Xbox live accounts being compromised, money taken

If you have an Xbox Live account, you may want to check your credit card statements, your Xbox account and your recently purchased items from the Xbox Live Marketplace, as numerous reports of accounts being compromised have hit the web.

The basics of the hack, or possible phishing attack, are this: a user has his or her account compromised; Microsoft Points are either used directly or, if the account does not have any, purchased on the linked credit card and then used to buy downloadable content. The amounts range from a few dollars to over a hundred in some cases.

The issue has been circling the web but recently hit the Neowin forums and is also heavily prevalent over at neoGAF. Neowin forum member Scraggles states the following:

I woke up this morning to check my bank account (payday) and realized my total balance was smaller than my expected paycheck. I clicked to look further into the account and found that I was billed almost $80 from Microsoft. I immediately got on the phone with them. While on hold I checked my email to find 4 emails from them: 3 regarding points purchases, and a 4th titled 'Account Switch Confirmation'. That email stated that my region was successfully changed to Russia from the US.

Scraggles goes on to say that four of his friends were also affected by the same type of attack. Further, if you contact Microsoft about the issue, it could take over 20 days to get your money back, which could put some people in a tough spot if they need to pay bills.

A user over at neoGAF reports a very similar issue. He, along with many others, believes the exploit may be linked to FIFA '11 or '12:

Looks like my Xbox Live Account was hacked this afternoon. When I went to go check my email, about an hour ago, I got something from Microsoft about 4000 MS point activation confirmation. I thought it was odd since I haven't bought points since early May. I go to xbox.com first to make sure everything is "okay." It showed I had 1 point left and the last game I "played" was Fifa '11, which I don't own. 

So I go to change my password and security question and then I log into billing.microsoft.com to see where the points went. Looks like they bought a 4000 point bundle and another 6000 point bundle.

There are many other reports of this exploit occurring, too. In fact, Ars Technica reported on the issue about a month ago and believes the common factor is Fifa '11 and '12. However, there are also reports of users who have never played either of these games being compromised.

Of course, when something this big occurs, most would assume a phishing scam is under way, but considering the large number of users the exploit is affecting, and that the users being exploited are generally Internet savvy, it would have to be a well executed one. The users themselves say that they never entered their information anywhere online that would allow someone to obtain what is required to make the purchases seen above. Microsoft did provide a comment on the Ars Technica story, which is below:

“We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account.”

A user two days ago was actually able to watch the exploit happen to his account while on the phone with Microsoft. He states:

I just got "Fifa'd" myself. 9200 MS points charged to my account - and then had the privilege of watching the prick appear on my friend's list "playing" FIFA 2012 while on the phone with MS Customer Service. 

I messaged the p**** and he quickly signed off. 

Anyway - MS Customer service tells me my options are:

- Shutdown my account while they investigate the issue. The charges will still be applied to my account until it's resolved and it can take up to 1.5 months.

- Option 2 "Pay the charges", change your password and continue playing Xbox Live.

Of course, with Microsoft denying that the issue is on their end, it raises the stakes as to what is actually happening. It is clear that users of Microsoft's Xbox Live service are still actively being robbed of either their Microsoft Points or real money. It doesn't help that if you do dispute the charges, Microsoft will lock your account for approximately 20 days.

There have been a lot of theories about what is happening. The affected users are typically playing an EA game such as Fifa '11 or '12, but others have reported that Battlefield also showed up in their recently played games when the individual does not even own the game.
