Xbox Live accounts being compromised, money taken

If you have an Xbox Live account, you may want to check your credit card statements, Xbox account and recently purchased items from the Xbox Live Marketplace as numerous reports of accounts being compromised have hit the web.

The basic pattern of the hack, or possible phishing attack, is this: a user's account is compromised; any Microsoft points on it are spent, or, if it has none, points are purchased with the linked credit card and then used to buy downloadable content. The amounts range from a few dollars to over a hundred in some cases.

The issue has been circulating on the web for a while, but it recently hit the Neowin forums and is also being widely reported over at neoGAF. Neowin forum member Scraggles states the following:

I woke up this morning to check my bank account (payday) and realized my total balance was smaller than my expected paycheck. I clicked to look further into the account and found that I was billed almost $80 from Microsoft. I immediately got on the phone with them. While on hold I checked my email to find 4 emails from them. 3 regarding points purchases, and a 4th titled 'Account Switch Confirmation'. That email stated that my region was successfully changed to Russia from the US.

Scraggles goes on to say that four of his friends were affected by the same type of attack. Further, if you contact Microsoft about the issue, it could take over 20 days to get your money back, which could put some people in a tough spot if they need to pay bills.

A user over at neoGAF reports a very similar issue. He, along with many others, believes the exploit may be linked to FIFA '11 or '12:

Looks like my Xbox Live Account was hacked this afternoon. When I went to go check my email, about an hour ago, I got something from Microsoft about 4000 MS point activation confirmation. I thought it was odd since I haven't bought points since early May. I go to xbox.com first to make sure everything is "okay." It showed I had 1 point left and the last game I "played" was Fifa '11, which I don't own. 

So I go to change my password and security question and then I log into billing.microsoft.com to see where the points went. Looks like they bought a 4000 point bundle and another 6000 point bundle.

There are many other reports of this exploit occurring. In fact, Ars Technica reported on the issue about a month ago and believes the common factor is Fifa '11 and '12. However, there are also reports of users who have never played either game being compromised.

Of course, when something this big occurs, most would assume a phishing scam is under way, but considering the large number of users affected, and that many of them are generally Internet-savvy, it would have to be a well-executed one. The users themselves say they never entered their information anywhere online that would allow someone to obtain what is needed to make the purchases seen above. Microsoft provided the following comment on the Ars Technica story:

“We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account.”

A user was able to watch the exploit happen to his account two days ago while on the phone with Microsoft. He states:

I just got "Fifa'd" myself. 9200 MS points charged to my account - and then had the privilege of watching the prick appear on my friend's list "playing" FIFA 2012 while on the phone with MS Customer Service. 

I messaged the p**** and he quickly signed off. 

Anyway - MS Customer service tells me my options are:

- Shut down my account while they investigate the issue. The charges will still be applied to my account until it's resolved and it can take up to 1.5 months.

- Option 2 "Pay the charges", change your password and continue playing Xbox Live.

Of course, with Microsoft denying that the issue is on their end, the question of what is actually happening becomes more pressing. It is clear that users of Microsoft's Xbox Live service are still actively being robbed of either Microsoft points or real money. It doesn't help that if you do dispute the charges, Microsoft will lock your account for approximately 20 days.

There have been a lot of theories about what is happening. Affected users have typically been playing an EA game such as Fifa '11 or '12, but others have reported that Battlefield also showed up in their recently played games even though they do not own it.
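The pattern the article describes (a region switch, several rapid stored-card points purchases, then points spent on content the owner never bought) is something a service operator can detect and interrupt. The script below is an added example, not code from the article or from Microsoft: it parses a few constructed account-event lines (the log format, field names and thresholds are all assumptions made for this example) and applies a step-up rule that would force re-authentication instead of one-click checkout when a stored card is used shortly after a region change, at unusual velocity, or beyond a daily points cap.

```python
"""Flag the account-takeover pattern over constructed account-event lines.

Everything here is illustrative: the 'ts key=value ...' line format, the
field names and the thresholds are assumptions, not any real service's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data). One account shows the pattern
# from the article; the other is ordinary use.
SAMPLE_LOG = """\
2011-11-08T07:02:11Z acct=scraggles kind=region_change from=US to=RU
2011-11-08T07:05:40Z acct=scraggles kind=points_purchase points=4000 card=stored
2011-11-08T07:06:02Z acct=scraggles kind=points_purchase points=6000 card=stored
2011-11-08T07:09:30Z acct=scraggles kind=points_spent points=9200 item=dlc
2011-11-08T09:00:00Z acct=alice kind=points_purchase points=800 card=stored
2011-11-08T19:30:00Z acct=alice kind=points_spent points=800 item=dlc
"""

# Thresholds are assumptions; a real deployment would tune them to its own data.
REGION_WINDOW = timedelta(hours=24)   # stored-card purchase this soon after a region change
VELOCITY_WINDOW = timedelta(hours=1)  # ...or this many purchases within an hour
MAX_PURCHASES_PER_WINDOW = 1
MAX_POINTS_PER_DAY = 5000             # ...or more points than this in 24 hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    acct: str
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(ts, fields.pop("acct"), fields.pop("kind"), fields)


def parse_log(text: str) -> list:
    """Parse all non-empty lines and order them by time."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e.ts)


def needs_step_up(history: list, purchase: Event) -> bool:
    """Should this stored-card points purchase require re-authentication
    (password plus a second factor) rather than one-click checkout?
    `history` holds the same account's earlier events."""
    if purchase.kind != "points_purchase" or purchase.fields.get("card") != "stored":
        return False
    recent_region_change = any(
        e.kind == "region_change" and purchase.ts - e.ts <= REGION_WINDOW for e in history)
    recent_purchases = [e for e in history
                        if e.kind == "points_purchase" and purchase.ts - e.ts <= VELOCITY_WINDOW]
    points_today = int(purchase.fields["points"]) + sum(
        int(e.fields["points"]) for e in history
        if e.kind == "points_purchase" and purchase.ts - e.ts <= timedelta(days=1))
    return (recent_region_change
            or len(recent_purchases) >= MAX_PURCHASES_PER_WINDOW
            or points_today > MAX_POINTS_PER_DAY)


def findings(events: list) -> dict:
    """Replay each account's stream and list the purchases that should have
    been challenged. Returns {account: [reason, ...]}."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e.acct].append(e)
    out = {}
    for acct, evs in by_acct.items():
        reasons = []
        for i, e in enumerate(evs):
            if needs_step_up(evs[:i], e):
                reasons.append(f"{e.ts.isoformat()} stored-card purchase of "
                               f"{e.fields['points']} points should require step-up")
        out[acct] = reasons
    return out


if __name__ == "__main__":
    for acct, reasons in findings(parse_log(SAMPLE_LOG)).items():
        print(acct, reasons or "ok")
```

Replaying the sample, both of the first account's purchases are challenged because they follow a region change within the window; the second account's single small purchase passes. The same rule run at checkout time, rather than after the fact, is what turns this from a detection into a mitigation: the attacker holding a password but not the second factor cannot complete the purchase.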


Guys, it's all about PASSWORDS... don't use "password" as a password... change your damn passwords now and then and you wouldn't have this problem... I've been using XBL for years without any problems like this because I have a 25 char password

trini18 said,
Guys, it's all about PASSWORDS... don't use "password" as a password... change your damn passwords now and then and you wouldn't have this problem... I've been using XBL for years without any problems like this because I have a 25 char password

This is what I thought before my WoW account got hacked.

It frustrates me to read some of the replies here because I used to think that way too.

My WoW password was 8 chars long: 4 totally random letters and 4 totally random numbers. It was a unique password used for my WoW account only. The email account password was unique too and made of 4 totally random numbers and 4 totally random letters. I have a good memory and can remember multiple random passwords without any problem.

The password had never been entered outside of the WoW application. Never been shared with anybody. My computer is running BitDefender and I never visit warez and illegal web sites. Not using wifi, just wires.

I played WoW for around 4 years without being hacked and I laughed at the n00bs being hacked. Then when my account got hacked I was WTF.

I automatically logged in to my email account to see if the account was compromised. Nope, the log was showing no access outside of my IP. Then I ran a full BitDefender scan. No virus. I checked all running processes and all processes were legit. I checked my router log and no suspicious activity happened the day before I got hacked.

So before blaming the users you should wait and see.

From what I can read it looks like a lot of tech-savvy guys got hacked. It can't be all phishing. It may be a problem with Xbox Live security itself.

LaP said,

This is what I thought before my WoW account got hacked.

It frustrates me to read some of the replies here because I used to think that way too.

My WoW password was 8 chars long: 4 totally random letters and 4 totally random numbers. It was a unique password used for my WoW account only. The email account password was unique too and made of 4 totally random numbers and 4 totally random letters. I have a good memory and can remember multiple random passwords without any problem.

The password had never been entered outside of the WoW application. Never been shared with anybody. My computer is running BitDefender and I never visit warez and illegal web sites. Not using wifi, just wires.

I played WoW for around 4 years without being hacked and I laughed at the n00bs being hacked. Then when my account got hacked I was WTF.

I automatically logged in to my email account to see if the account was compromised. Nope, the log was showing no access outside of my IP. Then I ran a full BitDefender scan. No virus. I checked all running processes and all processes were legit. I checked my router log and no suspicious activity happened the day before I got hacked.

So before blaming the users you should wait and see.

From what I can read it looks like a lot of tech-savvy guys got hacked. It can't be all phishing. It may be a problem with Xbox Live security itself.

It's about time your account got hacked... you used 8 chars, 4 letters and 4 numbers, no special chars, just letters and numbers, which is no good nowadays for a password

trini18 said,

It's about time your account got hacked... you used 8 chars, 4 letters and 4 numbers, no special chars, just letters and numbers, which is no good nowadays for a password

Oh boy Neowin at its best.

If you like to type 25 digits every time you want to log in, fine. I don't.

An 8-digit password made of random letters and numbers with some caps is perfectly secure as long as the system itself is secure.

LaP said,

An 8-digit password made of random letters and numbers with some caps is perfectly secure as long as the system itself is secure.

I don't need to type my password all the time

Did you not say your account got hacked???? So obviously 8 digits is not secure....

oh boy Neowin at its best...

To all people who say this is phishing: this is also what Blizzard says every time an account is compromised.

Yet many battle.net accounts are hacked outside of phishing and key logging.

I personally applaud Sony for being honest and not blaming the users.

No offense meant to anyone. But that's why they make prepaid cards. I go to a store, buy one of those and redeem the code. It's gotten to the point you can buy them anywhere; I saw some at a grocery store. So it's really as simple as picking one up on your way home from shopping. The benefit is that without a card tied to your account there is nothing they can spend. As for points, buy what you need and use it; try keeping a 0 point balance, it would make you less likely to be attacked.

Happened to me last month. I had 5500 points bought on my card and was billed £46 for it. I got an email 2 days ago from MS saying they'd investigated and a refund was due. However it may take up to 10 days to appear in my account.

I also have Fifa 12 as recently played and 3 team achievements, even though I've never played Fifa 12 or know anyone with it.

Likewise I run spyware/adware/virus scans once a month and have never entered my Live account details anywhere except via GFWL games and of course on Xbox Live.

I'm not sure this was exploited directly through xbox live!, just live!

This happened to me as well (I also posted on the other thread that's been mentioned a couple of times). But for me, I also noticed an additional email contact had been added to the generic Windows Live! service, along with the symptoms everyone else reports (points getting spent, FIFA12 related, etc -- I'm one of the ones that DO NOT own any FIFA games).

I've seen someone mention at another site that also claimed they were compromised themselves that they thought it might be related to the Gawker incident some time ago. Honestly, I think I might have to agree -- I've changed most passwords like a good little netizen, but, I totally forgot about my rarely directly-logged-in-to Windows Live! account.

It seems people tend to forget that any Microsoft Live! service is a shared login / linked like that, so I've wondered when reading all of these reports how many people even check to see if someone else has added themselves to their accounts -- it certainly wouldn't/doesn't show that information on your xbox!

I enjoy seeing the fanboy dispute between Xbox and PS3... lol. And regardless of what happened on either system, the fact of the matter is they've both been compromised, so the real difference is Xbox 2, PSN 1... both of which are 1 too many times.

I'm thinking what XBox Live needs is some kind of remote face unlock mechanism instead of using age-old text passwords. That'd be pretty foolproof!

KingCrimson said,
I'm thinking what XBox Live needs is some kind of remote face unlock mechanism instead of using age-old text passwords. That'd be pretty foolproof!

Maybe it just needs an authenticator like battle.net.

KingCrimson said,
So is it phishing or a brute-force attack on the Xbox Live servers? Reading the article it's completely unclear what's going on.

It seems that some EA account servers got compromised and through them the xbox live accounts.

Apparently (I can't confirm this since I don't own a 360) for certain EA games you login to your EA account and link it with your live account.

At this scale I highly doubt it's phishing. Most Xbox Live users are tech-savvy enough to not enter their account info outside of Xbox Live.

Well, that was inevitable.

Sounds like EA's fault if it really is a problem in FIFA and/or Battlefield as suggested; however, also possibly indicative of underlying issues.

Fun part is I have been on Xbox Live since the beginning with the same password, and no one has compromised my account; then again, it's 15 characters using a wide mix of the 96 character set.

thejohnnyq said,
Fun part is I have been on Xbox Live since the beginning with the same password, and no one has compromised my account; then again, it's 15 characters using a wide mix of the 96 character set.

I wonder if some accounts got compromised because people used easy to figure passwords like "1234".

I don't see why people would even bother with this

So they hijack someone's account, spend money on that account, then maybe lock the person out? Buy a few items/games, then after a few days the account is locked out

Points/items aren't transferable, are they? Just don't see the point in doing this...

Wow, Xbox Live accounts getting hacked, and they still say, we are hacked less bad than PSN... Well, show us where PSN users were charged and how their credit card info was leaked... oh ya, it wasn't. Only the servers were hacked that stored information that the phonebook and Facebook has.
So, PSN Hack = they got your name and home address.
Xbox Live = suspended accounts, money charged using credit card, and possibly they could have also got your name and home address....
So ya, downplay this all you guys want. This type of hacking is far worse than what happened to PSN, but keep spreading the false information around that was debunked months ago...

shakey said,
Wow, Xbox Live accounts getting hacked, and they still say, we are hacked less bad than PSN... Well, show us where PSN users were charged and how their credit card info was leaked... oh ya, it wasn't. Only the servers were hacked that stored information that the phonebook and Facebook has.
So, PSN Hack = they got your name and home address.
Xbox Live = suspended accounts, money charged using credit card, and possibly they could have also got your name and home address....
So ya, downplay this all you guys want. This type of hacking is far worse than what happened to PSN, but keep spreading the false information around that was debunked months ago...

so you have zero proof, but lots of RAGE and bitter accusations dripping from your post... and you aren't butthurt you say?

shakey said,
Wow, Xbox Live accounts getting compromised, and they still say, we are hacked less bad than psn... .

Fixed that for u

It's a bit different when one is at a server level and one is at a user level...

I don't even have an Xbox and it happened to me. I think Live for Windows got hacked too and I haven't logged on to it in a long time. Microsoft needs to admit they got hacked.

matt4pack said,
I don't even have an Xbox and it happened to me. I think Live for Windows got hacked too and I haven't logged on to it in a long time. Microsoft needs to admit they got hacked.

Uh no, it's not clear XBox Live was hacked, but the account info was stolen somehow.

Deihmos said,
How does anyone still fall for phishing stunts in 2011?

Older people and those that aren't tech-savvy will always be vulnerable, and especially people with dementia, etc.
Also this article states it's got nothing to do with phishing.

Deihmos said,
Does not say it wasn't a phishing attack. I am sure it was.

I assure you it's not a phishing attack. I only have the Games for Windows Live account which I haven't touched in a year and I had points purchased on 10/31.

Another common problem is people signing up on websites with the same password as their Windows Live account. They didn't magically get your email address and password.

Deihmos said,
Another common problem is people signing up on websites with the same password as their Windows Live account. They didn't magically get your email address and password.

Ah so you sign up on some gaming website with the same password as your live account, and unscrupulous admin decides to sell account passwords in the hope that some of them are Live accounts! Well, that's certainly not Microsoft's fault - they can't protect against sheer stupidity.

matt4pack said,

I assure you it's not a phishing attack. I only have the Games for Windows Live account which I haven't touched in a year and I had points purchased on 10/31.

Are you saying they hacked into MSFT account database?

matt4pack said,

I assure you it's not a phishing attack. I only have the Games for Windows Live account which I haven't touched in a year and I had points purchased on 10/31.

Sorry, a Games for Windows Live, an Xbox Live and a Hotmail account are pretty much the same thing; they're all linked to the same account.

matt4pack said,

I assure you it's not a phishing attack. I only have the Games for Windows Live account which I haven't touched in a year and I had points purchased on 10/31.

It also isn't an XBox or Live or Online problem, as people that have NEVER used these services or used cards online have had these charges appear on their credit cards.

Which makes this story a bit misleading, as it is pure Credit Card theft/fraud, and has nothing to do with Microsoft.

It also isn't an 'online' credit card security issue, as people that have cards they haven't used have had charges appear from not only Live/XBox but other online services like Amazon, etc.

The reason Microsoft 'points' are valuable in this type of fraud is that they are a way to access money internationally, without touching normal banking systems.


There are SO many tricks to getting the information for an active credit card, and it isn't an online problem either. All a person has to do is obtain a merchant account, and then use very old tricks to validate credit card numbers and use them, as they can obtain the billing information, etc. as a merchant. At least the safeguard information like the security code, zip, etc.

Why I have an alert set up on my bank account. Anything more than a certain amount that gets removed from my account, I get a text message.

SPEhosting said,
oh, whats this xbox people? you got hacked? and money stolen! yea...the ps3 hack doesnt seem like such a bad thing now does it....

Nah, this is like someone taking something out of your mailbox. The PS3 hack was like someone breaking into your house and taking everything you own and you can't move back in for 3 months.

SPEhosting said,
oh, whats this xbox people? you got hacked? and money stolen! yea...the ps3 hack doesnt seem like such a bad thing now does it....

/facepalm

SPEhosting said,
oh, whats this xbox people? you got hacked? and money stolen! yea...the ps3 hack doesnt seem like such a bad thing now does it....

..
It's not funny on either side

SPEhosting said,
oh, whats this xbox people? you got hacked? and money stolen! yea...the ps3 hack doesnt seem like such a bad thing now does it....

Wow, I bet your parents must be proud. They raised not only a troll... but an ill informed nonsense-spouting flame-baiting troll.

Nothing has been hacked. This is not a hacking attack and I wish people would stop calling phishing/brute force password attacks/etc hacking. They're not.

but at least we still had all our money at the end of it

Enron said,

Nah, this is like someone taking something out of your mailbox. The PS3 hack was like someone breaking into your house and taking everything you own and you can't move back in for 3 months.

Zappa859 said,

Hate name-calling. But wow you are dumb.

C*nt features... lighten up, I'm joking around... ffs loser, it's obvious I'm messing around... I guess you lost some money so now you are actually going to cry about it?

Zappa859 said,

Hate name-calling. But wow you are dumb.

C*nt features... lighten up, I'm joking around... ffs loser, it's obvious I'm messing around... I guess you lost some money so now you are actually going to cry about it?

SPEhosting said,

C*nt features... lighten up, I'm joking around... ffs loser, it's obvious I'm messing around... I guess you lost some money so now you are actually going to cry about it?

Yer funny, so funny.

SPEhosting said,

yup you got robbed.... haha i hope they took lots and you never get it back :3 just for being a miserable sod


No, I've never been "hacked, phished," or robbed by Microsoft. I'm actually pretty happy, not miserable. I still think you are hilarious, though.

Kyle said,
To all the 360 fans who said that PSN is horrible and insecure during the PSN hack, karma is fun, isn't it?

Slight difference don't you think? In this case it seems the accounts are being compromised outside of Microsoft. And with the PSN case, credit card details were leaked.

What I don't understand though (and I don't have xbox live gold) is that doesn't Microsoft ask you for your 3 digit code when you try to use a linked credit card? If so, how are these hackers able to use the card to buy subscriptions or points?

Kyle said,
To all the 360 fans who said that PSN is horrible and insecure during the PSN hack, karma is fun, isn't it?

PSN is horrible and has/had a lot of issues. Not the same thing dude. Instead of posting nonsense, at least try and post something on topic.

/- Razorfold said,

What I don't understand though (and I don't have xbox live gold) is that doesn't Microsoft ask you for your 3 digit code when you try to use a linked credit card? If so, how are these hackers able to use the card to buy subscriptions or points?

On MS's Xbox site, if you save your CC info, all you have to do is click on add more points, accept, and then it gets charged. No need to enter your CC info or 3 digit code. I suspect some have their info saved.

/- Razorfold said,

Slight difference don't you think? In this case it seems the accounts are being compromised outside of Microsoft. And with the PSN case, credit card details were leaked.

What I don't understand though (and I don't have xbox live gold) is that doesn't Microsoft ask you for your 3 digit code when you try to use a linked credit card? If so, how are these hackers able to use the card to buy subscriptions or points?


If I recall correctly hardly anyone had "their" CC leaked, it was only account info.

techbeck said,

PSN is horrible and has/had a lot of issues. Not the same thing dude. Instead of posting nonsense, at least try and post something on topic.


How is it not the same thing? People making charges on other people's CC is like having their account compromised.
Xbox Live = **** security
PSN = Used to have **** security

Kyle said,
To all the 360 fans who said that PSN is horrible and insecure during the PSN hack, karma is fun, isn't it?

"The basics of the hack or possible phishing attack are this: A user will have his/her account compromised"
Learn to read... This is nothing like the PSN issue... people have had their accounts getting "hacked" for a long time now... though it's normally due to phishing emails or account compensations.. Not someone getting into MS's servers and pulling data...

Zeet said,

How is it not the same thing? People making charges on other people's CC is like having their account compromised.
Xbox Live = **** security
PSN = Used to have **** security

How would it be the same thing? In one case the usernames and passwords were retrieved, potentially threatening tens of other online accounts for millions of people. In the other case, a few accounts were hijacked through unknown means.

Having a mass personal information release vs what is probably a localized data miner or password crack. I'm just not seeing the similarity.

And yes, most people are too dumb to ever change their passwords.

Zeet said,

How is it not the same thing? People making charges on other people's CC is like having their account compromised.
Xbox Live = **** security
PSN = Used to have **** security

Why I said PSN has/HAD issues. Learn to read. Anything else you said means nothing. Like I am going to listen to anyone who says something is crap without backing up what they are saying.

And MS will fix this and hopefully do right by their customers. Just will have to see what happens.

techbeck said,

On MS's Xbox site, if you save your CC info, all you have to do is click on add more points, accept, and then it gets charged. No need to enter your CC info or 3 digit code. I suspect some have their info saved.

Nobody saves the 3 digit code. MS simply doesn't ask for it. Maybe MS should start asking for it now.

brent3000 said,

people have had their accounts getting "hacked" for a long time now... though it's normally due to phishing emails or account compensations..

Don't be naive and do not drink the kool aid please.

It would appear so, but it's still not clear how they are getting access to the accounts. So, at this point, nothing is really off the table.

"Further, if you contact Microsoft about the issue, it could take over 20 days to get your money back, which could put some in a tough spot if they need to pay bills. "

I say this all the time to anyone who will listen: DO NOT USE A DEBIT CARD! If you use a credit card and get scammed, you fill out a form online and the credit card company refunds your money, done. With a debit card, the money's taken out of your bank account and you have no recourse. Credit cards FTW!

Agreed. I try to use a credit card as a pseudo-debit card, plus most retail card readers read chips so they need a PIN from you.

My credit card is issued by my bank and linked to my online banking account, so I can easily move funds from chequing accounts to pay off transactions.

Fezmid said,
"Further, if you contact Microsoft about the issue, it could take over 20 days to get your money back, which could put some in a tough spot if they need to pay bills. "

I say this all the time to anyone who will listen: DO NOT USE A DEBIT CARD! If you use a credit card and get scammed, you fill out a form online and the credit card company refunds your money, done. With a debit card, the money's taken out of your bank account and you have no recourse. Credit cards FTW!

What about debit cards with the Visa logo? As far as I know those have the same protection as a credit card.

TRC said,

What about debit cards with the Visa logo? As far as I know those have the same protection as a credit card.


Getting your money back versus not paying for the transaction is the difference.
So in the meantime with a debit, you are emptied out in your BA.

What about using an "Internet card"? That's the way my bank works for Internet transactions, they give you a virtual debit card and you decide how much money you have in there, so if something wrong happens they can't charge you.

This exact thing happened to me. Checked my email 3 weeks ago and noticed $100 worth of points were bought. I don't even own an Xbox. I contacted my bank and Microsoft and I got all that money back; luckily I never have more than $100 on my Internet card at any one time, otherwise the damage could have been a lot worse.

If this happens to you, definitely contact both the bank and microsoft and don't panic

Thanks for supporting the idea of having a prepaid card for Online business.

Seems I won't be putting any money soon to my card just to prevent this kind of scam