Is this the hack used to exploit Xbox Live accounts?

Fraud victim appears to work it out.

Last week we asked if Xbox Live had been hacked. We used the detailed account of Xbox Live fraud victim Susan Taylor to suggest that yes, it had.

After publishing the article, Eurogamer was approached by half a dozen other readers who had experienced similar exploitation on Xbox Live.

All the while, Microsoft staunchly denied any such security breach on Xbox Live.

But now we may have discovered how those Xbox Live accounts were broken into.

Eurogamer was contacted recently by "Jason", a man who claimed to know how to hack into Xbox Live accounts. He offered us an explanation via email last night. But our efforts to validate his claims were cut short by website AnalogHype, which today posted an uncannily similar "how-to", based on information provided by a source named Jason Coutee.

The same Jason? Probably.

Coutee and Eurogamer's "Jason" point the finger at Xbox.com - the website. It allows eight password attempts at a Windows Live ID before CAPTCHA - the system that presents those squiggly words - is triggered. A simple password-generating script can apparently be used to exploit this window before CAPTCHA kicks in.

The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will tell you whether they're valid: "the email address or password is incorrect" for a real ID, versus "That Windows Live ID doesn't exist." for one that isn't.

Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points. That's how it sounds. We haven't tested this, naturally.
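As an added example (not code from the article, from Microsoft or from the sources quoted), the following Python models the two login behaviours the article describes, an error message that confirms whether a Windows Live ID exists and a CAPTCHA that only trips after eight failures, beside a hardened handler that answers every failure the same way and counts failures per account on the server. The sample user store, the salt and iteration count, the per-session counter in the weak model (an assumption reflecting the reset readers report in the comments) and the tighter threshold of three are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample user store; no real accounts. Passwords are kept as
# salted PBKDF2 hashes. A fixed salt and a low iteration count are used so the
# example runs quickly; real deployments use a random per-user salt and far
# more iterations.
SALT = b"constructed-example-salt"
ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"susan@example.com": _hash("correct horse battery")}  # constructed
DUMMY_HASH = _hash("not-a-real-password")  # compared against for unknown IDs

WEAK_CAPTCHA_AFTER = 8   # the threshold the article describes for Xbox.com
HARD_CAPTCHA_AFTER = 3   # assumed tighter threshold for the hardened handler
UNIFORM_ERROR = "The email address or password is incorrect."


@dataclass
class WeakLogin:
    """Models the behaviour the article describes: a different message for an
    unknown ID than for a wrong password, and CAPTCHA only after eight
    failures. The counter is held per client session (an assumption that
    models the 'try another ID' reset readers reported), so a fresh session
    starts the count from zero."""
    session_failures: dict = field(default_factory=dict)

    def attempt(self, session: str, live_id: str, password: str) -> str:
        n = self.session_failures.get(session, 0)
        if n >= WEAK_CAPTCHA_AFTER:
            return "CAPTCHA required"
        stored = USERS.get(live_id)
        if stored is None:
            self.session_failures[session] = n + 1
            return "That Windows Live ID doesn't exist."  # enumeration oracle
        if hmac.compare_digest(stored, _hash(password)):
            self.session_failures[session] = 0
            return "OK"
        self.session_failures[session] = n + 1
        return UNIFORM_ERROR


@dataclass
class HardenedLogin:
    """One message for every failure, the failure counter keyed by the
    submitted ID and kept server-side (so switching session or ID does not
    reset it), and CAPTCHA after a small number of failures. Unknown IDs are
    hashed and counted exactly like real ones, so neither the message, the
    timing nor the throttle reveals whether an account exists."""
    account_failures: dict = field(default_factory=dict)

    def attempt(self, session: str, live_id: str, password: str) -> str:
        n = self.account_failures.get(live_id, 0)
        if n >= HARD_CAPTCHA_AFTER:
            return "CAPTCHA required"
        stored = USERS.get(live_id, DUMMY_HASH)
        candidate = _hash(password)  # always computed, even for unknown IDs
        if live_id in USERS and hmac.compare_digest(stored, candidate):
            self.account_failures.pop(live_id, None)
            return "OK"
        self.account_failures[live_id] = n + 1
        return UNIFORM_ERROR


def leaks_account_existence(handler) -> bool:
    """True if the handler answers differently for an unknown ID than for a
    known ID with the wrong password, i.e. the error text can be used to
    confirm which Windows Live IDs exist."""
    unknown = handler.attempt("probe", "nobody@example.com", "x")
    known = handler.attempt("probe", "susan@example.com", "x")
    return unknown != known


def failures_before_captcha(handler, rotate_session: bool, limit: int = 20):
    """Count wrong-password attempts on one account until CAPTCHA is demanded.
    With rotate_session=True every attempt arrives in a fresh session, the
    pattern that defeats a per-session counter. Returns None if the limit is
    reached without CAPTCHA ever being required."""
    for i in range(limit):
        session = f"session-{i}" if rotate_session else "session-0"
        if handler.attempt(session, "susan@example.com", "wrong") == "CAPTCHA required":
            return i
    return None


if __name__ == "__main__":
    print("weak leaks existence:", leaks_account_existence(WeakLogin()))          # True
    print("hardened leaks existence:", leaks_account_existence(HardenedLogin()))  # False
    print("weak, one session:", failures_before_captcha(WeakLogin(), False))      # 8
    print("weak, rotating sessions:", failures_before_captcha(WeakLogin(), True)) # None
    print("hardened, rotating:", failures_before_captcha(HardenedLogin(), True))  # 3
```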

Eurogamer has contacted Microsoft about this issue. Microsoft is aware of the issue and Eurogamer is waiting for a formal response.

AnalogHype says that Jason Coutee is a network infrastructure manager who had his own Xbox Live account hacked and used to fraudulently buy 8000 Microsoft Points. He called Xbox Support, who offered to freeze his account but couldn't refund him. He declined the offer and investigated himself, eventually stumbling upon the answer.

Since publishing Susan Taylor's account of Xbox Live fraud, Eurogamer has been contacted by half a dozen other people who were victims of similar exploitation. Thank you, those who have written in. And please do keep letting us know if you've had your Xbox Live account fraudulently used.

Comments (164) Latest comment 4 months ago


  • Der_tolle_Emil #1 4 months ago

    Well technically this is possible. However, brute forcing your way into an account using a webservice takes quite a while - especially because signing in to Live takes much longer than other websites anyway. Personally I think it's very unlikely that so many accounts were hacked this way.
  • rudedudejude #2 4 months ago

    Microsoft - Disgrace!

    How long have you been working in software & security Microsoft?
  • mvrander #3 4 months ago

    If this had been PSN accounts there would be 300 comments on this story by now.
  • riz23 #4 4 months ago

    This is the sort of journalism I want to read on EG (even if it was handed to you)
  • sfp_noodle #5 4 months ago

    Quite frankly I just find it disgraceful that MS STILL aren't admitting that they've been hacked, despite there being conclusive evidence all over the web, and in every recorded phone call they've received over the issue.
    Edited by sfp_noodle at 13/01/12 @ 13:48
  • rudedudejude #6 4 months ago

    It's really not that difficult to set up an automated password checker / login attempt script. Leave it running for a few days and Robert's your father's brother.
  • jaywalker3010 Verified Mastering Manager, Square Enix #7 4 months ago

    So if they haven't hacked you in 8 attempts they move on to the next one? Simple solution then: don't have `password` as your password!!!

    It's not a `hack` though in the traditional sense, it's just `trying to login as the person over and over`.. a hack to me is something that gains access and pulls info down.. The above is true for ANY website username/login system surely.. Yes MS can make the system not give the `info` away like if the account exists or not, or make CAPTCHA kick in quicker, but they cannot stop people having simple passwords
    Edited by jaywalker3010 at 13/01/12 @ 13:51
  • 16bitworld #8 4 months ago

    Wouldn't surprise me if true and it would be a security flaw on their side. While not as bad as Sony's (who cares still accounts being breached) they should be forced to compensate anyone and everyone who has been hacked.
  • Widge #9 4 months ago

    Hacked, or exploited?

    I personally think a hack is a more intrusive breach of a system.
  • Bilstar #10 4 months ago

    Nice find EG. MS won't look too clever if this is proved correct.
  • TrevHead #11 4 months ago

    All MS need to do is have the captcha kick in after 1 or 2 failed attempts. Problem fixed.
  • rudedudejude #12 4 months ago

    Is it even possible to unlink your credit card from your account?

    Edit: Ahh yes... Done.
    Edited by rudedudejude at 13/01/12 @ 13:53
  • J0rdan_KZ #13 4 months ago

    This is a spectacularly simple way to hack these accounts. I can't believe there's no secondary verification, something along the lines of Steam Guard.
  • sfp_noodle #14 4 months ago

    @Widge

    Well they are signing into Xbox Live accounts that don't belong to them and using customers' credit/debit cards to purchase MS points. They are then changing the password so that the original user can't access it. I think I'd define that as being hacked if it happened to me...
  • braydee89 #15 4 months ago

    I'm paying MS to keep me secure, so I hope they move fast on this.
  • the_dudefather #16 4 months ago

    I look forward to the new layer of security where you'll have to pet a randomly generated cat using Kinect to access your xbox live account
  • Eraser #17 4 months ago

    @sfp_noodle There's a difference between being hacked and someone correctly guessing a password.

    I am inclined to agree with Der_tolle_Emil (the very first post). It seems unlikely that brute forcing a password through Xbox.com results in so many positive hits, unless those doing the brute force had some other way to narrow down the list of possible passwords. Maybe these users had really short passwords?

    The thing XBox.com really should do differently is put the captcha in place at the very first login attempt and have one single response for an invalid login attempt and not differentiate between a non-existing account and an incorrect password.
    Edited by Eraser at 13/01/12 @ 13:57
  • marcusmiller #18 4 months ago

    This is not technically a hack/crack but it is more a case of people exploiting poor passwords. If there is an xbox live account with the GT of Marcus1975 and the password is Marcus1975 then... you kind of deserve what you get.

    So, whilst it does not look like a true hack of the scale on the Sony network, Microsoft, Sony and others need to be doing a lot more to ensure people use secure passwords when this is the only obstacle between an unscrupulous sort accessing someone's bank account.

    As well, with the nature of this, many of these accounts could be kids accounts with their parents credit details behind a daft password like 'ben10' or something else easily guessable.

    It seems crazy that MS would allow this to happen though, surely if someone gets a password wrong 3 times they should have to go through some kind of unlocking system much like on the apple store?
  • Optyk #19 4 months ago

    Is there any way to change the email associated with your XBL account?
  • Bertie Verified Senior Staff Writer, Eurogamer.net #20 4 months ago

    I'm not much of a hacking boffin, so I really appreciate you correcting any errors I've made regarding such in the text. I'm off for some lunch now but I'll delve into your comments when I get back.

    Incidentally, thank you everybody who has been emailing me information about being exploited on Xbox Live. We were still trying to work out what to do with the information when this happened - so apologies for the silence on our part.
  • grayn #21 4 months ago

    I congratulate all the pedants for getting right to the heart of the issue i.e. whether the word hack is being used correctly.
  • DDevil #22 4 months ago

    Interesting as when my account was done before Christmas my password was unique, not a word and contained a combination of upper/lower case characters and numbers, so it's not just people with crappy passwords getting caught.
  • Spekingur #23 4 months ago

    This just isn't much different than brute forcing your way in to any account connected to the internet.
  • Optyk #24 4 months ago

    Also, until this issue is resolved, it would make sense to unlink any credit cards stored and use points cards until it is fixed.
  • Joco84 #25 4 months ago

    Anyone who gains access to data and information that they should have is a hacker, pure and simple.
    Yes, people should have better passwords, but this is hacking, no matter what way you look at it.
    MS need to take urgent action to resolve this, I find it appalling that in the wake of the PSN break, they take such a laid back attitude to it all.
  • Subdominator #26 4 months ago

    With so many email/password combinations stolen and leaked on the net over the last year I don't think anybody had to actually use brute force on xbox.com to crack accounts. Most people just use one password for all their logins. Just enter those email/password combos on xbox.com and you're sure to find a couple of accounts where you gain access. Or just by sending phishing mails to known Xbox Live members. Even with eight logins brute force simply won't work. What are the chances of getting the right combination out of trillions of possibilities when you have eight tries? They are non-existent.
  • Subdominator #27 4 months ago

    @Optyk That would always make sense since buying points or Xbox Live months with your credit card directly from Microsoft is much more expensive than nearly everywhere else.
  • Subdominator #28 4 months ago

    @Optyk Yes. Did so myself sometime last year.
  • Killham #29 4 months ago

    There's a pretty important detail in the source article that's not clear in EG's summary: after you fail your eight attempts and get a Captcha, you also get a "Try with another ID" link, which removes the Captcha but doesn't actually stop you from entering the same ID again.
    So you just need to write your script to use that loophole, and it's a regular brute force attack.
  • DoctorPolski #30 4 months ago

    Is it me or does 8 seem like a strange number of attempts before Captcha? One response to a failed login that doesn't give away the validity of any other info is a must. Limit the failed attempts maybe? But otherwise this has nothing to do with Xbox Live at all. It could be any of a million other websites.
  • Wash #31 4 months ago

    So this article is suggesting that a script is managing to correctly guess people's passwords in 8 attempts? Right.... some weak ass passwords, or they have them from somewhere else.
  • Ranger101 #32 4 months ago

    @grayn It's important that the distinction is made, otherwise it's like calling any game with 2 groups of people on a field and a ball-like object "Rugby".

    If people don't know what you're specifically talking about, then there's no real way to address it or to provide accurate advice.

    This is not a hack, it's Brute force unauthorised access. No systems are being subverted through alternate means, the correct channels are being used.

    This highlights that people are using weak passwords, and that Microsoft need to be more careful with the wording of their error codes, and perhaps reduce the number of attempts before tripping Captcha.

    If it was a Sony-style hack, having the world's most convoluted password, or the most generic error message or 1-trip Captcha would make absolutely no difference.

    Simple fact is, it doesn't appear (at this time) that the normal channels of access are being subverted. Unlike the Sony situation.

    Disclaimer: I am a developer and 360, PS3 owner.
  • Spekingur #33 4 months ago

    @DDevil You have never used it anywhere else? I have gotten my WoW account and my LOTRO account broken into.
    My WoW account was inactive but I had 10 free days that you had to activate associated with the account that got used - my old characters did not get accessed as far as I know but a new one was made and used to advertise a goldseller on a popular server. My LOTRO account got broken into after the move from Codemasters to Turbine.
    These accounts did not share a password and both used all kinds of combination of letters and numbers. They were not used anywhere else. In both cases I was told my computer had been compromised. I knew that was not the case even when I double-checked with malware checks and anti-virus software.

    So either they were brute-forced or login servers got compromised. It's weird that most companies do not give you access to login history of your own account. This is information that they already have and should be easy to display.
  • Snake_2011 #34 4 months ago

    mvrander very pro MS on here.
  • lolercopter #35 4 months ago

    Brute-force attacks are hardly hacks, they are just trial and error attempts. Provided your password isn't qwerty or your mother's birth date and has a mixture of numbers and letters, you should be safe.
  • customfirmware #36 4 months ago

    People really believe that's how they got into those accounts?? I know around 5 people that this hack has happened to and trust me when I say it's not as simple as guessing someone's password. Before it was phishing, now it's they are just guessing your password. Microsoft should have sorted this ages ago but are still letting their customers lose money. Say what you want about the Sony breach but I haven't heard of anyone losing money over it.
  • Daddy-Doom-Bar #37 4 months ago

    I tell you what, why don't you post the information here on how to possibly hack accounts. That will stop the bastards, won't it?
  • Tyronne #38 4 months ago

    My account was hacked, all my points used up on crappy football related stuff (FIFA 12 related) but thankfully nothing taken on my credit card.
    Pissed off that they are still saying that this is a small scale thing as it seems to be getting bigger all the time.
  • [maven] #39 4 months ago

    Is no-one actually reading the article? (Wait! Don't answer that!)

    1) Normally, a login system does not (and should not) indicate whether an incorrect login attempt contained a valid username.
    2) Secondly, after N failed attempts, further tries to log in are usually prevented (especially to avoid brute-forcing).
    According to the article, neither of these steps was taken for (or they were circumventable with) Xbox.com. Both of these exist EXACTLY to make brute-forcing passwords less feasible.
  • DJKrome #40 4 months ago

    @customfirmware it's not guessing a password. It's creating a script to batch enter characters and common passwords until it gets in. It's not like they're sitting around typing in Bloodymary and queensknickers
  • Lonewolf2002 #41 4 months ago

    @sfp_noodle

    Microsoft have not been hacked, people are hacking into live accounts. There is a big difference.
  • Fat_Pigeon #42 4 months ago

    Eurogamer forgot to include the fact that the CAPTCHA is reset after a refresh. That's the major problem here.

    Not quite on the same level as Sony losing thousands of people's details.
    Edited by Fat_Pigeon at 13/01/12 @ 14:35
  • Lonewolf2002 #43 4 months ago

    @DJKrome

    How the hell did you get hold of my passwords? :D
  • darkmorgado #44 4 months ago

    @Joco84

    "Anyone who gains access to data and information that they should have is a hacker, pure and simple."

    No they're not. I could easily get hold of information at work that I am not supposed to access, make copies, and keep it for my own reasons. That's not hacking, it's data theft.

    There's a difference.
  • barchetta #45 4 months ago

    So... how many ways are people seeing the fraud has occurred? Via CC statements after the event or receiving unexpected Points purchase notifications from Microsoft etc.?
  • the-bilal-show #46 4 months ago

    @the_dudefather The hilarious thing is that's a pretty good idea(for people with Kinect). It'd be like a Kinect version of those robot checkers that ask if the picture is a cat, a tree or a bus.
  • Toothball #47 4 months ago

    @Widge

    Hacking takes a great number of forms, one of which might be taking advantage of exploits. Social engineering is another popular one, where you simply persuade people to reveal details. There's a lot more to it than just intrusions into supposedly secure systems.
  • SG #48 4 months ago

    He called Xbox Support, who offered to freeze his account but couldn't refund him.

    CUNTS!
  • TheEarlOfZinger #49 4 months ago

    Just as bad as Sony.
  • artibeus #50 4 months ago

    @sfp_noodle A brute force attempt at logins isn't hacking. Yeah, so Microsoft could up their security a little, but customers also shouldn't be so stupid as to use the same email on every site they sign up to. Especially when it comes to storing credit card details.
  • schnide #51 4 months ago

    This isn't something I'd normally say:

    Well written article, Rob.
  • RustyBullet #52 4 months ago

    So basically some bstard is just hacking Live usernames and passwords, not actually hacking Microsoft. There is a difference.
  • cjb_bjc #53 4 months ago

    Yeah, I wouldn't call this a hack, just poor security.
  • Dizzy #54 4 months ago

    >brute force

    Lol... almost impossible TBH. It would take ages. Looks like users need to pick a more or less secure password then.

    This has nothing to do with being hacked. You can brute force any system on the planet, but not if the passwords of the user are not total bollocks.

    > It's really not that difficult to set up an automated password checker / login attempt script. Leave it running for a few days and Robert's your father's brother.

    Make that a few years with normal passwords.
    Edited by Dizzy at 13/01/12 @ 15:02
  • dirtysteve #55 4 months ago

    I remember when a points purchase was attempted on my account.
    MS had the gall to suggest that I fell for a phishing scam, I'm not a moron, I don't respond to emails with a fucking password.

    Maybe now we'll learn the true extent of this fuckery.

    Also, it's as disappointing to see sneering PS fanboys as it was to see sneering MS fanboys during the PSN outage.
  • Timotei #56 4 months ago

    Hmmm, coincidentally I had an email from Windows Live to my Gmail earlier this week inviting me to be somebody's friend. I don't have an Xbox any more but my account is probably still live. I'd never heard of this person, a young lady in skimpy clothing of course. But it's never happened before.

    Wonder if it's somehow related?
  • danhese007 #57 4 months ago

    If I'm not wrong, most of you are saying poor security is better than getting hacked, and mind you, in the Sony fiasco a group of highly skilled hackers hacked PSN and stole information of which nothing came out. No money was stolen, no credit card information has been reported stolen and Sony has considerably strengthened their security.

    In this "not a hack", phishing-turned-exploit situation, points (money) have been stolen, PayPal accounts have been compromised, credit cards stolen. Microsoft chooses to blame the customers and accuse them of giving their passwords to strangers or using weak passwords, and most of you are arguing on behalf of Microsoft?

    WOW
  • ToAks #58 4 months ago

    7 months now and counting now...
    and m$ still denies it..

    I'd say this is crazy, people are actually being robbed and it's not getting any proper media coverage at all, everyone was scared stiff when PSN was hacked! that if their details would be on the loose and that they would be ripped off, didn't happen now did it?...
  • MattRobson #59 4 months ago

    Wouldn't the MS Points be assigned to the associated gamertag's account, not the 'hacker'? I know that doesn't really help but surely then the downloads they make are assigned to the gamertag, making them useless to the 'hacker'?

    I'm also not sure that the full credit card details are present on xbox.com, isn't it a case of *****-*****-****-XXXX [XXXX replaced with 4 digits] or some such? If it isn't... it should be.
    Edited by MattRobson at 13/01/12 @ 15:17
  • FireMonkey #60 4 months ago

    @marcusmiller - Damn! You guessed my kids password
  • EvilAspirin #61 4 months ago

    I wouldn't say that a Brute Force Attack isn't a form of hacking. It's still a form of gaining access to someone's account and it's still exploiting the system, which by definition is all a hack is. Brute Force Attacks are a form of Password Cracking and can be surprisingly quick. With a hash table of common passwords to check against a password of 8 alphanumeric characters can be done in seconds and at worst take about 2 hours. A 10 letter single case password can be done in around a day. Even quicker if the workload is being distributed among a network, which they often are. Some devices claim to be capable of checking 2.8 billion password combinations a second.

    I've seen a demonstration at University in the Forensic Computing labs and seriously it's scary how fast your details can be obtained. They even managed to obtain mobile phone contract information on anyone who walked into the room with Bluetooth on nearly instantly.

    Really it's down to the user to make sure their password is strong enough. Long passwords 12+ characters with a mixture of lower case, upper case, numbers and symbols can take a ridiculous number of years to Brute Force and that's generally your best bet for a secure account. Unfortunately we're not exactly great at remembering fairly random 12+ character strings unique for each website or purpose and that's why things like this happen quite often. It's those Hash tables of common passwords that allow access to about 40% of accounts with relative ease...
    Edited by EvilAspirin at 13/01/12 @ 15:22
  • patch #62 4 months ago

    @MattRobson Apparently once your account is hacked, a family pack is purchased, which allows you to give points to other accounts. Once this is done, the other accounts are sold on to unrelated punters.
  • d0x #63 4 months ago

    This is not a hack. It's a crack and it's been happening since the internet was invented. Microsoft can't prevent this. All they can do is require a captcha sooner. Even then programs exist that can work the captcha system.

    I see comments about MS being to blame here...that's not even close to true. Users with weak passwords are to blame. If your pw can be cracked via brute force in 8 attempts then you're a moron. Hell if it can be cracked in 50,000 attempts you're a moron. Stop using weak passwords people and stop blaming user stupidity on companies.
  • DrStrangelove #64 4 months ago

    All MS need to do have the captcha kick in after 1 or 2 failed attempts. Problem fixed.
    Microsoft can be quite good at some things, however common sense is not among those things.
  • d0x #65 4 months ago

    Why blame MS? It's not a security flaw, it's users being stupid. Brute force cracking works on any website.
  • cyber_nicco #66 4 months ago

    My account was compromised, but I believe it was done simply by calling Xbox customer service and fooling them into thinking it was me. I say this because when I called about the charges, they asked why I had called two days earlier (and just before the breach). Needless to say, they never confirmed my suspicions.

    Anyway, they gave me a refund, but now that I think about it, I think it wasn't a complete refund - must give them another call...
  • the-bilal-show #67 4 months ago

    I'm not sure how brute-force attempts work over the internet but I was curious about something:

    I pinged Google and got a 19ms response(can't ping xbox.com). If that's 19ms there and back, that's a maximum of 52 attempts per second, or 6 different accounts. If it's 19ms each way, that's 26 attempts per second or 3 different accounts.

    Can someone help fix my maths?
  • YenRug #68 4 months ago

    @MattRobson You need to read the article from the mother who had her account hacked, posted last week. These "hackers" buy some kind of 'family pack' which allows you to buy MSP on the compromised account and then transfer them to another one from your family list; the sellers are creating fake accounts and selling them on with the transferred MSP.
  • Dizzy #69 4 months ago

    >Some devices claim to be capable of checking 2.8 billion password combinations a second.

    Yes with a high speed direct connection. Try doing that over the internet son.

    Here is a useful "article" for everybody regarding passwords.

    http://xkcd.com/936/
    Edited by Dizzy at 13/01/12 @ 15:38
  • d0x #70 4 months ago

    @[maven] most tell you if the user id is invalid. Steam, banks etc all do. Also a lockout for x time is pointless. The script would hit the next id and go back to the previous after x min. The real issue here is awful passwords
  • d0x #71 4 months ago

    @cjb_bjc yea poor security in the form of weak common passwords. It's time for companies to force upper and lowercase with at least a symbol and number in at LEAST a 12 char pw
  • EvilAspirin #72 4 months ago

    @Dizzy

    Oh yes of course. I was just stating a maximum possible to show that Brute Force Attacks can be very effective. Over the Internet it would be considerably slower than that.
  • bobfish09 #73 4 months ago

    This makes sense and also matches Microsoft's stance. Brute force attacks are not hacking, so Microsoft is correct when they say it hasn't been hacked.
  • YenRug #74 4 months ago

    @the-bilal-show You're working on the basis of only one active window/connection at a time; it will be coded to be trying to access as many possible accounts simultaneously. Say it takes 1ms to actually transmit the relevant data, although it takes 19ms to get there, another 18 attempts will have been sent before the first data request hits the target server.
  • ryohazuki1983 #75 4 months ago

    What makes this method effective compared to other websites is the fact that it tells you whether or not the live ID is valid.

    I work on retail websites and we always make sure the error messages do not give any useful information to a malicious user.
  • Der_tolle_Emil #76 4 months ago

    Too long/complex passwords can be counterproductive - the harder they are to remember (even harder if you use a different password for every account) the higher the chances of people writing them down. Even when using tools to manage your passwords you pretty much create a single point of failure.

    Captchas are the best way. If they are fool proof and cannot be solved by machines then they make simple passwords like 'a' safer than a 10 letter password. The key is randomness - no machine will ever be able to deal with this.
  • GamesConnoisseur #77 4 months ago

    I do prefer to see equal treatment of all companies regarding security flaws and please investigate further and keep at it EG.

    As others say, so far there still seems to be a different order of magnitude between pure hacking to steal users' details, as per the PSN hack last year, and brute forcing into individual XBL logins via the Live website.

    Could this apply to any other logins on any other sites? I believe so, therefore more on what MS is doing about it to lessen the chance, new features etc.

    Hacking? I've seen newspaper reports claiming so, but confusing people on the degree of difference between those two examples, PSN and XBL.
  • telboy007 #79 4 months ago

    EG you are digging yourself into a hole with these articles, what happens if you have more to write? HAVE YOU GOT ENOUGH PICS OF THAT CAT!!!! :D
  • Machiavellian #80 4 months ago

    I think people forget that if any internet account where a username and password are used gets compromised, then that same username and password will be used on a host of other sites, because people do not change their password from one site to another.

    Most exploiters really do not have to brute force their way into Xbox.com or any web site. You can find places that have streams of username and passwords or people who are selling them and you can write a simple script to go out and hit a bunch of sites to see if something sticks.
  • Arsecake_Baker #81 4 months ago

    @rudedudejude
    No not always!

    This payment option cannot be removed at this time. Go to the Payment method information page to view services associated with this payment option.
  • SG #82 4 months ago

    Microsoft, this is how you deal with a situation like this:

    http://forums.steampowered.com/forums/announcement.php?f=82
  • George-Roper #83 4 months ago

    The XBL account hijacks are closely tied with EA, IMO.

    If you've ever signed up to an EA account for a game, like Mass Effect 2, Dragon Age, etc, it links through to your XBL, PSN and Wii accounts too.

    I've done a fair bit of research on this, the last week or so and one glaring thing that crops up a lot is that EA accounts are usually compromised a day before the same persons XBL account. That's what happened to me too.

    Now, they may just get access to the EA account to grab the console account name details but the EA account will also have a bunch of additional information on the person that they can use on top.
  • callum9999 #84 4 months ago

    @jaywalker3010 While of course it isn't Microsoft's fault whatsoever - they can. They can force you to format your password however they want, think how the banks do it. Must have at least one capitalised letter, must have at least 3 non-consecutive numbers etc. etc.

    The more strict they become, the more annoying it becomes to the users though - but it could easily be argued that they aren't strict enough at the moment (again, not a problem unique to Microsoft by a long shot).
  • arcam #85 4 months ago

    Microsoft has to take some of the blame. If you're offering a service that offers 'one-click' purchases, let alone a system that has suffered multiple successful fraud attempts on a regular basis, you have a duty to implement systems that will help to stop it. It really sounds like MS have done barely anything.

    There are all sorts of techniques that can be used to help stop things like this occurring. A better captcha system would help, and requiring CVS codes or implementing a system like Steam Guard could virtually stop the fraud in its tracks.

    In my opinion Microsoft are placing more importance on users being able to make quick and easy purchases than they are in assuring the security of their systems.
  • Trigg3rHippie #86 4 months ago

    CAPTCHA at 8th attempt? If you're doing typos in your password 8 times in a row you're an idiot and you deserve your account to be deleted and an arrow in the knee and all that...
  • MrLovePump #87 4 months ago

    I would suggest they did it the normal way people get into Live accounts / PayPal etc. This is to make a site offering something for free in return for signing up. You would be amazed how many people sign up with the same email / password combo as their Live or PayPal etc accounts.
  • dancingrob #88 4 months ago

    @George-Roper

    I'm increasingly not convinced by that argument, and have come round to thinking that the reason people use the EA account is that the FIFA packs trick is the easiest way to turn points into real money.

    You'd also expect to see similar issues on the PS3 if the whole problem was at the EA side.

    However, a follow up question would be whether EA accounts provide valuable info (perhaps the email address related to the gamertag?) making this kind of brute force hack easier?
  • natureboy #89 4 months ago

    I thought brute force method was dead. Back in the day when i was obsessed with getting hotmail and yahoo passwords, i would search online and would usually find something like "type this code into the browser...
  • Darren #90 4 months ago

    This is what I call real investigative journalism. Well done, EG!

    So Microsoft need to tighten up security on their Xbox.com site in some way, maybe by introducing secondary passwords or security questions? How difficult can that be? It might be an inconvenience for many but if it prevents some arse-hole hacking into your account then I'm all for it. Hell, I'm happy to have three levels of password protection if need be!
  • DwarfyP #91 4 months ago

    That was always gonna be how they got in, I mean bots manage to spam from Hotmail accounts all the time.

    The question is, how are they taking the points off the account and sending it somewhere else?
  • DwarfyP #92 4 months ago

    @sfp_noodle They haven't been hacked.

    People are brute forcing their way into accounts which they could do on just about any website they want given enough time.
  • mostly #93 4 months ago

    keepass, kids, keepass
  • IronGiant #94 4 months ago

    /lawsuit on standby
  • the-bilal-show #95 4 months ago

    @jaywalker3010

    Totally agree with the non-hacking, although I think if they emailed users after a certain number of failed attempts, that would help immensely.

    Also, they could very well enforce stronger passwords like some other websites do. I've signed up to a bunch of services that demand alphanumeric and/or have other rules.

    They shouldn't let people set their password to password or liverpool.

    I'd love it if a site compared my chosen password to a dictionary list at registration and stopped me if it was on there, seeing as they can tell you in an instant if your username is already taken...
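The registration-time checks callum9999 (#84) and the-bilal-show (#95) describe, written out as an added example (not Eurogamer's, Microsoft's or any commenter's code): minimum length, at least one capital, at least three digits that don't form a straight run like 123 (my reading of "non-consecutive", which is an assumption), a username check, and a blocklist lookup that also catches "Liverpool1!" by stripping the decoration first. The blocklist is a constructed stand-in for a real common-password list.

```python
"""Registration-time password policy (added example, not from the page).
The rules and the tiny blocklist are constructed for illustration; a real
service would load a large list of common/breached passwords."""
import re

# Constructed stand-in for a dictionary of common passwords.
COMMON_PASSWORDS = {"password", "liverpool", "123456", "qwerty", "letmein"}
MIN_LENGTH = 10     # assumed policy value
MIN_DIGITS = 3      # the "at least 3 numbers" rule from comment #84


def _base_form(password: str) -> str:
    """Lower-case and strip non-letters from both ends, so 'Liverpool1!' is
    still matched by the blocklist entry 'liverpool'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def _has_digit_run(password: str) -> bool:
    """True if three digits in a row form a straight run (123, 987, 111)."""
    for i in range(len(password) - 2):
        a, b, c = password[i:i + 3]
        if a.isdigit() and b.isdigit() and c.isdigit():
            step = int(b) - int(a)
            if step == int(c) - int(b) and abs(step) <= 1:
                return True
    return False


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if sum(ch.isdigit() for ch in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if _has_digit_run(password):
        problems.append("digits form a straight run")
    if _base_form(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Liverpool1!", "Abcdefg123", "Tr0ub4dor&3x"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The blocklist comparison runs on the normalised form, not the raw string, because the usual way people satisfy a "must contain a digit" rule is to append one to a dictionary word; checking the raw string would wave that through.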
  • the-bilal-show #96 4 months ago

    @rudedudejude

    I had to wait until my Gold sub ran out this week before the site would let me unlink the credit card.

    The card had expired already so it may not have been useful but I've been subscribed to a website for about four years that has been able to charge me monthly through the same credit card that has not only expired once already but was even cancelled at one point(bank blocked it after I tried setting up a HK PSN account!).
  • deded #97 4 months ago

    I am sadly reminded of the attitude Microsoft had during the months of RROD stories before they finally admitted there was an issue, and I'm talking here about this issue and the FIFA thefts as well...
  • the-bilal-show #98 4 months ago

    @grayn

    The correct word is pendants

    Also your comment needs more +'s :)
  • Spydy #99 4 months ago

    This is worse than Sony, as points (i.e. money) is being stolen.
  • the-bilal-show #100 4 months ago

    @YenRug

    Yep, I realised a little while after I posted it and feel like a bit of a goof now :)
  • George-Roper #101 4 months ago

    @dancingrob

    However, a follow up question would be whether EA accounts provide valuable info (perhaps the email address related to the gamertag?) making this kind of brute force hack easier?

    That's what I mean.

    If it's general knowledge that an EA account is a 'nexus' of account information (in my case it was based on PC gaming but had ties to my XBL and PSN accounts), then it's rich data picking to help these cunts get into the accounts.

    However, it's also worth noting that when they got into my EA account they changed the email address, then the password, unlike the XBL account where they didn't change a thing.

    If they were only data mining in my EA account, why draw attention to any of it?
  • WizenWolfBain #102 4 months ago

    I suppose all people can do is associate an obscure email address with their gamertag and download a program like keepass to generate a 128-bit (or very strong) random password.

    No matter how good someone's Google-fu is, it'd be practically impossible for them to find your obscure email address and then brute force such a strong password (assuming this really is the method). As long as you don't do anything stupid like sign up to forums or websites with that email.

    I've been an Xbox Live member for years, and I've heard a few stories of hacking and social manipulation. From my experience, the most effective way that people used to steal Gamertags was by using Microsoft's own phone support team to their advantage. Find out a basic amount of information about someone from their Gamertag and a little bit of Google-fu. Then have a few attempts at phoning Microsoft and try to fill in the blanks when asked the security questions. Eventually I imagine it'd be pretty easy. It's the most plausible "hack" too.

    Never done that myself, of course. But it's frightening how much you can find out about people from a few relevant searches on Google.
    Edited by WizenWolfBain at 13/01/12 @ 17:20
  • trebellk #103 4 months ago

    This is interesting. It's a big flaw that they are telling you whether it's valid or not. I hope they take note and take this thing seriously.
  • Spong #104 4 months ago

    Fascinating stuff, keep up the awareness and continue being nosey EG.

    I'm just glad I don't have any credit card details stored online anywhere, much less linked to my XBL account. People can exploit or hack my XBL account as much as they want, there's no money to be pilfered. Any MSP I've ever purchased has been done via store-bought cards & redeem codes, and stories like this merely emphasise the reason why I do it. Sure, it's a hassle only having 2100 or 4200 points to choose from (I gather that buying points via CC offers a wider choice), but I'd rather a trip to the shops and a lack of choice than never truly knowing if my financial details are completely protected online.
    Edited by Spong at 13/01/12 @ 17:39
  • trebellk #105 4 months ago

    @noodle if this is true then actually they haven't been hacked, not in the real sense. But a flaw in their password process is allowing unauthorised access.

    Still not good but why would they admit to something that's not happened?

    i hope they do acknowledge this flaw and deal with it though.
  • Bruce_One #106 4 months ago

    AHA! I KNEW IT!!)

    SEE!?!

    I. WAS. NOT. PHISHED!!!!

    BLOODY MICROSOFT. Cannot be trusted.
  • DJKrome #107 4 months ago

    @Darren lol investigative journalism? They found an article with all the information already there!
  • Bruce_One #108 4 months ago

    MICROSOFT has known this has been happening for months and have not admitted it, making honest gamers look stupid.

    At least Sony admitted their security failings and set about putting it right and compensating everyone, including those who weren't directly affected
  • Casserole #109 4 months ago

    This is far worse than the Sony Network "hack". With that, details were lost. But not many were actually used for fraud. Furthermore, and more importantly, Sony RECOGNISED AND SHUT DOWN the service whilst they plugged the gaps, revamped the service, thus protecting the consumer from any further damage. MS are doing the complete opposite. Not recognising it, despite the overwhelming evidence to the contrary, and still allowing it to continue whilst people are getting hacked and financially inconvenienced every day.
  • andybruiser #110 4 months ago

    I had my Xbox Live account hacked 2 days ago. They managed to take 1500 MS points that were already on my account and purchase a further 1000 from my registered card before I noticed.

    Since been in contact with Microsoft who have locked the account and have said that the points should be refunded once they can prove that it was done fraudulently. Have now got no Live access for up to 4 weeks. Back to Skyrim it is then.
  • LOLBox #111 4 months ago

    Post deleted at 17:38:00 15-01-2012
  • steoconnell #112 4 months ago

    Great investigation journalism from EG. You are a great......wait, wait. You were just told all this by some dude? Oh...well...normal EG journalism resumes.
  • bladdard #113 4 months ago

    For those who are still confused, Microsoft have not been hacked, Microsoft security has.

    Simples {squeak}
  • remote #114 4 months ago

    @andybruiser I wouldn't play anything until your account is unlocked again, or you'll lose any achievements you got while offline. Found this out the hard way when my account was hijacked last month. Of course it depends how much you care about achievements.

    On the plus side, when you do get your account back, you'll probably have some new Fifa achievements that the hijackers have kindly earned for you...
  • agparrot #115 4 months ago

    I think the solution lies with those users who posted previously on the Xbox.com security issues, and have done so again here - don't allow one-click purchases, or at least allow your users an option where they can choose for their accounts to not have one-click purchases.

    This would at least mean that even if somebody got into your Live account, they couldn't then use it to buy things unless they had somehow also managed to acquire your credit card details, or in the case of xbox accounts, your paypal details, which would also need an extra step of security added.

    An exploit that allows CAPTCHA to be bypassed entirely is also very silly, and suggestions to improve this failure are also bang on the money.

    The system that holds everyone's data hasn't been hacked then, but even though this is machinated attempts on single accounts, there are clearly ways to make protecting these accounts more effective.
  • remote #116 4 months ago

    Another thing - whether microsoft has been hacked or not, surely this has been happening enough that they should at least be sending out emails to warn people about improving their account security?
  • HeNiCiDe1988 #117 4 months ago

    yeah if this was to do with sony far more people would be giggling, mocking and taking the piss out of sony.

    Sounds like a serious breach but not something that isn't magic unless they do other things so maybe a serious breach or one that is just a big.
  • Doncommie #118 4 months ago

    Whilst it shouldn't acknowledge the email is valid and should ask for captcha sooner, I don't get how eight attempts before a captcha makes this a security issue. You are still brute forcing passwords which would be very hit or miss.
  • abigsmurf #119 4 months ago

    I can't see brute forcing this way being feasible.

    Yes it could be used potentially to get into a single account but hundreds/thousands? Seems incredibly unlikely to me. How many logins can a script attempt a second? I'd guess about 1000 (sending and receiving responses takes time and dbs only allow so many connections so even botnets would be minimally effective). That means a 6 digit alphanumeric password would take approx 20 days. For a single account.

    7 digit ones or mixed case passwords would take an impossibly long time. Also, most servers will notice this type of brute forcing very very fast.

    All that for an account which may not even have a CC linked to it?

    Far more likely they're getting the user/passwords from hacked sites and trying them in the Xbox live login.
    Edited by abigsmurf at 13/01/12 @ 19:27
  • scoop #120 4 months ago

    This isn't a Microsoft/Xbox Live hack, it's a password hack/attack.

    Microsoft: bad for having a flimsy system. Customers: stupid (especially an IT engineer ffs!) for not taking better care themselves.

    I've been hacked before, and I won't be again because I'm not dumb enough to leave breadcrumbs of my personal ID lying around anywhere - and not just on the interwebs.
  • Delusibeta #121 4 months ago

    The punchline is that the CAPTCHA is ridiculously easy to circumvent. Just click on the "Try another Windows ID" and you'll get another go. The problem isn't just that the number of attempts a bot has to brute force a password is not 8, it's (theoretically) infinity. Microsoft really should fix this.
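Two of the flaws raised in this thread, trebellk's point (#103) that the site tells you whether an ID exists, and Delusibeta's (#121) that "Try another Windows ID" hands the bot a fresh set of attempts, come down to the same design decision: where the login service keeps its state and what it says. The handler below is an added example (not Microsoft's or Eurogamer's code) of the defensive shape: one generic message for both "no such account" and "wrong password", the same hashing work on both paths, and a failure counter keyed on the account rather than the browser session, with a notification to the owner at the threshold as the-bilal-show suggests (#95). The user store, the threshold of 8 (the page's figure) and the `captcha_ok` flag standing in for a solved CAPTCHA are constructed assumptions.

```python
"""Login handler hardened against account enumeration and counter resets
(added example, not from the page). User store, threshold and the CAPTCHA
stand-in are constructed for illustration."""
import hashlib
import hmac

GENERIC_ERROR = "The email address or password is incorrect."
FAIL_THRESHOLD = 8      # failures before a CAPTCHA is demanded (page's figure)


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash; iteration count is a demo value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (salt, hash). One account for the demo.
_SALT = b"constructed-demo-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential used when the account does not exist, so the unknown-ID
# path does the same work as a wrong password and cannot be timed apart.
_DUMMY = (_SALT, _hash("dummy", _SALT))

# Failure counters live server-side, keyed by the normalised account id and
# never by the session, so "Try another ID" or a new cookie cannot reset them.
# Unknown ids get counters too, so CAPTCHA behaviour does not reveal existence.
failures: dict[str, int] = {}
notifications: list[str] = []   # stand-in for e-mails to the account owner


def login(email: str, password: str, captcha_ok: bool = False) -> dict:
    key = email.strip().lower()
    count = failures.get(key, 0)
    if count >= FAIL_THRESHOLD and not captcha_ok:
        # Refuse without checking the password; message stays generic.
        return {"ok": False, "captcha_required": True, "message": GENERIC_ERROR}

    salt, expected = USERS.get(key, _DUMMY)
    # Always compute the hash, then AND with existence (no early return).
    valid = hmac.compare_digest(_hash(password, salt), expected) and key in USERS
    if valid:
        failures.pop(key, None)          # reset only on a real success
        return {"ok": True, "captcha_required": False, "message": ""}

    failures[key] = count + 1
    if failures[key] == FAIL_THRESHOLD:
        notifications.append(f"{key}: {FAIL_THRESHOLD} failed sign-ins, CAPTCHA now required")
    return {"ok": False,
            "captcha_required": failures[key] >= FAIL_THRESHOLD,
            "message": GENERIC_ERROR}


if __name__ == "__main__":
    print(login("nobody@example.com", "guess"))
    print(login("alice@example.com", "guess"))
    print(login("alice@example.com", "correct horse battery"))
```

The two things worth noticing are that the unknown-account response is byte-for-byte the same as the wrong-password response, and that once an account has reached the threshold even the correct password is refused until the CAPTCHA is solved, so there is no path that restarts the count without it.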
  • Delusibeta #122 4 months ago

    @Delusibeta *is. Curse the lack of an editing function.
  • Pirotic #123 4 months ago

    This isn't how they are doing it, they've already investigated this avenue - it takes all of 5 minutes to get a few of the hacked accounts and count how many failed login attempts they have via the live account login server.

    The answer in most cases was zero.
  • MerricK #124 4 months ago

    @jaywalker3010 why are you using the ` when you should be using " (alt + 2) ?
  • photoboy #125 4 months ago

    This doesn't sound plausible to me. If MS display a CAPTCHA after 8 attempts then that will still be true if you are trying to use a dictionary attack. You will get 8 attempts and then have to complete the CAPTCHA every time as well, and this assumes MS don't disable the account when it sees spammy behaviour and I would be surprised if they don't.

    More likely the recent hacks of places like Kotaku and PSN which resulted in passwords being stolen has allowed hackers to try known email/password combinations on Xbox.com and where people were using the same password the hackers have taken control of the account.

    I have to say I don't think it's fair of Eurogamer to try and paint this as MS being hacked. Until I see more damning evidence this seems to me like a simple case of people using the same password everywhere, and that's not something MS can control or be blamed for.
  • Kaminari #126 4 months ago

    @Ranger101 Let's get this clear right now: brute force does NOT work on randomly generated upper/lower alphanumeric strings. Certainly not in 8 passes. Not even with a cluster of supercomputers or PS3s. Let alone on Average Joe's PC. Brute force only works (to some extent) against common "databases" like dictionaries, phonebooks, etc.

    Many people (including in this thread) claim to have used unique passwords with no meaningful words in it. This alone is the proof that weak passwords (which I'm sure exist) are not the only culprits in the XBL exploit.
  • R3tR069 #127 4 months ago

    Early October last year it happened to me, £42.50 points purchased. Unauthorised access filed, still waiting! Asked MS how it happened and they said most likely social engineering - I do try and use different passwords, BS!!
    Will never link my bank card to XBL again!!
  • secombe #128 4 months ago

    Oddly enough a friend on Facebook has just this evening noticed they've lost hundreds of pounds through their XBox Account. MS have suspended their account (for 'up to 25 days') whilst they investigate.

    Cases are occurring pretty frequently, by the looks of things.
  • Baihu1983 #129 4 months ago

    So people are using easy passwords and someone is using a tool to guess them...
  • Baihu1983 #130 4 months ago

    @photoboy pretty much, so many game sites have been hacked over the last year and you can bet so many use the same passwords for multiple things.
  • Labatyd #131 4 months ago

    Wow, claims of press bias and negging people for pointing out the facts. Talk about desperate fanboys.
  • Nephirion #132 4 months ago

    Xbox Live, about as secure as leaving your flies undone ....
  • PatTheMav #133 4 months ago

    The weak captcha protection and anti-brute-force methods (read: non-existing) are a major oversight on Microsoft's part, but this is neither in the same scope nor category than the security breach that Sony had to endure.

    It's comparing apples with oranges and people painting this as being "worse" than Sony's breach are way off and only display an astonishing misunderstanding of both situations.

    While hackers got access to whole databases at Sony, this here just means that you can use a script and some computers to try out the gazillion available email/password combinations that are available on the web (e.g. from the data available since the PSN hack).

    Whether this is the actual reason for the recent breaches is hard to tell, but it serves again to have people check their passwords and use different ones for different sites.
    Edited by PatTheMav at 13/01/12 @ 23:09
  • IvorB #134 4 months ago

    If brute force attacks are having this success rate then MS definitely needs to firm up their security. You can't blame users for this. There's a reason you don't hear about brute force attacks very often despite people having simple passwords. Go try and brute force Amazon accounts; see what happens.
  • Machiavellian #135 4 months ago

    The punchline is that the CAPTCHA is ridiculously easy to circumvent. Just click on the "Try another Windows ID" and you'll get another go. The problem isn't just that the number of attempts a bot has to brute force a password is not 8, it's (theoretically) infinity. Microsoft really should fix this.

    Actually you do not get another go at the same account you tried to login with without passing in the CAPTCHA. I have just tried this with an Account. If you enter the password wrong and you get the option to "Try another Windows ID", you also get the CAPTCHA. If you choose another Windows ID and type in the same one using the correct password, it will take you back into the screen asking you to put in the CAPTCHA.

    I did a few other things like copying the page which allows you to login with a different windows live ID and used that one instead of the default but that did not work.

    As far as my simple testing has shown, this would not be a good way to brute force your way into Xbox.com and you still only get 8 tries. 8 tries on the same password is really slim in getting into someone's account. Unless someone actually knows how they are getting past the CAPTCHA, so far I do not see it.
  • gandhimaster #136 4 months ago

    @danhese007 the only thing i'd say about that statement would be, that the only reason it hasn't all been released is because anonymous or whoever chose not to release it. Technically, at anytime i'd guess they could....? If this is the way these accounts have been accessed, it seems a little strange. Brute force can't gain access when there is a strong password, and i fail to believe all these different users all had shit passwords. Possible, of course. I hope MS are honest about what's happening and not trying to hide something. At least Sony fessed up. Just not quickly enough....
  • gandhimaster #137 4 months ago

    @remote if this is the reason, standard MS security policy is already the correct one. i.e. don't choose a weak password, don't use the same email address etc. etc. If it's not a brute force attack, then MS may have to change their stance on the subject.
  • DjFlex52 #138 4 months ago

    I was "hacked" in late December and didn't recognize it until January 2. Microsoft closed my account and is refunding the money & points they stole. MS opened my account after 10 days. But what I noticed was that the person who had stolen or bought my account still had his email connected to mine, so when I tried to change my password he was getting the email too. Customer support said they couldn't erase his email....unbelievable! I had to resort to making a new hotmail email account and then transfer my gamertag to the new email account. As with everyone else, the hacker used it for FIFA 12.

    My question is: There has to be some connection to EA, right?
  • DjFlex52 #139 4 months ago

    As for weak passwords....my password was 12 characters w/ numbers and used that password only in one other site. Is that a so-called weak password?
  • coolbritannia #140 4 months ago

    PSN was hacked. This isn't a hack.
  • onyxbox #141 4 months ago

    Microsoft lied about RRoD for years until they had no choice but to own up. What makes anyone think they will treat users any differently with this?

    There's more to this than brute force password guessing IMO. Like someone else suggested it could be some kind of weakness in web services between the likes of EA & MS that's getting exploited.

    If their systems have been compromised then I hope MS have the balls to shut it down (like Sony did) to avoid any further compromises while they ascertain what the problem/exploit is.
  • MaxFN #142 4 months ago

    just do not choose easy passwords and everything will be fine.
  • ChristopherJack #143 4 months ago

    People, please stop getting so argumentative over the definition of 'hack'. If you gain unauthorized access, no matter how trivial, it's hacking, get over it. Although it's generally related to computers, I'd imagine it'd be fine to hack into a car or house but it doesn't sound right unless you're talking about some computer system behind it.
    Edited by ChristopherJack at 14/01/12 @ 06:50
  • gandhimaster #144 4 months ago

    @DjFlex52 i guess that depends on what the other site's security was like? That site being compromised could cause major issues..
  • ROCK-NYC #145 4 months ago

    HACK = to break into computer security and/or computer networks. (Yes microsoft has been hacked by definition)
  • flanker22 #146 4 months ago

    @ROCK-NYC you're fucking stupid.
  • NathanBlack #147 4 months ago

    My XBox Live account was hacked. I had a strong unique password. They took me for about $200 from my attached credit card, which was reimbursed by my bank. I was locked out for about 2 weeks, and then they restored my account under a different email address. So essentially they made me a new windows live account and associated the old gamertag with it.

    They also claim that they will be reimbursing me for the amount stolen. They comped me a month worth of XBox Live service, and the gal on the line was really nice and helpful for the full restoration part of things.

    I'd be happy to talk about my experience if you contact me.
  • danhese007 #148 4 months ago

    @gandhimaster So you are saying that only reason it hasn't been released is because someone chose not to?

    Same people who released names, home addresses of police officers who were undercover, same people who released paypal infos from servers that they hacked, same people who released bank information, personal email addresses etc of several other servers they hacked? Yea they didn't choose not to

    The only reason i can think of is that the data they collected was encrypted so they couldn't release it.

    Here's the timeline for the PSN fiasco

    http://www.pcworld.com/article/226802/playstation_network_hack_timeline.html

    http://kotaku.com/5798510/the-playstation-network-hack-timeline
  • jammers101 #149 4 months ago

    Here is another simpler suggestion for how it could be done. Someone could set up an Android or Ipad app that lets people log on to talk to Live friends, see achievements etc. and just steal the passwords and logins when they log on. I have heard of a number of apps for different devices that did dodgy enough things, why not this?

    Have all the people who were hacked only ever logged in through the official methods i.e. through the Xbox or on the Microsoft site?
    Edited by jammers101 at 15/01/12 @ 06:55
  • jammers101 #150 4 months ago

    @DjFlex52 Thats actually a really good point. Did your EA account and Xbox Live share the same password?
  • CYPRIOTCleANER #151 4 months ago

  • bladdard #152 4 months ago

    Isn't it ironic, PSN was exposed by a massive security flaw and yet there aren't any reports of subsequent fraud or identity theft. Microsoft accounts are getting pillaged left right and centre but there is no apparent security breach.
  • zooie123 #153 4 months ago

    Microsoft is full of it. This has been happening for months.. I was hacked in October, took all of my points and purchased over 6000 points. They refunded the 6000 points but never refunded the 1900 points I had on that they used also.. It took them 5 weeks to resolve this. I had one tech tell me that this happens all the time.
  • gandhimaster #154 4 months ago

    @danhese007 to be fair, all media reports stated Sony's data was not encrypted. That was why there was so much panic. It's obviously strange that they didn't, compared to all the other details they did release. I hope it was, of course else my details are out there somewhere. Hopefully MS have been honest here, and there's no actual network breach.
  • Iwa5hack3d2012 #155 4 months ago

    Morning all,

    I was just hit this past Sat, 1-13-12. I knew something was shady, when I checked my Gmail and saw that 2 "Alternate Email" addresses were added to my Windows Live ID/ XBOX account. I called MS ASAP and the support rep said they could lock down my account for 25 days, which would suck hard, or try resetting my password, which I had to login to do and couldn't because someone had already changed it. (Mine also involved upper, lowercase, and a series of numbers, BTW)

    I saw that if I tried having MS e-mail the resetting info, that the "alternate Email" would also get this notification. I didn't want that to happen!

    I managed to get back into Windows Live to reset my password and thought all was well for the night of MW3 gaming until the wee hours, until I woke up the next morning, 1-13-2012 and as usual checked my G-mail to see a crap load of MS "Thank you" for your purchase alerts...Oh CRAP!!

    They sucked away all my nearly 4000 points, which were a Christmas gift from a family member, and 400, 1600, and an attempt at 6000 points. Fortunately the card on file had very little money on it, but now I have to dispute the unauthorized charges, and MS decided to lock down my account after a 2nd "Holy $hi+" call to support.

    So now I am out money, can't play on-line for a month with my daughter (Who rocks @ MW3, for a 7 YO girl..), and wonder if we'll get to save our gamertags and achievements.

    I am SERIOUSLY thinking about creating a new profile, and NOT using any credit/debit cards, because MS WON'T REMOVE THEM for me. (Since one is tied to a Gold Family Subscription, although I think that $99.99 is "pending" on that card.)

    I'll pay them when they get their $hi+ together! >_<!!
  • Iwa5hack3d2012 #156 4 months ago

    @remote "On the plus side, when you do get your account back, you'll probably have some new Fifa achievements that the hijackers have kindly earned for you..."

    Despite being rather pissed about losing money yesterday, and my Xbox Live account being hacked/locked, this was freaking HILARIOUS!!! LOL
  • BuckEntropy #157 4 months ago

    Irrespective of how one defines "hacking", individual accounts being accessed is still not strictly the same as XBOX LIVE HAS BEEN HACKED!!!

    EG is sensationalizing the story at least as much as they ever did the PSN hack.

    MS's response is still looking a lot worse than it should, it's long past the blank-face phase. Clearly people are feeling like they don't take their problems seriously.
  • GreyF0x #158 4 months ago

    My account was accessed back in October last year, I won't speculate on the cause of the breach, but will say I'm a careful user, and take my account security seriously.

    Two 4000 point bundles were bought with my card. I managed to catch the breach early, and regained control before even contacting Microsoft's support.

    In my initial contact with MS, they seemed very helpful and assured me I would receive a full refund, but that they would need to investigate the case, which could take up to 30 days. During this investigation, not only am I without online support in all my Xbox titles, but all my PC "Games for Windows Live" games are suffering too.

    As of today, (3 months to the day) the account is STILL under "investigation". I've contacted support numerous times, provided them with ample proof of identity, account history etc. Not once have they initiated contact to query anything about the incident. Each call I make ends the same:

    "We're sorry, but we are investigating the incident and will contact you as soon as we can". Initially they would give timescales, but now (even when pressed) they will not commit to anything better than "as soon as possible".

    I am deeply disappointed with Microsoft's handling of this issue, I can't help but think that refusal to comment on timescales, coupled with the every lengthening support queues, suggests this problem is far more widespread than they want to admit.
  • FuseNet #159 4 months ago

    I feel sorry for you, GreyFox. 3 months is quite unusual. It took MS effectively 2 weeks to resolve my case. (The usual stuff: I was hacked + some idiot bought Gold Packs for FIFA 12...). After 2 weeks I got my account back and even the Points the hacker spent. Furthermore I got 2 Months of XBL Gold free of charge as compensation.

    Ok, that would be too easy. I've to admit there was a catch in it: one MONTH later, MS decided to lock down my account for "Marketplace theft". O_o

    That was hilarious, since the only imaginable reason for the ban could be the "resolved" issue I reported nearly two months before.

    I wrote 2 appeals for the xbox forum. No reaction at all. (Wasn't even published.)
    Fun fact: check out the appeal forum. First of all they tell you "marketplace theft" bans are "100% certain" and there is almost no chance that the ban will be lifted. They even ask you not to even address this issue, since they might not look into it at all.

    Fun fact 2: They have a sticky with a video where the enforcers show how they work and they actually make fun of the people who dare to appeal. Because, of course, they ARE always assumed to be guilty. From a victim's perspective that's just fucked up, insulting behaviour.

    Nevertheless, after 5 days I addressed the issue to stepto@ms directly. No reaction as well. But anyhow... after about 10 days and without receiving any kind of message I was "free" again - and able to use XBLive again. Until today I honestly have no idea if stepto looked into this matter or the enforcement team finally did investigate my appeal and the facts. Even though I wasn't supposed to appeal at all.

    Though extremely annoying, this sounds like smth. like an insane variation of a "happy end".

    But wait! Of course it's NOT as simple as that. There is still EA.

    And EA has banned my EA-Account due to "FIFA 12 ULTIMATE TEAM ABUSE".

    I lack the energy to detail this story. But as far as I have experienced it EA has the worst customer support ever. Btw: EA calls its customer support "customer experience". The wording gave me some bitter laughs. Yes, it's definitely an experience! It's just one where the only person on this planet I'd like to experience it is some guy called John Riccitiello.

    Really, it's a nightmare... It took the "customer experience" six weeks, several tickets and chat sessions (chat linked to a 404 dead end for weeks!) to even FORWARD this issue to EA Canada. That's been necessary because EAC (FIFA Team) banned me and ONLY they can undo what they've done.

    Early december I was promised a response from the FIFA Team (EAC) within 3-10 working days. Even though (another good one!) it MIGHT take a little longer because it's not "the only compromised account". O'rly!?

    Guess what, as of today, I still have not received? Nice as well: there is no way to even contact these guys @ EAC.

    So... right now, I'm able to use Live again, but excluded from online modes in ANY EA game. That's just wonderful if your main reason for a Gold Account is to play Battlefield.

    (FYI: Even if you'd like to, it's not possible to connect a new EA Account to the XBL Account.)

    F*** them. All of them.

    If anyone is living near Vancouver: Do me a favor and nuke EAC's office. It would be much appreciated. Even if that would mean I'll never ever be able access my EA Account again.
  • Iwa5hack3d2012 #160 4 months ago

    UPDATE: 1-19-2012

    Since I first called MS Support on 1-13-12 about my XBL account being compromised, passwords and secret answers being changed, as well as points stolen and the card on file used to buy even more points (Wasn't me, BTW), I have my account back, along with my daughter's, although hers wasn't hit, because I am the "Primary."

    I must say, after viewing TONS of posts on-line about the XBOX accounts being hacked, and people having to wait months for their accounts to be back in their control, as well as waiting for refunds for unauthorized purchases, I'm thrilled to have mine back in 6 days...6 days, not a month! :)

    If no one yet again breaks into and steals/changes my Windows Live ID password, which was changed like 5-6 times during this "hack", I'll be as happy as that guy who saw the "Double Rainbow." LOL (If they do, I'll be pretty pi$$ed!!!)

    MS sent me a couple e-mails, during the week, with codes for MS Points to cover the ones stolen, a couple extra months of XBOX Live, as well as a refund back to my card for the unauthorized charges.

    Now I just need the peace of mind to know it won't be hacked into again, so I can redeem those codes...for now, NO WAY!

    Also, everyone I spoke with at MS was quite helpful, as long as you are nice to them (It's not the individual's fault XBL accounts are being hacked into.)

    A BIG "Thank you" to Jason, Rebecca, and the other girl I spoke with on the 13th.

    Time to go get my MW3 frag on! :)
  • lizzie #161 4 months ago

    Hi, I think my son's Xbox account was compromised on 11.12.11, and I didn't know until 13.1.12 when my cc bill hit the doormat. Microsoft, after a 2-day investigation, are saying there was no unauthorized access and my son must have made the purchases, £233.75 in total !!! He in the meantime was spending points from a redeemed card xmas gift and should still have 520 points left, but his account has been wiped clean. His download history matches what he says he has purchased, but the Microsoft bill and my credit card tell a different story. Surely his download history and what has been billed should match. Can anyone advise me?
  • JGDC74 #162 4 months ago

    @lizzie Log into Xbox Live on a PC. There it will show you what the hacker purchased. It won't show on your Xbox as the purchases weren't made on the hacker's console.
    Same thing happened to me a couple of days ago. Luckily I'd already pulled my card off there, but all my points were gone. All spent on FIFA 12 packs. Now my account is locked while they investigate. They said I should get my points back, but the culprit won't be prosecuted.
    I'm a very security conscious person and thought this could never happen to me!
  • captain-neilw #163 4 months ago

    Two simple things to stop vast quantities of cash (but not points) being stolen:

    1. Allow people to delete credit card details when they have auto-renewal off.
    2. Ask for verification when you click on 'purchase xxx' inside the Xbox, such as the three-digit security code or expiry date.

    Why don't Microsoft do this? In my opinion it's because if they did they might get fewer people buying on 'impulse', i.e. profit before security.

    Yes, I got hacked. No, I've never ever used my Xbox Live account on the internet, and my password was very secure. No, I'm not renewing until they do either of the above, which I doubt somehow.
  • captain-neilw #164 4 months ago

    @captain-neilw Btw, it's been over a week now. I've rung countless times asking Microsoft to remove the hacker's email address, which is still in my 'reset email' list and so he can re-login to my account any time he wishes, but they still cannot manage to do it.