Just had my Xbox live account hacked

[ark_ader]

Had my card charged for a new subscription (not due for three months) and they added 6000 points and stole all the rest of the points (2400).

Make sure you have changed all your passwords to something pretty strong.

Playstation network and now trusted Xbox.   

[SavannahLion]

Remind me, how do they steal the points?

[ark_ader]

Remind me, how do they steal the points?

Well it seems they get access to your account, buy live gold points and transfer them to a dummy account.  I don't think this was the case as the  Mo er bought FIFA 12 Gold Jumbo points and got everything as my account lists quite a few -240 - 240 etc.  I don't own FIFA 12.  Lucky I checked online as I have been offline with Live for a few days, due to college revision.

Nice start to the New Year.  Sorry for raging but I am pissed off.  

http://www.telegraph.co.uk/technology/video-games/Xbox/8906043/Xbox-Live-customers-hacked-in-fresh-cyber-fraud-case.html

Keep your passwords changed and block any cards registered to the Xbox live site.  Use redeem codes in future.

Oh and check this out:

http://www.neogaf.com/forum/showthread.php?t=457942

[ark_ader]

Update:

It seems Microsoft Servers have not been hacked but the issues looks from EA games. I got Battlefield 3 for Christmas and you had to login to their Battle.net to get your rankings etc.  You have to give them your gamer tag, and some how they managed to get access to my Xbox Live account and spend 6000 points (and my remaining 2400) on FIFA 12 gear.

No I don't like soccer, and I hate British soccer (its boring) and I do have a FIFA 07 that I got for 99p second hand. 

It appears that this hack has been going on since FIFA 11, and EA did get hacked earlier, so I'm taking a time out and backtracking my steps.  Most of the time it is down to phishing, but my Xbox360 account has a different Live ID than my Hotmail Live ID, so the lead goes cold there.  Passwords are Financial Network Strength, so brute force hacking is ruled out.  So I keep coming back to EA.

People are saying the same thing.  So my warning above reaches out to those who have EA Games accounts to keep passwords different for EA, or like I have done - sever the cord.

Here is some more proof:

http://www.eurogamer.net/articles/2011-10-14-xbl-accounts-hacked-to-buy-fifa-packs

[Ginsu Victim]

I was wondering how fast FIFA would enter the conversation. It has been a constant pain in the ass.

[ark_ader]

Just got the email from Microsoft today.

They investigated and restored my account (thank God) and I got all my points back.  I was awarded an extra month of Live and they are refunding the money taken from my credit card.

In the end it wasn't really Microsoft's fault, but again after review of the situation it seems some hack at Electronic Arts allowed gamertags to be exploited.  Maybe in 5 years we will find out how it was all done.

I still think the issue should go to the serious fraud department at Scotland Yard, as there are plenty of invasions going on without seeing an end.

Best lesson I have learned is to keep your credit card away from the Internet, and pay via a prepaid debit card.

Paypal is only limited to eBay purchases, now.   

[AtomSmasher]

Theres a reason I've never used a credit card (or paypal) on a console.  I always buy point cards from Amazon, then use those cards on the console.  You're emailed the numbers on the card instantly, so you don't have to wait for it in the mail.

[Well Fed Games]

Glad to hear all your points/money were returned.

[ark_ader]

Theres a reason I've never used a credit card (or paypal) on a console.  I always buy point cards from Amazon, then use those cards on the console.  You're emailed the numbers on the card instantly, so you don't have to wait for it in the mail.

Damn right.  I got another email notifying me of my account renewal and they are inviting me to add yet another credit card....I don't think so Microsoft.   

[Malenko]

Damn right.  I got another email notifying me of my account renewal and they are inviting me to add yet another credit card....I don't think so Microsoft.   

so EA ---smurfs--- up, Microsoft fixes the issue, and gives you a free month of live, and you blame microsoft?

[Le Chuck]

They investigated and restored my account (thank God) and I got all my points back. 

God doesn't care about your Xbox Live account.

(at you not with you)  That is perhaps the most obnoxious post I've ever seen and I've read a lot of your trite quips pbj.

[ark_ader]

Damn right.  I got another email notifying me of my account renewal and they are inviting me to add yet another credit card....I don't think so Microsoft.   

so EA ---smurfs--- up, Microsoft fixes the issue, and gives you a free month of live, and you blame Microsoft?

Yes I do.  The person who had access to my account got my personal information that can be used against me or sold to other third parties.  Microsoft is supposed to be secure, we pay enough for that service.  this problem has been going on since last year.  That to me is not good enough.  Maybe for you Malenko.  These hacked accounts are being sold on a Chinese and Polish auction sites.  Some people (in this economy) live quite close on their credit card.  For some person to fraudulently use their card to rack up charges and then expect the card user to pay it.  Unfortunately the Paypal situation is much more serious a situation.

My advice to you Malenko is to do some research before you comment.  People who have had this done to them are real pissed at Microsoft.

They investigated and restored my account (thank God) and I got all my points back.

God doesn't care about your Xbox Live account.

He did and sorted it out for me, you think he doesn't care about you PBJ, but he does. 

[DaveMMR]

Damn right.  I got another email notifying me of my account renewal and they are inviting me to add yet another credit card....I don't think so Microsoft.   

so EA ---smurfs--- up, Microsoft fixes the issue, and gives you a free month of live, and you blame Microsoft?

Yes I do.  The person who had access to my account got my personal information that can be used against me or sold to other third parties.  Microsoft is supposed to be secure, we pay enough for that service.  this problem has been going on since last year.  That to me is not good enough.  Maybe for you Malenko.  These hacked accounts are being sold on a Chinese and Polish auction sites.  Some people (in this economy) live quite close on their credit card.  For some person to fraudulently use their card to rack up charges and then expect the card user to pay it.  Unfortunately the Paypal situation is much more serious a situation.

My advice to you Malenko is to do some research before you comment.  People who have had this done to them are real pissed at Microsoft.

They investigated and restored my account (thank God) and I got all my points back.

God doesn't care about your Xbox Live account.

He did and sorted it out for me, you think he doesn't care about you PBJ, but he does. 

This will end up being the strangest thread in PnR if this continues...

And glad to hear you got your problem worked out, Ark.

[lilshawn]

They investigated and restored my account (thank God) and I got all my points back. 

God doesn't care about your Xbox Live account.

George Bush doesn't care about xbox live accounts.

[Gray_Area]

This will end up being the strangest thread in PnR if this continues...

PnRnN. Hey, that's xlose enough to......

[hypernova]

I signed into my account tonight to find myself a victim of this!

Turned on the 360, and was greeted with the message that "your console was signed in from a different location last time" or whatever it was.  (edit:  I had just played last night, so it happened it the last 20 or so hours.)  After reading this thread a month ago, I knew exactly what was up.  Lo and behold, there is some FIFA achievements on my console.  They used my points to download the "Ultimate Team Packs" or whatever they were.  I did have a credit card attached to the console, but unfortunately for them, it's long since expired.  HAH!  They only ended up with the 2500 or so points I had tied to it.

Sucky thing is the fact that the email address I had tied to it is an old one that I no longer have nor can I get access to it (different ISP provider).  So I can't even get a password change.  I can't sign into my live account on a PC, as they may have changed that.  I had my password written somewhere, but it doesn't work, so I assume they changed it.  (Or I did to something I can't remember).  Could've sworn I changed the email associated with it.  Oh well.

Already called and talked to MS LIVE.  They will be suspending the account and investigating.  Guy on the phone said could take 25 business days, but in reality it's only taking about 3-10.  Ark's experience looks like right in there, at about 5 business days, so that's what I'm expecting.

You know something is up when you're greeted with the message that your ID was signed in from a different console.  Like others have said, I'm not trusting MS or Sony or anyone's consoles when it comes to my CC info.  Glad mine was outdated in this instance.

Will update when all is said and done.  Oh, and assuming I didn't change my password myself, it was rather weak.  Only 6 characters.  I'll go a little stronger next time.

[ark_ader]

Sorry to hear that.

Question:  Did you play any Battlefield3 or any other EA game recently?  Did you create an account with EA to link your Xbox game?

Xbox live gave me a free account for a month.  If I was you I would just keep the code for the extra month.  Your account would be reactivated within 20 days, and another month code will be sent to you with your 2800 points as a another code.

What pisses me off is the unwanted FIFA achievement, and how it reminds me of this invasion.  Also to note I gave my address and mobile number on the account for the CC. 

After the hack I started getting odd phone calls on my mobile and text messages.  I am contemplating having my number switched.

Well M$ will sort it out, and I hope the Chinese hacker gets life in some ---steaming pile of meadow muffin--- hole prison.

[Turvey]

Had my card charged for a new subscription (not due for three months) and they added 6000 points and stole all the rest of the points (2400).

Make sure you have changed all your passwords to something pretty strong.

Playstation network and now trusted Xbox.   

Thank God I have a life. 

[lilshawn]

you know, you guys can just go buy a prepaid card for XBL and NOT use your creditcard right??

why does everybody just plunk their CC into anything these days. it's no wonder crap like this keeps happening.

BTW everybody, i'm going to need you all to post your CC info and mothers maiden names and your pin numbers and passwords and junk here... you know... just to verify you are who you say you are.

[Well Fed Games]

you know, you guys can just go buy a prepaid card for XBL and NOT use your creditcard right??

Best lesson I have learned is to keep your credit card away from the Internet, and pay via a prepaid debit card.

[saint]

So timely enough, I just signed up my son's account on X-box Live. I used a pre-paid card to buy a 12-month gold membership, but didn't have any points. I used PayPal to buy some points. I then immediately changed my PayPal account password.

Anything I should be worried about? They're playing Halo Reach and Dance Central 2 mostly.

[AtomSmasher]

So timely enough, I just signed up my son's account on X-box Live. I used a pre-paid card to buy a 12-month gold membership, but didn't have any points. I used PayPal to buy some points. I then immediately changed my PayPal account password.

Anything I should be worried about? They're playing Halo Reach and Dance Central 2 mostly.

I'm sure you're fine, although since PayPal is connected directly to my bank account, I went ahead and use the added security their security key system.  You link up your phone to your account, then anytime you want to make a paypal purchase, they text you a six digit key you need to enter in along with your password.  I figure the added security makes it more then worth the minor annoyance, plus it's free.
https://www.paypal.com/securitykey

[ark_ader]

So timely enough, I just signed up my son's account on X-box Live. I used a pre-paid card to buy a 12-month gold membership, but didn't have any points. I used PayPal to buy some points. I then immediately changed my PayPal account password.

Anything I should be worried about? They're playing Halo Reach and Dance Central 2 mostly.

If the account gets hacked then whoever will just use your paypal account to buy whatever they want.  Xbox Live doesn't care and the hacker will hammer that account for all its worth. 

Yes you can dispute this with paypal, but it is just added grief.  Go on Xbox Live and stop that paypal account ASAP!

This should put you in the picture..

[hypernova]

I agree with ark.  Remove that information from your Xbox immediately.

Back then, when I put that old CC info in, it was because LIVE was running a special renewal fee for $40 for a year, so I did it.  Like I said, though, no harm this time since it was an obsolete number.

From now on, only prepaid Live and MS Points cards will be used on this thing.

ark:  I did not play BF3.  I've only played these on the 360:  CoD (MW2, MW3, Blops, WaW) Halo 1/2/3, FFXIII.

This incursion doesn't really bother me, as I already pretty much know the outcome.  Just takes about a week or so.  I'll most likely get my points back.  And I just need to get a better password.

Oh yeah, I just remembered.  My daughter went to play campaign on a game, and she had the same message when she signed in, too!  Her ID had been signed in on a different console.  No big deal there either, as there wasn't anything on that ID to do with.  No points, no CC info.  Might just nix her name in case I can't get the password.  She's not on LIVE now anyway.  It expired and she doesn't play enough to warrant the expense.  She still managed to get a 5 point FIFA achievement tagged on it.

[hypernova]

Been doing some small looking around the web...

Seems like some people like me have an old email address attached to the Live account, so they can't change their password, because the hackers already did.  My parents still have that ISP, so I'll try going that route...but this may seem pointless because...

I've found numerous youtube videos, albeit they are over a year old, but all talk of composing an email with certain information, including some hash code.  This code is apparently supposed to fool the MS servers and such into thinking that the email sender is the genuine account holder.  It then sends the username and password of that gamertag for Live.  There's multiple videos for this, each at differing times.  Most seem to be to the uploader or someone he knows, and they "recover" that information for you.  Could be a scam, but I don't know.  Other videos show some program that will do this for you that supposedly works to this day, but the one I found is mired behind numerous surveys.

Point is, is if there's some boneheadedly simple way to fool MS into giving out our ID and password, what's the point of changing the password?  I don't think this is some sort of brute force method.  I don't think this is some phishing scam that millions of us have fallen victim to or any other type of scam.  I think there is a real flaw in their servers that gives up passwords in this fashion.  Even these ones that are years old, if someone with a good knowledge of how to automate that process for thousands upon thousands of users used it, he could have all these IDs, and is checking them one by one via a script or whatever...or maybe they just go through them by hand...I don't know.  So even if MS did fix these problems, if someone stored this information that was vulnerable a year or two ago, they could still be going through them all, taking advantage of any valid ones.

My questions to all of you are:

1.  How old is your Live account?
2.  When was the last time you changed your password?
3.  What's the first character of your gamertag (just to check if it's alphabetical, but I doubt it.)

For me:

1.  Over 2 years
2.  ...Over 2 years
3.  H

I'm definitely interested in your answers, ark.

If you haven't changed it in the last few months, I highly suggest you do so.  In addition, disable automatic renewal, and remove ALL types of payments!

[javeryh]

I was hacked back in December - they drained my account of points (2200) and tried charging my CC but it had expired.  I talked to the MS CSR on a Friday and my account was restored on the following Monday.  It is so obvious they know what is going on but can't seem to do anything to stop it. 

The hack happened WHILE I WAS USING MY XBOX.  This is the insane part to me - someone was able to force me offline and steal my stuff while I was using my console.  That is the crazy part.  I can't believe MS doesn't have some sort of safeguard in place for that.  Let's see... javeryh is logged in from NJ pretty much every night but all of a sudden javeryh is trying to log in from Russia WHILE HE IS IN ONLINE NJ.  Better let him on.  It's madness.

[Samstag]

I've been on Live for about 6 years with the same password.  I've never attached any payment option to the account so I'm not too concerned about getting hacked.

[hypernova]

Come to think of it, those "email" things I've seen sound like a scam by themselves to me.  They want YOUR username AND password.  They certainly go to @live.com email addresses, but I think those are user created.

There still has to be some quick and easy method they used to get my password. 

I think this is worse than PS3's breach of security, because it doesn't seem like too many PS3 owners had their funds stolen.  MS is having this happen over and over, after large wads of cash were taken, and is doing nothing to warn its users.

Like the woman on HoX, my account was supposedly immediately suspended by the CSR guy I was talking to, but I was able to log in for a few more hours afterward.  Finally was suspended after about 4-6 hours.

[ark_ader]

Hypernova:

Over 2 Years

Over 2 years

K

I did get my hotmail frozen two weeks before and Microsoft did ask me for some information on my hotmail account and my old passwords I had on file.

My email I got was from Microsoft but my account for Xbox Live is different to my hotmail one.

The email certificate was from Hotmail and it was verified on two separate machines.  But like I said, the email for hotmail is totally different for the xbox live account.

I sent a file that probably went through a signature check for spam.  My next bit of advice to you is to have your own webserver account and register a domain. Then use that for your email.

If the above was a scam, it was a damn well good enough to believe, thus making me paranoid enough to remove anything personal online ever again.