FIFA Ultimate Team XBL account hijacks were "not a hack"

Microsoft insists user security is "ingrained in its DNA".

A recent spate of Xbox Live account hijackings involving unauthorised FIFA Ultimate Team pack purchases is not due to a system exploit or hack, Microsoft has clarified.

Speaking in an interview with Eurogamer, Microsoft's online safety director Doug Park insisted that the problem didn't represent "a new attack vector".

"It's not a hack, it's really just a different way to monetise stolen accounts," he explained.

"Any service has compromises. Facebook has compromises, WOW has compromises. What they're really doing is trying to make money off those compromises. So FIFA is a very popular title - it's just a new way for the bad guys to make money. It wasn't, based on our investigation... we didn't see anything new. It was just a different avenue."

When pushed for more information on exactly what the thieves are up to, Park suggested that a run-of-the-mill data phishing scam was the cause, though wouldn't go into specifics.

"I'm not getting into super detail on that, but there are the basics of account compromise. There's phishing, there's social engineering, there's malware. Based off of the industry today, most of it comes off malware and phishing. If they get the accounts, they sell it," he said.

"That's really all they were doing. Whether it's FIFA, or an account with a PlayStation subscription, or an account with a Live subscription, it's all basically the same thing."

So, what is Microsoft planning to do to ensure it doesn't happen again? Xbox communications director Craig Cincotta chimed in, insisting that protecting its users from security threats is "ingrained in the DNA" of Microsoft's business.

"You come in every day and try to stay ahead of these things. There are teams of people who are thinking about this day in, day out," he explained.

"You try to get to the place where you're most prepared and most well informed. That's a constant state. It's not like it's, 'Oh, we've solved that security thing'. No. You just constantly do it.

"Part of it is the responsibility to our user base. If we're going to provide people with the types of functionality and experiences they want, it's our responsibility to stay ahead of the types of exploits that we need to protect people from."

The FIFA issue first raised its head last month, when a significant number of users reported that their accounts had been taken over by cyber thieves and were being used to purchase FIFA Ultimate Team content packs, presumably for re-sale.

At the time, Microsoft announced that it was "working with our impacted members directly to resolve any unauthorised changes to their accounts."

Comments (29)

  • Gearskin #1 7 months ago

    "Hack" or no, my XBL account is still suspended after falling foul of the event. On the plus side, I got the £85 credited back by the bank quite quickly.
  • kmz #2 7 months ago

    @Gearskin Did you use your XBL password on any non-xbox.com sites? Was it the same as your password to any other service?
  • Der_tolle_Emil #3 7 months ago

    If it was phishing/malware then why did it only affect xbl users? Surely if you are out to get login data by installing keyloggers you try to get as many accounts as possible and not just xbl accounts?
  • Psychotext #4 7 months ago

    I don't care if it's a hack or not, I care that my missus has lost her account and it's taking you a month to investigate it and give it back.

    As for it being a new way for it to monetise stolen accounts, I'd really love to know how she had her account stolen when she's only ever entered the details for it into the 360 and it uses a completely unique password.

    You know, aside from some retard in customer services being social engineered into resetting the account for someone that's not the account holder. It's about time Microsoft introduced another level of verification like Steam has.
  • Der_tolle_Emil #5 7 months ago

    @Psychotext: I doubt that customer services has anything to do with it. First of all you'd have to go through multiple supporters because each of them is only responsible for certain regions and second of all the two times I had to deal with them they asked quite a lot of information to verify that I really am the account holder.

    I don't believe the story either, the attack MS is describing just doesn't quite fit. This is quite worrying because they are a) either totally clueless about what has happened or b) try to cover it up.
  • arcam #6 7 months ago

    All MS need to do to stop this is to require the 3-digit security code on the back of a credit card when purchasing points. Yes, they could still clean out your points balance but they wouldn't be able to make more purchases.

    Why MS don't do that is something you'll have to ask them, but I suspect it has something to do with the auto-renewal features they are so fond of, plus the money that would be lost from kids not being able to spend on their parents' credit card without asking permission first.
  • Psychotext #7 7 months ago

    "I doubt that customer services has anything to do with it."

    Possibly not, but short of someone installing a keylogger on the actual 360 I'm struggling to see what else could have done it, short of a full on leak somewhere.
  • yatesl #8 7 months ago

    This happened to me last week. My Xbox password is different to everything else (including EA), and I've not given it out or clicked any scam links.

    That said, Microsoft were good about it (10 minutes on the phone and they launched an investigation). The only downside is they said it'll take up to 25 days to restore my account (disabling Xbox Live) - right over the MW3 launch.
  • Der_tolle_Emil #9 7 months ago

    @arcam: Why MS don't do that is something you'll have to ask them, but I suspect it has something to do with the auto-renewal features they are so fond of, plus the money that would be lost from kids not being able to spend on their parents' credit card without asking permission first.

    If that bothers you then you need to switch to another bank. Microsoft is not the only company that does not require the security code on the back of the credit card to use the card - in fact most online shops I know only ask for it the very first time you use the card. Some shops (like Amazon) never ask for the security code in the first place. It's up to the bank to decide whether they accept transactions without the security code.
  • Der_tolle_Emil #10 7 months ago

    @Psychotext: Possibly not, but short of someone installing a keylogger on the actual 360 I'm struggling to see what else could have done it, short of a full on leak somewhere.

    That is what worries me. Installing a keylogger on the 360 is pretty much impossible anyway and I'd bet that your missus never had to enter the password anyway because it was saved - which means that there had to be external access to the data, or as you say, a leak.
  • Xensor #11 7 months ago

    Hmm so accounts and passwords that cannot have been phished or malware'd have been hacked? Yet MS insist it must be some kind of phishing/social engineering/malware and their network is secure? Someone is lying...

    Quick, blame Sony/Canada! :p
  • arcam #12 7 months ago

    @Der_tolle_Emil

    What does it matter that MS aren't the only company that does it? I'm just saying that it would solve the problem, so I'm giving the "teams of people who are thinking about this day in, day out" another idea.

    And I'm really not sure that's true about most online shops - I work in e-commerce, go to conferences etc. and that is not my experience at all. I'm talking about the 3-digit CVV code, not the additional passcode some banks use.
    Edited by arcam at 10/11/11 @ 19:17
  • OneClassyBloke #13 7 months ago

    When my account was hacked, all they did was use the forgotten password link and access my email account in order to change my password so they could access and use my account. How they got access to my email, I have no idea, but I doubt you could really call this a hack. At least in my case, there seemed to be no fault of Microsoft, rather my email provider is the issue.

    My email provider was Virginmedia btw, if anyone wants to see if there's a correlation.
  • Der_tolle_Emil #14 7 months ago

    And I'm really not sure that's true about most online shops - I work in e-commerce, go to conferences etc. and that is not my experience at all. I'm talking about the 3-digit CVV code, not the additional passcode some banks use.

    I'm talking about the CVV code as well but I probably should mention that I live in Switzerland and I am therefore primarily talking about Swiss online shops. However, I am also using PayPal on a regular basis and they don't need the CVV either - I cannot remember if I had to use the CVV the first time but I do know that saving it is not allowed so I guess they don't care for it either; then again PayPal is officially a bank now so maybe that has something to do with it.

    Of course MS could ask for the CVV every time as well but if banks allow transactions without the CVV I don't blame them. It would only be a minimal barrier if you already have full access to the account. It would help in some cases but it would have never stopped something like this from happening.
  • arcam #15 7 months ago

    @Der_tolle_Emil

    CVV code means it is impossible to make a purchase unless you have access to the actual physical card. So while it wouldn't have stopped anyone gaining access to the account, it would mean that they couldn't make any purchases on it once they had exhausted the points balance.
  • murphy1978 #16 7 months ago

    @yatesl Similar here, my account had a password reset requested on it, but nothing had been done or accessed and I was able to reset my account through security questions. But I certainly did not request a change.

    After reading a few other messages, I have no idea how they accessed my email ID either; however I don't have access to that account as it doesn't exist anymore, which will probably explain why I was OK.
    Edited by murphy1978 at 10/11/11 @ 20:08
  • oceanmotion #17 7 months ago

    The new Xbox.com now has profile protection. Don't know if that is any better; seems new.
  • The-Jack-Burton #18 7 months ago

    Its users' pennies are ingrained in its DNA; security, or the illusion of it, is just a by-product of this.
  • RodHull #19 7 months ago

    None of what he says makes any sense to me.
  • VibratingDonkey #20 7 months ago

    Instead of brushing this off with statements basically amounting to "well shit happens" and other, more empathetic, but wholly vacuous PR talk, they should inform users that they are adding another layer of authentication to combat the exact exploits mentioned by Microsoft here.
    http://store.steampowered.com/news/5123
    http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
    http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/
  • Sunyavadin #21 7 months ago

    Everyone I've seen this happen to so far had their EA account hacked, and the personal data attached to that used to reset their Xbox Live password via customer services...

    I see several steps at which security here can be improved...
  • Bluetooth #22 7 months ago

    MS are trying to cover this up big time, it was the ONLY thing that I put my credit card details in for... I only had it a couple of days, after all. I also always make sure that my email address, if reused for accounts, always has a different password.
  • Murton #23 7 months ago

    The keylogger wouldn't have to go on the 360 if the account holder uses any other LIVE service, as I believe the accounts are the same, no? So if the "victim" uses GFWL and the keylogger gets on their PC, for example. Not sure about stuff like LIVE Mail and Messenger and whatnot.

    Still, I have to agree with some of the above. By claiming to have no known security flaw and blaming this solely on phishing, social engineering and malware they're effectively saying "it's not our fault, it's consumers' fault for falling for scams", and after all of the high-profile data thefts in recent months that's not what people want to hear. People want to hear companies being frank and honest about any security flaws and what steps are being taken to prevent further instances; the blame game helps no one, and the number of people using the term "cover up" shows that quite well.
  • RexRunti #24 7 months ago

    @Murton
    Still, I have to agree with some of the above. By claiming to have no known security flaw and blaming this solely on phishing, social engineering and malware they're effectively saying "it's not our fault, it's consumers' fault for falling for scams", and after all of the high-profile data thefts in recent months that's not what people want to hear. People want to hear companies being frank and honest about any security flaws and what steps are being taken to prevent further instances; the blame game helps no one, and the number of people using the term "cover up" shows that quite well.

    That's all well and good, but what if this is caused solely by phishing, social engineering and malware?

    PS Not saying it is or isn't, just what you would expect them to say if it was.
  • Murton #25 7 months ago

    @RexRunti

    That's the thing, they're in a catch-22. Here they are saying "not our fault, it's a scam not a hack" and without something backing it some people are understandably having a hard time believing it. Strangely enough the best PR might be to go the other way and say that there has been a minor breach that may have been assisted or caused by a phishing scam and steps have been taken to strengthen the security of the network.

    People are naturally fearful of data theft, especially so now, so companies have to be careful to either A: make it look like nothing is wrong or B: make it look like they're always improving, always on alert and this statement doesn't do enough to prove there is no breach and doesn't really have the detail to convince that there is any significant improvement to security following the incident.

    I don't claim to have all the answers, but this statement could have been better. Personally I'd probably have exaggerated the breach slightly to claim a victory for my security staff in detecting and shutting down the breach and then go into an increased security spiel; telling consumers it's their own fault if their account gets stolen (which is the subtext here) is just bad PR however you look at it.
  • daymun #26 7 months ago

    Surprised only one person has mentioned the link to EA and that it wasn't mentioned in the article.

    I've found the same: many of the people whose accounts were 'compromised' also had their EA account hacked. I know in my case the EA account hacking happened first.

    Not only are they not saying it has anything to do with EA and their potentially terribly porous customer services, they also seem to be trying to brush under the carpet it has anything to do with EA at all, namely the "So FIFA is a very popular title - it's just a new way for the bad guys to make money" statement.

    Not only do I call bullshit, I see this as a pretty crappy way to defend not only themselves but additionally one of the biggest publishers on their platform.

    Just don't ask me why they'd do that.
  • AnotherIdiot #27 6 months ago

    That is what worries me. Installing a keylogger on the 360 is pretty much impossible anyway and I'd bet that your missus never had to enter the password anyway because it was saved - which means that there had to be external access to the data, or as you say, a leak.

    Aside from the password, the password recovery process needs to be secure, maybe the email account used for password recovery was compromised. Also a person logging into their xbox.com account on PC has their password exposed to PC based threats, doesn't have to be a keylogger on the 360 itself. It's a Windows Live account, maybe it was also being used for things like MSN messenger, and who knows what.
  • Machiavellian #28 6 months ago

    @daymun

    It would not be smart if MS tried to accuse another company of causing this issue without the proof. Such things get you sued, not to mention it probably would not make dealings with said company better.
  • Stratix #29 6 months ago

    There is no way my password was simply guessed, and I doubt I have a key logger as: 1. I have had no other passwords used, and 2. I haven't logged into my account in ages. What a load of crap, M$ have failed me.