I must have been an exception. It was 21 days for me. My particular compromise was not a FIFA "hack." I can also say, after working in IT for ten years, I would think I can spot a phishing attempt via email from miles away.
I think the weakness came from the live.com side of things. I had not used my new 360 in almost two months and someone had added funds to the account and then bought a PC MMO (that they couldn't even play). I still have a hard time figuring out "how" the system was compromised because since the Sony fiasco I've changed all my passwords EVERYWHERE to be something unique. That is a major chore; I have an app that helps me keep track. I also don't use public wifi or open wifi at my home.
Did Microsoft do right by me? Sure, 20+ days later with a locked account during AAA title season. I couldn't play PC games that had GFWL either. I'm glad they worked with me and helped me through the process. They were even forthcoming with updated info when I called two weeks into the process for an update. It's just unfortunate that everything had to be locked down, but I understand.
Even though "35 million" accounts go through there, there HAS been an increase in problems somewhere. Just google it. I do have a hard time accepting that social engineering and phishing just got lucky and stepped up its game. Still, it's like SPAM ratios. 1% of 35 million is an incredibly high number.
Since the Sony ordeal, I've removed my credit card from every online account I've had, or so I thought. I still need to do it with the 360, but I'm finding that to be complex. It's my own fault for not being proactive enough. The big companies want to make it easy for me to purchase things through their console (and rightfully so for them), but there has got to be more assertiveness, transparency, and protection in place.
I just don't trust the system in its current state anymore.