Microsoft still denying Xbox Live has been hacked

Microsoft is trying to do some damage control this week after more reports of Xbox Live users having their accounts hacked have gone viral on the Internet. The latest case involves a woman who launched her own Tumblr site, Hacked on Xbox, to describe her experiences after her Xbox Live account was taken over.

The woman, known only as "Susan T", states on her site that earlier this week her Xbox Live account was used to purchase $214.97 worth of Microsoft Points along with a Gold Family Pack. She contacted Microsoft, who said they would block the account while the company investigated the matter. However, later in the week, the same Xbox Live account that was supposedly blocked was used once again, this time to take $124.98 from her bank account to purchase more Microsoft Points.

In an interesting twist, "Susan T" did manage to chat online with the person who had purchased her Xbox Live account. According to him, the account had been put up for sale on a Poland-based auction site. However, there is still no word as to how her user name and password were taken in the first place.

On Friday, the day that her story went viral on the Internet, "Susan T" finally got someone at Microsoft to refund her stolen money. Microsoft will also transfer her Xbox Live information over to a new Windows Live ID. However, in a statement to Eurogamer.net, a Microsoft spokesperson continued to deny there were any issues with Xbox Live itself, saying, "Microsoft can confirm that there has been no breach to the security of our Xbox Live service. In recent cases, some Xbox Live members appear to have been victims of malicious scams."

"Susan T" still doesn't believe that her Xbox Live account was taken by a phishing scam or any other kind of third-party attack, saying, "While I find it amusing that I have created an out-of-the-ordinary case for Microsoft, I am quite peeved that they are still insisting the abuse of my account was my fault."


I had my Windows Live account hacked last night from someone in China and lost my 6000+ Live points, and the culprit also purchased 4 lots of 2100 Live points, an EA Master account and multiple Gold accounts using money from my PayPal account that was linked to my Windows Live ID. I've filed a fraud investigation with Microsoft, who told me today that it can take 25 days for the investigation to be completed. I've not received a refund for any of the unauthorised payments taken from my PayPal account, nor have I had the 6000+ Live points credited back to me.

Just because you don't use a computer to set up Live doesn't mean you weren't phished. How do you know that they didn't simply phish a bunch of Gmail accounts and try each password on other services to see if they could hit something?

It isn't just 1,900. People, things aren't as clear-cut as you think. For every 1 person who is reporting their account getting stolen, there could easily be 2 more who aren't. We have to take into account all those users who don't log in often enough to figure out it has happened, and others who don't post online about what is happening in their life. So stop trying to downplay this. This is something MS needs to get a grip on, because it is happening to THEIR customers on THEIR ecosystem.

shakey said,
It isn't just 1,900. People, things aren't as clear-cut as you think. For every 1 person who is reporting their account getting stolen, there could easily be 2 more who aren't. We have to take into account all those users who don't log in often enough to figure out it has happened, and others who don't post online about what is happening in their life. So stop trying to downplay this. This is something MS needs to get a grip on, because it is happening to THEIR customers on THEIR ecosystem.

iTunes store account hacked:
https://discussions.apple.com/...5383?start=345&tstart=0
https://discussions.apple.com/...383?start=1020&tstart=0

I've been to so many friends' PCs where the security questions are so stupid. Like their profile says they are from Toronto, Ontario, and the security question is where you were born. Type in Toronto and boom, full access to Hotmail and Xbox Live.

Plus, as mentioned above, if Xbox Live was hacked they would have access to millions of accounts, not 1,900, lol.

I always figured it was some phishing scam till it happened to me and a real good friend of mine. First of all, my friend does not even own a computer and has been on Xbox Live since the 360 first came out, and there's just no way it could have been any kind of phishing or trojan in his case.
For me, I am so paranoid I use a different email and different password for everything I use online, and besides signing up for that account several years ago I've never signed into it except on my Xbox. Somehow, though, someone managed to get my account and use it for buying FIFA 2012 packs. I don't have credit cards tied to my account; I just happened for the first time to have 2000 points that sat on my account for a month, and then boom, they were all gone.

For the last time, Microsoft fanboys: it's not a phishing scam going on. I have a Games for Windows account that I only created to download the free Age of Empires, and I was hacked. I hadn't even touched my account in over a year when I was hacked.

You people are worse than Apple fanboys with your excuses.

matt4pack said,
For the last time, Microsoft fanboys: it's not a phishing scam going on. I have a Games for Windows account that I only created to download the free Age of Empires, and I was hacked. I hadn't even touched my account in over a year when I was hacked.

You people are worse than Apple fanboys with your excuses.

Firstly, people who disagree with you are not necessarily "Microsoft fanboys", I don't like Microsoft any more than I agree with your post (and the only MS products I own are Windows 7 and a mouse, I don't own or have any desire to own an Xbox).
Now, you're telling me that on a service with millions of accounts, someone who has (according to you) hacked the service, would target an account with no way to gain money from it? (since you never purchased anything I assume you didn't give it your credit card details).
Thankfully you said "For the last time", so I guess you'll take your stupidity elsewhere now.

No, I had to add my credit card to download the free game. Thank you, Microsoft, for that. I also have Windows PCs at home and run Windows desktops/servers at work, so if you think I have some built-in hatred for Microsoft then you're wrong, but my customer service from this issue has been unacceptable. Account hacked in October, many calls to support, and still nothing, and then they are still trying to blame the people who had their accounts hacked. So please don't respond if you don't know what you're talking about.

matt4pack said,
No, I had to add my credit card to download the free game. Thank you, Microsoft, for that. I also have Windows PCs at home and run Windows desktops/servers at work, so if you think I have some built-in hatred for Microsoft then you're wrong, but my customer service from this issue has been unacceptable. Account hacked in October, many calls to support, and still nothing, and then they are still trying to blame the people who had their accounts hacked. So please don't respond if you don't know what you're talking about.
Based on the comment below yours (Houtei's), you don't need your credit card tied to your account. As I've said, I don't have an Xbox, but even if you did have to add your credit card details, it's still your fault for adding it to get a free game and for not removing it when you don't use your account.

As for your "please don't <insert action> if you don't know what you're talking about", here's a few for you:
Please don't state that your account was hacked if you don't know that your account was hacked.
Please don't state that it's not a phishing scam when you don't know that it isn't.
Please don't use the English language if you can't use it correctly.

Fact of the matter is, if your account got hacked there are two possibilities: the whole service was breached, in which case all accounts would be hacked, not just a couple of thousand; or your account was breached through an external source (be it an account with the same login details, or someone who knows your login details), in which case it's your own fault and you need to change your passwords, STFU, and be more careful next time.

Edited by Wolfbane, Jan 7 2012, 9:49pm

So it's my fault that Microsoft required a credit card to be tied to your account to download a free game and then also my fault when I didn't go back and remove the card after I had downloaded the game. So that's your excuse to just blame the consumer for using the service the way Microsoft designed it. I guess it's also my fault that after 2 months I haven't been refunded yet.

What do you even mean by stating we don't know if my account was hacked? Of course it was hacked. I never said Xbox Live was hacked but my account was and that it wasn't phishing as many of the people above and Microsoft were trying to imply. I guess you couldn't defend this so you had to become a grammar troll.

I'm not sure what is happening but it seems you agree with me from your last post that it's not phishing so I don't know why you got all hurt in the first place. I know if this was Sony you wouldn't be getting the same responses on here and the press would be all over it.

Edited by matt4pack, Jan 8 2012, 2:27am

matt4pack said,
So it's my fault that Microsoft required a credit card to be tied to your account to download a free game and then also my fault when I didn't go back and remove the card after I had downloaded the game. So that's your excuse to just blame the consumer for using the service the way Microsoft designed it. I guess it's also my fault that after 2 months I haven't been refunded yet.

What do you even mean by stating we don't know if my account was hacked? Of course it was hacked. I never said Xbox Live was hacked but my account was and that it wasn't phishing as many of the people above and Microsoft were trying to imply. I guess you couldn't defend this so you had to become a grammar troll.

I'm not sure what is happening but it seems you agree with me from your last post that it's not phishing so I don't know why you got all hurt in the first place. I know if this was Sony you wouldn't be getting the same responses on here and the press would be all over it.

Your Xbox Live account can't be hacked unless you have a stupid password (because it would take far too long to brute-force any decent password) or Xbox Live itself is hacked.
It's obvious that Xbox Live hasn't been hacked or there would be far more than a few thousand hacked accounts (seriously, a few thousand out of over 30 million? That's easily low enough to be down to stupidity of the owners of "hacked" accounts), so the only way for your account to be compromised is by a phishing scam, a terrible password, or another service you use having been hacked (if you used the same login details on that service). Either way, it's your own fault.
So by saying your account was hacked and that it was Microsoft's fault, you ARE saying Xbox Live was hacked, which it was clearly not.

As for being a grammar troll, I'm not, I simply replied with some similarly stupid statements to the one you used before. If I wanted to be a grammar troll I could have based this reply on the fact that the first sentence of your post was a statement when it should have been a question - completely changing the meaning.

And as for treating Microsoft differently to Sony, yes, I suppose we do treat this article about a stupid woman getting her Xbox Live account phished differently to Sony having their entire servers compromised. If you cannot see the difference in the circumstances, you should not be posting here at all.

Edited by Wolfbane, Jan 8 2012, 3:52am
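An added example, not from the article or from any commenter, of how the distinction Wolfbane draws above (a breach of the service itself versus credentials reused from another compromised site, the same possibility raised in earlier comments) shows up in a provider's own authentication logs. The log format, the sample lines, the thresholds and the function names are all constructed assumptions for illustration; none of it is Xbox Live telemetry or Microsoft's actual detection logic:

```python
"""Tell credential stuffing apart from a service breach using auth logs.

Added example with a hypothetical log format and constructed data; it is
not the article's, a commenter's, or Microsoft's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one login attempt per line:
# "timestamp account source_ip country outcome"
SAMPLE_LOG = """\
2011-12-10T18:00:00 alice 192.0.2.9 US success
2011-12-20T19:30:00 alice 192.0.2.9 US success
2011-12-22T08:00:00 gina 198.51.100.4 US success
2012-01-05T21:02:11 alice 203.0.113.7 PL success
2012-01-05T21:02:15 bob 203.0.113.7 PL success
2012-01-05T21:02:19 carol 203.0.113.7 PL failure
2012-01-05T21:02:20 carol 203.0.113.7 PL success
2012-01-05T21:02:24 dave 203.0.113.7 PL success
2012-01-05T21:02:31 erin 203.0.113.7 PL success
2012-01-05T21:02:40 frank 203.0.113.7 PL success
2012-01-05T22:15:00 gina 198.51.100.4 US success
2012-01-05T22:16:00 gina 198.51.100.4 US failure
"""


def parse_log(text):
    """Parse the hypothetical log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "country": country, "ok": outcome == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: accounts} for sources that successfully log into at least
    min_accounts distinct accounts within `window`.

    Replaying leaked username/password pairs makes one source succeed against
    many unrelated accounts with few failures.  A brute-force campaign looks
    like the opposite (many failures per account), and a compromise of the
    service's own database leaves no client login trail at all.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[ip] = best
    return flagged


def success_ratio(events, ip):
    """Fraction of attempts from `ip` that succeeded (near 1.0 = known passwords)."""
    attempts = [e for e in events if e["ip"] == ip]
    return sum(e["ok"] for e in attempts) / len(attempts) if attempts else 0.0


def new_country_logins(events):
    """Successful logins from a country never seen in that account's earlier
    successes; accounts with no prior history cannot be judged and are skipped."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if not e["ok"]:
            continue
        if seen[e["account"]] and e["country"] not in seen[e["account"]]:
            flagged.append((e["account"], e["country"], e["ip"]))
        seen[e["account"]].add(e["country"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in stuffing_sources(evs).items():
        print(f"{ip}: {len(accounts)} accounts in one window, "
              f"success ratio {success_ratio(evs, ip):.2f}")
    for account, country, ip in new_country_logins(evs):
        print(f"{account}: first ever login from {country} via {ip}")
```

Run stand-alone, it flags 203.0.113.7 (six accounts in under a minute, six of seven attempts succeeding) and alice's first login from PL. The success ratio is the tell: leaked credentials work on the first try, guessed ones do not, and a server-side breach produces no such client logins to find. A real deployment would key on more than raw source IP (attackers spread stuffing across proxies) and would use the account's own history rather than a single-country check, but the shape of the signal is the same.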

I wish they'd just expire everyone's passwords and force a change, like you do in domain environments when a breach happens.

NOPE, lol... as soon as I read this I was like "oh... I thought something like this only happens to PSN" xD
Anyways, clearly it is not Microsoft's fault, as everyone above and around should have also realized... well, stupidity sometimes gets the best of us, huh. Nice of Microsoft to refund it.
--EA on the other hand.... they have the WORST customer service on earth. Told me I'd get a refund, two weeks later they again confirm I was getting one... 2 years later, where's my 60 dollars, EA? Oh right... you pocketed it.

A few weeks ago, someone at work was complaining about his Xbox account being hacked, his MS point balance was drained, and it has to be microsoft's fault because of their lax security. A few days later he was telling me about how he was getting Netflix for cheap, because he and a few of his friends were sharing one account. He could not understand why using the same user/pass for his Xbox, Netflix, Amazon, Facebook, etc. accounts was bad.

Nothing wrong with Xbox Live, but there is something wrong with this woman's head, because she wouldn't work out why she was scammed twice while others like me have never been scammed. I have had a Live account linked to my GFWL, Xbox and Hotmail services for around 5 years and have never seen anyone except me try to get in.

If XBox Live itself was hacked, then Live.com and Hotmail.com and MSDN and Microsoft's Passport/LiveID systems would have been hacked.

Considering the security that the LiveID system has, even a Microsoft employee would need a supercomputer and about 2 billion years to crack into a LiveID.

People are doing something that they do not realize is compromising their security. One good hack we recently saw was users that use Hotmail on Android, and the Android malware was sending their login information to an unknown server.

Either that or people have kids that are exchanging this information with 'friends' or they are giving out their passwords, using insecure passwords, etc.

It is nice of Microsoft to refund the money, as they should, but Microsoft can't fix stupid.

thenetavenger said,

Considering the security that the LiveID system has, even a Microsoft employee would need a supercomputer and about 2 billion years to crack into a LiveID.

You are so sure because you wrote the LiveID security system? Judging from the level of security of Windows Server/IIS/Windows OS/SQL/IE/MSE... I wouldn't be so sure about Microsoft's LiveID security.

alexalex said,

You are so sure because you wrote the LiveID security system? Judging from the level of security of Windows Server/IIS/Windows OS/SQL/IE/MSE... I wouldn't be so sure about Microsoft's LiveID security.

Do you have facts to back up that statement, or are you just hating?

"Susan T" finally got someone at Microsoft to refund her stolen money.

Finally being the operative word. I fought with them for 60 days to get refunded; despite them agreeing to refund, they never paid a penny. I'm on the verge of selling my Xbox now after MS's refusal to admit this.

No one phished f-all from my account. I run 2 antivirus programs, malware protection etc., have never given out my password, use unique passwords per account, etc. etc.

Like said elsewhere, MS won't do anything till it's so obvious it hurts.

Colicab said,

Finally being the operative word. I fought with them for 60 days to get refunded; despite them agreeing to refund, they never paid a penny. I'm on the verge of selling my Xbox now after MS's refusal to admit this.

No one phished f-all from my account. I run 2 antivirus programs, malware protection etc., have never given out my password, use unique passwords per account, etc. etc.

Like said elsewhere, MS won't do anything till it's so obvious it hurts.

If you run two antivirus/anti-malware programs, do you realize this is a security hole in itself? Run ONE, like MSE, that you trust, and don't screw up your computer with an additional running anti-malware solution.

Side question, do you have an Android phone or iPhone that you use your hotmail/live.com/LiveID on?

I am still waiting for a refund from Microsoft too after I got hacked back in November. Like you, I never gave my password out, never fell for a phishing attack, and have up-to-date anti-virus software running. My Live email address is private, never posted on forums, etc., and yet my Xbox Live account was compromised without even changing my bloody password!

thenetavenger said,

If you run two antivirus/anti-malware programs, do you realize this is a security hole in itself? Run ONE, like MSE, that you trust, and don't screw up your computer with an additional running anti-malware solution.

Side question, do you have an Android phone or iPhone that you use your hotmail/live.com/LiveID on?


+1 I just don't understand people that run multiple solutions like that...

There are people who got their accounts hacked who don't even use a computer, who set up their Xbox Live account strictly through the console. So explain that? I got hacked as well. I work in information security and I have one of those retardedly long and difficult passwords to break. I still feel this is all on Microsoft, just like it was on Sony. The only company that I have seen that owned up to the hackings was Trion, the company that does Rift. They owned up to it as soon as it happened so they could make sure their users were not badly affected. I wish Microsoft had the balls to do the same.

Gotenks98 said,
There are people who got their accounts hacked who don't even use a computer, who set up their Xbox Live account strictly through the console. So explain that? I got hacked as well. I work in information security and I have one of those retardedly long and difficult passwords to break. I still feel this is all on Microsoft, just like it was on Sony. The only company that I have seen that owned up to the hackings was Trion, the company that does Rift. They owned up to it as soon as it happened so they could make sure their users were not badly affected. I wish Microsoft had the balls to do the same.

The problem is, there may be some breach in the Xbox Live purchase system, but actually obtaining your 'account' would take the NSA several days, and an average person with a supercomputer a couple of billion years.

This is why it is a bit odd that your 'account' was hacked.

Microsoft is NOT Sony, in fact it was Microsoft that Sony called when they couldn't stop the attacks to get their security expertise.

Sony had a custom outdated Linux VM running on an insecure Novell platform using their own horribly insecure database system.

There is a possibility there is a 'point' of access in the Xbox Live system, but your Xbox ID is a LiveID, and it getting hacked is rather insanely hard.

thenetavenger said,
... in fact it was Microsoft that Sony called when they couldn't stop the attacks to get their security expertise.....
Is it true o.0? Any source?

It's funny how idiots are so quick to blame MS when their Live ID gets hijacked instead of blaming themselves for having a ****ty password, or being an idiot.

She probably has a keylogger on her pc, or has signed in to some dodgy web / mobile messaging app that stole her windows live account details.

I know people who will happily enter their Windows Live details into anything, despite having a credit card associated with it for Xbox Live.

InsaneNutter said,
She probably has a keylogger on her pc, or has signed in to some dodgy web / mobile messaging app that stole her windows live account details.

I know people who will happily enter their Windows Live details into anything, despite having a credit card associated with it for Xbox Live.

Hmmm, I don't think it is likely a keylogger, as in this case it just targets Xbox Live users. If it were a keylogger outbreak, other services like PayPal should be hacked as well.

So out of 25 million members, how many are affected? Are we talking a couple of million or 10+ million accounts hacked?

Edited by Neo003, Jan 7 2012, 6:45pm

Neo003 said,
So out of 25 million members, how many are affected? Are we talking a couple of million or 10+ million accounts hacked?

Nope, a little over 1,900 apparently. Sounds to me like a successful scam they all fell for, or malware-infested PCs that log their passwords.

MS have people actively monitoring the system round the clock. If a hacker got through, he could probably hack the Pentagon and get away with it.

There is an interview with Stephen Toulouse on Giantbomb.com about the matter if you're interested. The funny thing is the hackers in question often call MS Support and claim the account is theirs to slow things down.