Xbox live accounts being hacked?

[Hedon]

Hopefully people figure out when others are phishing to prevent this.

[Colin McGregor]

I have 2 credit cards on my account and i've never been hacked, i know what phishing is so i know i wont get hacked and have nothing to worry about.

[Dotdot]

I have 2 credit cards on my account and i've never been hacked, i know what phishing is so i know i wont get hacked and have nothing to worry about.

Funny that, im a web designer and have all sorts of I.T knowledge. Yet I still got hacked/phished. Sadly because you know something exists, doesnt mean you wont fall prey.

[shakey]

Funny that, im a web designer and have all sorts of I.T knowledge. Yet I still got hacked/phished. Sadly because you know something exists, doesnt mean you wont fall prey.

Especially when it probably has nothing to do with you doing anything besides having an account. This hasn't been confirmed to be a phishing or scam based break in to peoples accounts. It very well could be a security flaw somewhere in the Live accounts registered with Xbox, customer service leaking details, or another many range of ways.

[Dotdot]

Especially when it probably has nothing to do with you doing anything besides having an account. This hasn't been confirmed to be a phishing or scam based break in to peoples accounts. It very well could be a security flaw somewhere in the Live accounts registered with Xbox, customer service leaking details, or another many range of ways.

Yip, my account was for Live only and was setup with the Xbox, had a unique password and well Im just not conciously dumb enuff to go handing out my details. Not to mention that I wouldnt of had any reason to enter the details into anything but the damn Xbox. Its not as if I used the account for Live Mail or Messenger, so at no point would I of stored or had these details entered into my PC, other than of the day of creation. Even then I probably used the Xbox itself.

To be honest the only thing stopping me selling my Xbox is Forza 4, and a few arcade games I own. I dont like to hand a company money when they dont give a crap about there customers as clearly proven by my own experience. What I find even worse is that at no point did anyone try to compensate me for the hassle and phonecalls I had to make, i.e no eextra month free or a few hundred points to shut me up. Just excuses.

To this day they havent contacted me about what happened and if I hadnt phoned the Bank again Id still be -?50 thanks to Microsoft.

Keep in mind they had escalated my case to there highest level and promised to phone me back. No phone calls, no money, just hassle.

[BajiRav]

Funny that, im a web designer and have all sorts of I.T knowledge. Yet I still got hacked/phished. Sadly because you know something exists, doesnt mean you wont fall prey.

Your web designer experience and "all sorts of I.T. knowledge" doesn't make you impervious to fishing. I have seen most elaborate phishing scams especially with BoA and one page was really convincing. I was saved thanks to my habit of looking at the site certificates.

[Hedon]

This hasn't been confirmed to be a phishing or scam based break in to peoples accounts.

Actually, it has. Microsoft confirmed phishing is the cause.

http://www.thesixthaxis.com/2011/11/22/microsoft-claim-phishing-is-cause-of-recent-hacks/

[matt4pack]

Just because Microsoft says it phishing doesn't make it so. I know in my case that did not happen.

[Hedon]

Just because Microsoft says it phishing doesn't make it so.

Sounds good ;)

[BajiRav]

Just because Microsoft says it phishing doesn't make it so. I know in my case that did not happen.

Let's turn your argument around.

Just because you say that it did not happen in your case doesn't mean it did not happen in your case.

[+Audioboxer Subscriber²]

Let's turn your argument around.

Just because you say that it did not happen in your case doesn't mean it did not happen in your case.

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mailspoofing or instant messaging,^[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

I'm pretty sure people using Neowin would know if they entered their unique Xbox password somewhere other than on their Xbox.

[BajiRav]

I'm pretty sure people using Neowin would know if they entered their unique Xbox password somewhere other than on their Xbox.

really? I wouldn't be too sure of that...

Warning to all PSN users though, there is a Phishing scam going on... http://gamingbolt.co...g-sent-to-users But it is unrelated to this... Still, beware. I actually clicked the link before I read about this, and had looked at what seemed to be my account.. So i'm off to change my password now via ps3... brb :p

[shakey]

really? I wouldn't be too sure of that...

Ya :p Some of the methods are actually down right devious. That email had everything that it needed. Let me see if I can find it and post a screenshot of it real quick. Though, it was the only time I ever fell for anything as such, and luckily, I was able to find out instantly after what it was. *going to check trash in email*

It didn't help that I was doing everything via my phone, which only made the fonts smaller and me more less likely to pay attention to such things. But it did get me for a second, which was enough. I was able to secure everything right after, but the emails are pretty "official" looking.

[matt4pack]

Yeah I'm sure you can trust Microsoft on this. These are the same people who issued denial after denial about the RROD until it was so overwhelming that they finally had to admit to it.

[shakey]

Yeah I'm sure you can trust Microsoft on this. These are the same people who issued denial after denial about the RROD until it was so overwhelming that they finally had to admit to it.

As well as those who state that they don't even use the email or haven't checked or gone to anything via email. MS likes to hide behind what they can, until they can't hide anymore. Most companies work that way.

[Emn1ty]

As well as those who state that they don't even use the email or haven't checked or gone to anything via email. MS likes to hide behind what they can, until they can't hide anymore. Most companies work that way.

Or they may be avoiding the issue until they can actually make an official statement regarding the manner.

[Royalty]

My account was hacked and all my friends were deleted because I used one of those stupid generators on YouTube that was supposed to give you free Microsoft Points. That was a LONG time ago when I was still very young. :p

[S00N3R FR3AK]

By any chance did you play FIFA 12? it's not Microsoft who are to blame - it seems to be a vulnerability with EA's online system and FIFA 12 in particular. It's happened before and people have reported someone playing FIFA 12 on the console. Unfortunately, the lock-out is part of Microsoft's policy but they will refund you, so no worries there.

I did not play FIFA 12 but my information was stolen in that way. Just got the investigation started yesterday.

[+Audioboxer Subscriber²]

really? I wouldn't be too sure of that...

And the people on Neowin saying they haven't entered their password anywhere? My point is you don't tend to enter your password somewhere and forget you did. If you've never used the password anywhere but on your Xbox, like a few members on here have said what do you say to that? Just call them liars?

GAF is full of the same situation, unique passwords not used anywhere else.

[Hedon]

Are people forgetting that people can actually (and have) Phish Microsoft (as well as Sony and other companies) directly for this information via phone?

LOL, Gaf. I still don't know why I visit that cesspool daily.

[BajiRav]

And the people on Neowin saying they haven't entered their password anywhere? My point is you don't tend to enter your password somewhere and forget you did. If you've never used the password anywhere but on your Xbox, like a few members on here have said what do you say to that? Just call them liars?

GAF is full of the same situation, unique passwords not used anywhere else.

What makes you think all people act sensible on Internet? It's not impossible for people to get fooled by a phishing attack and then forget about it, just ignore it or not realize they're "phished". I laugh at people who claim they've never used the xbl account outside of Xbox. That means only one thing to me - they failed to properly secure their accounts with additional safeguards such as password reset questions or text alerts. I won't call them liars but will stop short of saying dumb.

[(Spork)]

Yip FIFA 12 hack. Phone your Bank/CC company if theyve taken funds, and also contact MS. Tho if your experience is anything like mine, be prepared for aa very very very long wait.

i have contacted MS and nothing was changed they just used 6800 points to purchase market items

[+Audioboxer Subscriber²]

Last week we asked if

Xbox Live had been hacked. We used the detailed account of Xbox Live fraud victim Susan Taylor to suggest that yes, it had.

After publishing the article, Eurogamer was approached by half a dozen other readers who had experienced similar exploitation on Xbox Live.

All the while, Microsoft staunchly denied any such security breach on Xbox Live.

But now we may have discovered how those Xbox Live accounts were broken into.

Eurogamer was contacted recently by "Jason", a man who claimed to know how to hack into Xbox Live accounts. He offered us an explanation via email last night. But our efforts to validate his claims were cut short by website

AnalogHype, which today posted an uncannily similar "how-to", based on information provided by a source named Jason Coutee.

The same Jason? Probably.

Coutee and Eurogamer's "Jason" point the finger at Xbox.com - the website. This allows eight password attempts at a Windows Live ID before CAPTCHA is triggered - the system that presents those squiggly words. A simple password-generating script can apparently be used to exploit this system before CAPTCHA kicks in.

The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they're valid - "the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."

Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points. That's how it sounds. We haven't tested this, naturally.

Eurogamer has contacted Microsoft about this issue. Microsoft is aware of the issue and Eurogamer is waiting for a formal response.

AnalogHype says that Jason Coutee is a network infrastructure manager who had his own Xbox Live account hacked and used to fraudulently buy 8000 Microsoft Points. He called Xbox Support, who offered to freeze his account but couldn't refund him. He declined the offer and investigated himself, eventually stumbling upon the answer.

Since publishing Susan Taylor's account of Xbox Live fraud, Eurogamer has been contacted by half a dozen other people who were victims of similar exploitation. Thank you, those who have written in. And please do keep letting us know if you've had your Xbox Live account fraudulently used.

Source: http://www.eurogamer...x-live-accounts

From what started as a supposed Fifa 12 hack, turns out to be more then that. Xbox Live has a serious security flaw and Microsoft ignored it for way to long. We have uncovered how easy it is for hackers or anybody with some free time to hack your Xbox Live account.

I spoke with Jason Coutee, a network infrastructure manager who had his Xbox Live account hacked. 8000 Microsoft points were purchased on his account, so he did what anyone of us would do and call Xbox support. A transaction for Xbox Live Family Pack was in the middle of being processed and he was able to cancel it before it went through. Unfortunately Xbox couldn?t refund him for the 8000 Microsoft points but offered to freeze his account for 30 days to investigate. Jason declined to the investigation so that he can do his own investigation. For the next couple of weeks Jason went searching for vulnerabilities that may have caused the hack. He then found Xbox 360?s Achilles heel, Xbox.com

The first step was to gather the Windows Live ID?s of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and enter them individually on Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live ID?s. Now the hackers check to see if the email is a valid Windows Live ID. To do this, hackers headed to Xbox.com Typing in the email and a random password like blah.

If the hacker got the error message ?account is invalid? they move on to another email.

When the hacker comes across the error message ?password is wrong? then that account is in trouble.

Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential password, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for ?try with another Live ID?. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe. Hackers will take your credit card info, Netflix, Hulu Plus, the works.

So what are hackers going to do with your hacked account? Most likely purchase games and Microsoft points, change your gamertag and the email associated with then sell it online. For extra kicks they might also purchase a Xbox Family pack to add 3 more gamertags to their arsenal. Hackers are known to do this several times a day. Making several hundred dollars a day off of Microsoft?s laziness and your money.

Jason Coutee attempted to call Microsoft to report his findings and Microsoft Headquarters gave him the run around. Instructed him to email helpnow@microsoft.com He also tried calling 1-800-4-MY-XBOX where he spoke with a supervisor. The supervisor instructed him to take it to the Xbox.com forums. His latest attempt was with the Piracy and Phishing department at Microsoft who wouldn?t help him with anything Xbox related. Everybody at Microsoft refused to acknowledge the issue and because of that, gamertags are still being hacked. Microsoft can easily fix this issue by sending an email to people when there are more than X amount of failed login attempts and by by storing session id?s.

Source: http://www.analoghyp...ored-the-truth/

[arrrgh]

Brute forcing a password is not a 'hack'. If this is it, then it's just these guys using weak passwords.

[Si Veteran]

Is this the hack used to exploit Xbox Live accounts?

No.

This is social engineering (people publicly linking their gamertag with their Live ID) followed by a brute force/dictionary attack which finds weak passwords in a reasonable time.