Hundreds of Dollars Later, One Tragic Xbox Live Story That's Hopefully Almost Over

I’m intimately familiar with consumers dealing with Microsoft customer service in order to recover their Xbox Live accounts and, all too often, money taken from them in tandem with the account.

There are few stories as upsetting as what happened to Susan from Texas, who started off 2012 with several hundred dollars--$366.06, to be exact--stolen from her via her Xbox Live account.

She's recounted the situation on her Tumblr the last few days.

Her struggles to make things right have gained the rightful ire of the Internet, and reflect the worst parts of the stories I’ve filed here at Giant Bomb (here, here, here) about the exploitation of Xbox Live users.

“I think it’s fair to say that many people would look at Microsoft as a reliable company and absolutely trust them with their bank details,” she wrote. “What makes them any different than Blizzard or Sony? If this level of trust makes me a fool, than so be it, brand me as one. Just know that you are branding a hell of a lot of people with that marker than you probably know and we are not the ones to blame here.”

Susan had linked her Xbox Live to her bank via PayPal, and not a credit card. Traditionally, credit cards have greater protection for consumers in cases like this.

It’s unclear how someone came to access Susan’s account, as she claims to not be the victim of a traditional phishing scheme (which hinges upon tricking users into visiting familiar looking websites), but what happened after is familiar territory. The individual now in control of her account bought a “Family Gold Pack,” purchased an enormous number of Microsoft Points, transferred said points to new, unknown accounts, and sold these accounts elsewhere.

I’ve mentioned the selling of Xbox Live accounts in previous stories, but I’ll admit to not being aware of how common the practice might actually be, and I’m actively looking into the merits right now. Please contact me with your stories.

The reason Susan’s tale is more heartbreaking than most relates to her frustrating interactions with Microsoft customer service, which consistently gave her the runaround, pointing her in other directions, and putting the onus on her to ensure account was taken care of. I’ve heard this from countless other users.

Amazingly, Susan was even able to message the person who eventually purchased--and used--her account!

Microsoft director of policy and enforcement of Xbox Live, Stephen Toulouse, told me over email that his team became aware of Susan’s ordeal last night, and promptly locked her account and a refund should be en route.

I’ve been unable to verify personally with Susan whether the refund has been applied, but in her more recent update, she confirmed the account had been locked.

Toulouse said his team is aware of reselling sites.

“We do look out for them and shut them down where we can,” he said. “The selling of accounts is against our Terms of Use, not to mention the selling of a stolen account is a crime in many places.”

“Both the buyer and the seller of accounts run the risk of a console ban from Xbox Live,” he added.

You can keep tabs on Susan’s ordeal through her Tumblr and Twitter accounts, and if you haven't been keeping up with my coverage of similar issues over the past couple of months, here are some links:

• Microsoft, EA Claim FIFA Isn't Causing Rash of Xbox Live Hacks
• The 25 Days (And Counting) of Waiting to Get Back on Xbox Live
• A Q&A With Stephen “Stepto” Toulouse on Xbox Live Security

When it rains it pours, eh?

Read about this on GAF and I figured Kleptoc would be all over it. Good job getting this out to a wider audience and hopefully more attention from the guys at Microsoft.

Tragic, and upsetting the MS didn't take it more seriously from the start.

This happened to me too a couple months ago, except it was only about half that amount of money taken.. and I hadn't played my 360 in a year!

Took about a month to be refunded

The next generation of consoles should include 2 factor authentication like steam and battle.net do.

This is a sad story. I think the most upsetting part about it though is that it took jumping online and posting about it before MS got the information to fix the situation. Really makes me reconsider how I handle my customer service interactions in the future.

Poor dudet, having that much money stolen and none of it was your fault, and the worse thing is she tried to stop it, but Microsoft didn't look into it well at all.

I hope she gets reimbursed.

So basically what we've learned is that if you want to get anything done with your account support-wise, you need to have access to Stephen Toulouse, otherwise customer support will just give you the run around.

Good to know!

I think Microsoft are flat out lying about the hacking of accounts.

Dollars Laters :)

It's idiotic that it took this long for Microsoft to take any sort of action other than assigning blame. That sort if customer service is intolerable and I hope she gets her refund soon.

Microsoft must needs to admit that they have weaknesses in their security and try to do better. I've said it a million times a steam guard like function for XBL accounts would pretty much eliminate this unless your email was compromised too.

Don't ever use PayPal for anything, ever.

It’s unclear how someone came to access Susan’s account, as she claims to not be the victim of a traditional phishing scheme

How else would they have gotten the account details?

These kind of stories make it hard for me to understand how anyone can be a fanboy or aligned with any of these huge companies. They're all equally shit and really don't care about you.

Stepto (Stephen Toulouse) is available @steptoe on twitter. The Xbox live team works hard to prevent stories like this and make them good as soon as they find them.

Is it just dumb luck that they get these accounts with CC info on them, or are they somehow able to single out the people with that sort of info linked to their account? Thats what I want to know. I don't think we'll ever know for sure how they target accounts, though.

Glad to see you picked this up Patrick. Kudos on spreading the word!

Patrick Kelpek, bringing it once again on the consumer advocacy/awareness front. There have been so many good articles coming out of this guy lately.

I just hope they are learning for the next console cycle. 
 
I need to go delete my card details from my accounts. I'm not sure how I feel about all of these stories.

This is likely a case of people using shared logins/passwords for multiple accounts, when one of the databases has been compromised.

As someone who does work on the other side of the phones (though not at MS, and in a different field), the best thing you can do is escalate. If you're not getting anywhere, demand to speak to a manager or supervisor. Do not stop until you're talking to the President of MS, or to someone who actually gets you an answer/solution you'd like. CSR's do NOT like getting yelled at, and most of the time, will gladly hand off an angry customer to their supervisor/manager (much to my dismay).

People, if it hasn't been clear since the PSN hacking scandal: use prepaid cards! It may not stop them from stealing your account, but tying your Gamertags/PSN IDs to actual credit cards you own is asking for trouble.

Glad MS is getting around to fixing it though!

Why is this only happening on 360? I use the PS3 and it's not like their password system is any better? I know the hack thing was big but stories like this aren't coming from that so why is it happening?

@LoveYouSomeEric said:

Patrick Kelpek, bringing it once again on the consumer advocacy/awareness front. There have been so many good articles coming out of this guy lately.

If you put your credit card information online, someone bad out there might be able to find it. News at 11.

@Grimluck343 said:

Don't ever use PayPal for anything, ever.

It’s unclear how someone came to access Susan’s account, as she claims to not be the victim of a traditional phishing scheme

How else would they have gotten the account details?

Social engineering? That's how mines got stolen I think. Put my gamertag into google and you get up enough info to make an educated guess. Have since changed my answers to secret questions to random words.

Two days ago I purchased $20 worth of MS points on Amazon, then used about half of them to purchase some DLC that's on sale for Mass Effect 2.  Yesterday I booted up my 360 to learn that my account was hacked and my remaining points had been spent on this FIFA crap.  
 
I have no idea how this hacker was able to get my account information.  I like to think I have a keen eye for phishing attempts and fake websites.  If I didn't, hackers would have easily hacked my WoW account years ago.
 
I changed all my passwords and called up Xbox.  I spent about an hour on the phone with two different reps, resulting in them freezing my account while they "launch an investigation" that could take about a month.  While it took longer than I liked, I can't say the reps weren't professional and courteous.  I didn't get a runaround like the woman in this story did.  Then again, we'll see how long it takes to get my account and money back.
 
That said, my situation would be way worse if MS had my debit card on file.  Because I purchased my points through Amazon, the only damage the hacker seemed to be able to do was spend ~$14.

@Grimluck343 said:

@LoveYouSomeEric said:

Patrick Kelpek, bringing it once again on the consumer advocacy/awareness front. There have been so many good articles coming out of this guy lately.

If you put your credit card information online, someone bad out there might be able to find it. News at 11.

I'm just saying that many of his recent posts have a decidedly pro-consumer theme, and I think that's a good thing.

@LoveYouSomeEric said:

@Grimluck343 said:

@LoveYouSomeEric said:

Patrick Kelpek, bringing it once again on the consumer advocacy/awareness front. There have been so many good articles coming out of this guy lately.

If you put your credit card information online, someone bad out there might be able to find it. News at 11.

I'm just saying that many of his recent posts have a decidedly pro-consumer theme, and I think that's a good thing.

I agree, but this one seems a little less... informative? I don't know. Bottom line: be careful what you put out there, use good passwords, etc. Just take steps to protect yourself online. And don't use PayPal. For anything. Ever.

@CrunchbiteJr said:

@Grimluck343 said:

Don't ever use PayPal for anything, ever.

It’s unclear how someone came to access Susan’s account, as she claims to not be the victim of a traditional phishing scheme

How else would they have gotten the account details?

Social engineering? That's how mines got stolen I think. Put my gamertag into google and you get up enough info to make an educated guess. Have since changed my answers to secret questions to random words.

Interesting. I just googled my profile for shits and giggles and while it does pop up on various sites, there isn't really any information in the public profile itself that seems very helpful. There's no name or address attached to it, unless you put it in your "bio" section of your gamertag. All they see is the profile name, country, and games that I've played. Maybe it's a security breakdown with games that require a separate login, like some EA titles? That was how I assumed the whole FIFA thing started.

@n8 said:

Dollars Laters :)

Laters!

It's not hacking it's social engineering...and yes...most of this is tied to FIFA Ultimate Team.

Google your gamer tag. Now, did you find anything interesting that could potentially make accessing your personal information possible? I bet you did.

These guys are not "hacking" they are just using the tools available to them to access your account. A simple search of your gamer tag on Google could pull up your FB profile....Twitter profile...Linkedin...personal homepage...blog...etc. All of these things could easily be analyzed to figure out your security questions. Then it is a simple matter of either calling up CS or using the web to access your account.

The link to FIFA Ultimate Team is the fact that the card packs bought with MS points are not freely available in the game without playing a ton of games. So, building a great team can either take a lot of time or a lot of money, but if you buy a preloaded account...the ones that Susans was broken off into....for a fraction of the cost that a 6000 MS point bundle would cost you, you would be well on your way to having that great team. Then there is the matter of the currency in game. That can also be sold on for real life money. This is not dissimilar to World of Warcraft gold farming via account hacks. In WOW accounts are hacked.....all items sold on...and the gold shipped off to another account and siphoned into a main account for sell on gold selling sites and Ebay. Most of these sites that are selling these preloaded accounts are in Eastern Europe....and 9 times out of 10 it is minors that are buying these accounts.

I am not denying the fact that there is quite possibly an actual hack or two happening, but most of this stuff is due to the massive amount of parity between all of our online identities. Regardless....MS needs to really reevaluate the way they handle this problem. The current system they are using is not working for anyone.

@Anthal said:

This is likely a case of people using shared logins/passwords for multiple accounts, when one of the databases has been compromised.

That was not my experience. I randomize my passwords and catalog them using keepass. Change them fairly often and consider myself pro-active on a security front. According to the MS rep I talked with, they believe the person or people that compromised my account used my "secret question" which admittedly was weak. Sadly live doesn't let you set your own question so now I have it set just as randomly as my password.

Still, very frustrating. I know this is valid security problem on Microsoft's side, but why hasn't anyone thrown any ire toward EA for creating a black market where valued content can be transferred with seemingly no means of tracking?

This is a shame, it really shouldn't take having her, or anyone's story getting popular for Microsoft to actually do some customer service and help them retrieve what was theirs.

While it's good to see Microsoft finally jump into action, it shouldn't take the Internet screaming about it and potentially damaging their PR to push them into doing the right thing. It should only take one customer calling up with a valid complaint of having been defrauded. I'd like to think that this situation would've been resolved without committed folks like Patrick digging into it, but I don't. The entire concept of customer service has imploded, as indicated by the recent nonsense with that twit at Ocean Marketing. I can only hope calling attention to enough of these cases can not only get their individual issues resolved as we've seen, but also lead to companies actually rethinking their procedures when dealing with real people with real problems. Keep fighting the good fight, Mr. Klepek!

It's not just the Xbox department, it's the rest of Microsoft that is totally inept to aiding its customers. my email account got hacked and blocked last month, and despite having it for ten and a half years, the only way I could "prove" who I was was to fill out a retarded form, and got denied every time I tried. the SMS feature didn't work, despite using phone numbers from multiple networks and locations. I even tried calling them (after finding their number in a very roundabout method), only for a computer to tell me such services are for MSNPlus subscribers only.

and the annoying thing is, that was the email i linked most of my accounts to, and now I have to wrack my brain to try and remember all of them, so I can change them.

real smooth, microsoft, real smooth. at least Google's SMS system works, and takes only about a minute.

Laters, dollars.

Really glad you guys are here to get this story out. Now MS is all over this getting it resolved, but if it wasn't made such a big deal, how long would she be waiting for a resolution? Shouldn't have had to come to this to get it taken care of. Good work Patrick.

stuff like this is always going to happen no matter how secure the system is, they always will find a way .considering that there is something like 30+ million Xbox gold subs, its almost impossible for every single one of the to be 100% secure with your credit card info. Shit happens and its unfortunate, I'm glad MS is sorting it out but I'm not worried about it.

I stopped reading Consumerist because they ran stories with one side and no response from the company involved. Not saying that everything didn't happen exactly as she says, but I don't like the trend here. I see a person who got their account stolen, told their side of the story, and everyone ran with it. Would be nice to get some comments from MS somehow other than "yeah, we looked into that".

one reason i still pay for xbox live every month is because im not sure how to make it stop....

This shit is terrifying. Somebody should contact GeoHotz, he'll know what to do!

@Grimluck343: Why do people all of a sudden hate PayPal so much? I'm honestly curious cause recently on several different occasions I've heard nothing but deep ire towards PayPal.

Who the fuck is Susan.

If you know someone's name you can find their Facebook page and so find their linked XBL and PSN account usernames, their birthday, their mother's page and her maiden name, their pet's name, a photo of their car, and so on.

Any webpage that allows password alteration after security question checks is made susceptible to attack by this plethora of information that people blindly upload to the internet.

@Loyal_Dragoon said:

Is it just dumb luck that they get these accounts with CC info on them, or are they somehow able to single out the people with that sort of info linked to their account? Thats what I want to know. I don't think we'll ever know for sure how they target accounts, though.

My guess is if there isn't CC info linked they move onto the next target, it's pretty simple.

@PiltdownMan said:

@Loyal_Dragoon said:

Is it just dumb luck that they get these accounts with CC info on them, or are they somehow able to single out the people with that sort of info linked to their account? Thats what I want to know. I don't think we'll ever know for sure how they target accounts, though.

My guess is if there isn't CC info linked they move onto the next target, it's pretty simple.

It's also possible they hold onto the account, then check back later.

This is awful. What's worse than these people doing this, though, is the very real probability that had Patrick or anyone else with a podium not covered this then she probably would have kept getting the runaround from Microsoft. Good work, Klepek

I honestly think that the reason why MS are offering refunds like this though is because of social media and the internet. When people can post their shit stories on Twitter and raise awareness that creates more scathing PR than any media service could ever hope to achieve. And they end up rushing to try to fix the issue so it doesn't look as bad. I guarantee that if things like Twitter and Facebook didn't exist the issues wouldn't get resolved like this and people would be getting shafted more often than not. It's good to see them fix it, but a customer should not get the fuck around in matters of fraud. Ever. And the fact that it happens is absolutely pathetic.

Clearly their CS workers read from a flow chart during their calls, and that needs to stop. I don't know if it's a language barrier because they're all apparently based in Bombay or if it's just policy but their job is to help the customer first, not the company that they work for.

And this is the reason why I do not have any of my credit cards linked to any consoles of mine. Steam has 1 credit card that I use solely for online purchases and I monitor it closely. That's it. I'll go and buy points for everything else and I urge most people to do the same. Eliminate the source, or head, of the problem and the snake dies.

@TwoSe7enFive said:

I think Microsoft are flat out lying about the hacking of accounts.

Yup.

Worst part about her story is that Allegro.pl is a completely legitimate on-line auction house. Yet, they can't seem to control every single auction it seems(there are litterally dozens of thousands of them). Recently there's been a news story that police has captured people responsible for selling counterfeit Xbox 360 controllers. Also, my mother bought a Sony memory stick for her camera and said stick turned out to be a counterfeit. I've told my mom that the cheapest stuff(twice as cheap as an original) is best to be avoided.

As for selling accounts(with points AND games), yeah, I've seen some of those auctions. Can't seem to find any at this moment.