Who's had their Xbox LIVE account hacked?

#1 Posted by Sander (414 posts) -

I have a couple friends who've had their accounts hacked and credit cards charged for over a hundred dollars each. There's a 5 page thread at Neogaf with people describing their troubles and then their subsequent lengthy experiences with xbox live support. And it seems the problem isn't limited to Live but also to Games for Windows accounts too. 
 

Someone used my debit card to buy $75 worth of Microsoft Zune points and spent all the points on my Xbox. They bought From Dust, Vanquish, some Warhammer arcade game and something else. Spent all the points exactly.

When I went to my local Bank of America to file a claim and get a new card the guy there said this happens all the time with Xbox Live users. He says he just got off a phone call with an Xbox Live representative a couple days ago and they explained everything.

Apparently they "hack" your Xbox, or your account etc., use your stored payment information to buy around $75 worth of points. Apparently $75 worth of points is just under the amount Microsoft considers suspicious. If you purchase more (around 10,000) they flag your account for fraud.

They then spend the points but do not download the games. Somehow, he didn't explain this part thoroughly, they call up Microsoft and say they want the points refunded as a gift card. They sell these gift cards on eBay.

#2 Edited by PenguinDust (12533 posts) -

@Sander: I did. They tagged me for, as you say, under $75, bought 3 Games for Windows games (I know which ones, too) and then scurried off into the night. I noticed it on my credit statement immediately since I haven't used my 360 in months and haven't purchased anything since the beginning of the year. I called Microsoft and they were very helpful and took care of everything. They froze my account for the period of the investigation, credited me the money stolen and even gave me 400 points for my trouble. I changed all my cards of course and notified them, as well, of the hacking.

I really expected something from my PSN account after all the hoopla, but it turns out that the MS one was more vulnerable. I'd love to know how they got the information since my 360 is rarely on.

Oh, and a few weeks ago a podcaster from the Orange Lounge Radio show had his hacked, too for $113.00, I think. He talked about his experience on one of the more recent shows (August).

#3 Posted by Bubbly (254 posts) -

This is why I use prepaid cards only. When my account got hacked I had 6200 points at the time (saw a really really good deal and took it; that's why I had so much) and the guy bought Dragon Age 2 off of the Games for Windows Marketplace. Called up Microsoft and got my points refunded. Don't even wanna think about all the trouble I would have had to go through if I had a credit card on there.

#4 Posted by iam3green (14390 posts) -

Wow, that sucks. I removed my debit card a couple of years ago. I barely buy DLC or any arcade games on any systems.

#5 Posted by OppressiveStink (357 posts) -

@Sander: @MODernChris:

Same way that people get into PayPal accounts and email accounts and bank accounts. Viruses and phishing emails.

I'd suggest to all victims of this to simply get Firefox and run NoScript. You will not have a single password stolen.

#6 Posted by Sander (414 posts) -

@OppressiveStink: That doesn't explain why there would be a sudden increase in people's accounts being hacked.

#7 Posted by Knetic2341 (243 posts) -

I have not, yet. I really can't imagine someone doing that, but hey, welcome to the internet. I just hope my account remains untouched, worrying about credit and debit cards is a hassle.

Funny sidenote: One time I thought someone charged my debit card. I ran over to the local Wells Fargo to cancel my card and figure out what happened. They looked into it and saw that it was a fraudulent charge and refunded the money. (It was only about $5.50, still someone had my card.) It wasn't until a week later I realized it was Activision charging my account for the free copy of Prototype which I got for buying Singularity. The charge was for shipping but I couldn't remember I was receiving the game because it took about three months to process and Activision didn't charge the card until it shipped. To this day, getting a refund for a "fraudulent" Activision charge has always been funny.

#8 Posted by OppressiveStink (357 posts) -

@Sander:

Sure it does, right now Xbox is sending quite a bit of emails, especially if you're a gold member. I just got a gold member statement for my free points earned for the month. Perfect time to send out a phishing email. If just 1% of people fall for it, or try to log in through that email, you have quite a few accounts compromised.

#9 Posted by piropeople13 (399 posts) -

In light of all this I wish it wasn't such a pain in the ass to get M$ to remove my credit card every time I renew gold. They have to cancel my gold membership and give me prepaid cards over a 20 min phone call every time.

#10 Posted by mariokart64fan (366 posts) -

never had my cc number on my xbox360, but i'm still crossing fingers to not get hacked because i have a lot of rugrats videos and tv shows i downloaded and boy if ms lets these people in to people's accounts and mine is gone, they had better get lawyers, cause i sure ain't playin around with that mess especially since i pay 25$ every 3 months - ya i know i should just get the 60 but, i rather do what i'm doing,

but still, it should be secure, unlike psn which is free we pay for the service,

and ya not hacked yet, again crossing fingers, as i downloaded a lot of games and such

#11 Posted by Helushune (215 posts) -

Mine got hacked about two months ago and region switched to Colombia so it's locked there for at least a year. They spent all the points I had on the account on Dead Space, Dead Space 2, and Assassin's Creed Brotherhood DLC and attempted to charge me in excess of $10,000 on my credit card.

#12 Posted by TheLoveAbove (28 posts) -

Account hacked, 100 dollars charged, then Fifa was played. It's happening to everyone. It's so messed up.

#13 Posted by Beb (245 posts) -

Just found out mine was hacked. Looks like it is 14 year olds doing it somehow, because whoever did it left half a text message conversation (ie the incoming messages) in my XBL inbox that seems to include their last name.

#14 Posted by FancySoapsMan (5834 posts) -

No, but just to be safe I removed all my payment options from my account.

#15 Posted by Branthog (5562 posts) -

You know, I hear stories about people having their accounts here or there "hacked" every day. It really comes down to a failure on their part, except for the rare cases where the servers on the other end have themselves actually been compromised in which case it isn't the user's fault, obviously. The same goes for viruses, frankly. I know it sounds mean to suggest that people themselves are a big part of the blame, but it's reality. They need to lock down the network they're using, use a better password, or guard their personal information better. In almost twenty-four years, I have never had a machine become infected and I've never had an account hacked. Not at school, work, home, on BBSes, the internet. Nowhere. Ever.

Then you have people who are varying degrees of careless. They're the ones that you see REPEATEDLY updating their facebook status to say "my account was hacked, again".

#16 Posted by Sugarfix (12 posts) -

@Branthog said:

You know, I hear stories about people having their accounts here or there "hacked" every day. It really comes down to a failure on their part, except for the rare cases where the servers on the other end have themselves actually been compromised in which case it isn't the user's fault, obviously. The same goes for viruses, frankly. I know it sounds mean to suggest that people themselves are a big part of the blame, but it's reality. They need to lock down the network they're using, use a better password, or guard their personal information better. In almost twenty-four years, I have never had a machine become infected and I've never had an account hacked. Not at school, work, home, on BBSes, the internet. Nowhere. Ever.

Then you have people who are varying degrees of careless. They're the ones that you see REPEATEDLY updating their facebook status to say "my account was hacked, again".

But as I pointed out in the other thread, I'm incredibly careful with my security and managed to reset my password while they were using my account elsewhere (I not only changed it on my pc using an on-screen keyboard in case I had somehow become infected with a keylogger but I also changed it on the Xbox. I also changed the method of password reset to send an SMS to my mobile and not my email, in case they had access to that too) and yet, they were able to take control of my account again immediately. The only possibility is that they used the answer to my secret question and NO ONE could happen to stumble across the answer, in fact I doubt they'd manage it with any kind of guess or brute force. I get zero results if I try and Google the answer.

However they did it, Microsoft could still do more to help prevent people spending YOUR money when they do manage to gain access, like requiring the 3 security digits off the signature strip to confirm purchases or better still using the SMS feature to require confirmation before allowing your gamertag to be restored to an unknown Xbox.

Lax security on the user's part is being matched in equal measure by apathy from MS on this one.

#17 Posted by Branthog (5562 posts) -

@Sugarfix said:

@Branthog said:

You know, I hear stories about people having their accounts here or there "hacked" every day. It really comes down to a failure on their part, except for the rare cases where the servers on the other end have themselves actually been compromised in which case it isn't the user's fault, obviously. The same goes for viruses, frankly. I know it sounds mean to suggest that people themselves are a big part of the blame, but it's reality. They need to lock down the network they're using, use a better password, or guard their personal information better. In almost twenty-four years, I have never had a machine become infected and I've never had an account hacked. Not at school, work, home, on BBSes, the internet. Nowhere. Ever.

Then you have people who are varying degrees of careless. They're the ones that you see REPEATEDLY updating their facebook status to say "my account was hacked, again".

But as I pointed out in the other thread, I'm incredibly careful with my security and managed to reset my password while they were using my account elsewhere (I not only changed it on my pc using an on-screen keyboard in case I had somehow become infected with a keylogger but I also changed it on the Xbox. I also changed the method of password reset to send an SMS to my mobile and not my email, in case they had access to that too) and yet, they were able to take control of my account again immediately. The only possibility is that they used the answer to my secret question and NO ONE could happen to stumble across the answer, in fact I doubt they'd manage it with any kind of guess or brute force. I get zero results if I try and Google the answer.

However they did it, Microsoft could still do more to help prevent people spending YOUR money when they do manage to gain access, like requiring the 3 security digits off the signature strip to confirm purchases or better still using the SMS feature to require confirmation before allowing your gamertag to be restored to an unknown Xbox.

Lax security on the user's part is being matched in equal measure by apathy from MS on this one.

You're right about the custodians of your accounts and data (Microsoft, Sony, etc) often being way too damn lax in their security. Not just them, but businesses of all sorts. That's why I made the point that the only exception is when it's actually a legitimate failure on the other end of things. Such as having a database server broken into and all the contents stolen. Or companies that easily succumb to social engineering (where you can just call and give two pieces of readily available public knowledge about a person and have the operator help you reset your (their) password, for example). Alternately, you have the ones that require you answer a couple questions on a form. My fucking *bank* did that. And so did my cell phone company. All you needed to "recover" account access (meaning ANYONE could do this with the right info) was answer something like "mother's maiden name" and "which of these four addresses do you currently live at". Information readily obtainable by anyone with an internet connection (or, at the most, a $10 fee at one of those background check websites).

As for the Live accounts... it's strange that they so easily rolled over the information for someone else, because my brother lost his account due to not having an active email address set up for it any longer (the place he used for his email when subscribed to the service initially is no longer around). He called them and had all sorts of account information. He just wanted to get his several year old account going again and pay for a renewed subscription. However, since he didn't have an *active* email address on the account, it couldn't send him a recovery message... and they weren't willing to help him do anything on the phone. Kind of sucks for something Microsoft supposedly wants you to maintain and care about (your identity on their gaming/media/entertainment service and device).

On the user side, however, I can't think of a time when I saw someone have their accounts or machines compromised unless they were using short, simple, or dictionary passwords, not using proper basic networking security, and no clicking random shit. (I bet that 90% of the facebook accounts that are "hacked" which aren't just simple password guesses are the result of idiots clicking things like apps that say "click here to enter for a drawing for a free iPad!").

Oh, and about the Microsoft help and all that. Yeah . . . it's definitely hit or miss. I've owned many 360s in the last five or six years and after a home invasion, I figured I'd do what I'd read other people do. I'd call up MS and give them my serial number so they could flag it and notify me or the police when they detected it logging in from somewhere. But, nope. They said that isn't possible. Absolutely no way it can humanly be done. (riiiight).

#18 Edited by Lunar_Aura (2779 posts) -

#19 Posted by brad5191 (4 posts) -

This is the exact reason that I don't want to connect my cards to it. It's all accurately done when they hack your accounts and they do it without leaving traces.

#20 Posted by RoyCampbell (1096 posts) -

Well fuck
 
This is troubling.

#21 Edited by mboom123 (1 posts) -

I did. By my despicable little brother. My account was unprotected and he used $14.99 to buy Castle Crashers. Now I hate him even more. He doesn't feel like a brother to me. He feels more like a thief. Too bad I'm too smart to be outsmarted.

#22 Posted by Fattony12000 (7461 posts) -

@mboom123 said:

I did. By my despicable little brother. My account was unprotected and he used $14.99 to buy Castle Crashers. Now I hate him even more. He doesn't feel like a brother to me. He feels more like a thief. Too bad I'm too smart to be outsmarted.

#23 Posted by Dark (387 posts) -

@mboom123 said:

I did. By my despicable little brother. My account was unprotected and he used $14.99 to buy Castle Crashers. Now I hate him even more. He doesn't feel like a brother to me. He feels more like a thief. Too bad I'm too smart to be outsmarted.

You're also apparently too smart to look at when this thread was made >.>
