than any combination of letters, numbers and symbols. And a hell of a lot easier to store in the back of your head.

    #8 3 years ago
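The thread above goes back and forth on whether a random-character password (#1, #7) or a few random words (#4, #8) is stronger, and #5 worries that an attacker's tool can simply look the words up. The following is an added example, not code from the article or from any commenter, that puts numbers on that debate: it generates both kinds of secret with a cryptographic RNG and computes their entropy from the size of the choice space. The word list embedded here is a constructed sixteen-word toy (a real Diceware list has 7776 words), and the 7776-word and 95-printable-character figures used in `compare_schemes` are assumptions for the comparison, not values from the page.

```python
import math
import secrets
import string

# Constructed toy word list for the demo. Entropy is computed from the size of
# the list actually passed in, so this small list gives deliberately small numbers.
SAMPLE_WORDS = [
    "happy", "horse", "sitting", "down", "purple", "bacon", "hat", "cake",
    "river", "stone", "cloud", "lamp", "tiger", "piano", "ocean", "maple",
]

# Assumed printable ASCII alphabet: 26 + 26 + 10 + 33 = 95 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from `alphabet_size` symbols.

    This is the quantity that matters for guessing resistance: it does not care
    whether the symbols are letters or whole dictionary words, only how many
    equally likely choices there were per pick and how many picks were made.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and 1 pick")
    return length * math.log2(alphabet_size)


def random_passphrase(words, count: int = 4) -> str:
    """Uniformly random words joined by spaces (Diceware-style).

    The attacker is assumed to know the word list; strength comes from
    len(words) ** count possibilities, not from the words being obscure.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """Uniformly random characters drawn with the `secrets` module, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes(word_list_size: int = 7776, word_count: int = 4,
                    char_alphabet: int = 95, char_length: int = 12) -> dict:
    """Entropy of a random passphrase versus a random character password (assumed sizes)."""
    return {
        "passphrase_bits": entropy_bits(word_list_size, word_count),
        "password_bits": entropy_bits(char_alphabet, char_length),
    }


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Defender's risk estimate: expected time to find the secret if an offline
    attacker can test `guesses_per_second` candidates (half the space on average)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("toy passphrase :", random_passphrase(SAMPLE_WORDS),
          f"({entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from a 16-word list)")
    print("char password  :", random_password(),
          f"({entropy_bits(len(PRINTABLE), 12):.1f} bits)")
    for name, bits in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits, ~{expected_guess_seconds(bits, 1e10) / 86400:.0f} days at 1e10 guesses/s")
```

The point the calculation makes for the #4/#5 disagreement: four words drawn uniformly from a 7776-word list give about 51.7 bits even though the attacker has the list, while a twelve-character password drawn uniformly from 95 printable characters gives about 78.8 bits. Either scheme only earns those numbers when the picks are genuinely random; a word sequence or a mnemonic sentence that a person composes by hand has far less entropy than the formula suggests, because human choices are not uniform.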
  9. OrbitMonkey

    If you want a secure password use mine: 2 bee or not two b33. Hasn’t been cracked yet.

    #9 3 years ago
  10. lexph3re

    “However, we are aware that a handful of customers have experienced problems getting their accounts restored once they’ve reported an issue,”

    So are we talking a handful of the affected users or a handful of the collective users? because if it’s collective like over 50 million that’s a lot. If affected users…well we’d still just have to know how many are actually affected by this now wouldn’t we?

    #10 3 years ago
  11. DSB

    @6 I really don’t see a point in hacking random people’s accounts. That’s a lot of work for very little achieved.

    You really just need the capacity to send mass e-mails and the cunning to make them look real. People are usually perfectly happy to fork over their passwords, and even if you only manage to fool 10 percent, if you send out 1000 e-mails, that’s a very good haul, for far less effort, carrying little to no risk. Even if you only get one percent you’ll still have 10 times the effect of a manual hack.

    Why blast open the door when you can just ask for the key?

    @11 Considering that all there is at this point is sporadic reports, it looks like a small minority. The internet tends to have a chicken little effect though.

    #11 3 years ago
  12. ManWithNoName

    I don’t know about passwords much. My recommendation is to never, ever use family names, important dates like marriage and kids’ birthdays, pets’ names, anything a simple visit to Facebook or other social service can hint at. Also, never, ever answer e-mails from unknown sources.

    It is hard to not use the same password since it is hard to remember all of them. My tip is to have one for bank account/credit card/paypal or any other service who can charge you and a different one for trivial sites.

    Please visit

    #12 3 years ago

Comments are now closed on this article.