Origin hacked, change your passwords for reals

#1  Edited By mindatlarge

So, maybe this is old news, but Origin has been hacked and it is legit. Unfortunately for me I didn't get the memo until today. I used the same password and email address for my Xbox Live account as Origin, and came home today after work to two emails saying I purchased 4,000 and 6,000 Microsoft points. Purchases that I didn't make, and the email above that stating my Origin password had been reset. The Microsoft points are not on my account, but the sums of $49.99 and $74.99 were charged to my PayPal account since that's the form of payment I have saved to my 360. When I changed my password on Xbox Live (I used the website), I did get a warning page saying it looked like my account was accessed by an outside party or something of that nature. But I did successfully change my password.

So, I have some questions for the Giant Bomb community:

1. Who should I contact first about this? PayPal, Microsoft or Origin?

2. Since the hackers bought 10,000 Microsoft points, where did the points go if they are not in my account?

3. If you have any other tips or advice that'd be awesome. I already changed passwords and such, so I should be fine there.

I also wanted to spread the word. I googled "origin hacked" and apparently this was in the gaming news around the 14th of November. But from what I saw, Origin is denying they were hacked.

Just an FYI, I used Origin one time, bought a couple hardcopy games from their site during black Friday last year. I don't even have their client installed on my PC. But I can tell you, those games weren't worth this headache! :p

#2  Edited By GERALTITUDE

1. You could try calling MS to have them reverse the transaction, but I guess it's your fault (in their eyes) that you got hacked, so, who knows what'll happen (probably "Too bad, so sad" but it is the Christmas season after all!).

2. I don't know how but another account is the answer. They probably just use your payment information, not your account.

It's hard to do if you're lazy like me, but best practice is of course to just have many passwords.

#3  Edited By Andorski

Is your PayPal connected to a credit card? If EA is denying any security intrusion, I doubt MS will refund the points. I think your best bet is to go to your bank and ask for a chargeback.

#4  Edited By WarlordPayne

Did you check your transaction history? That should show you what they bought with the points.

#5  Edited By Justin258

I don't seem to be having a problem. But now I've got to figure out everything that uses that password and change it...

#6  Edited By mosdl

How do you know Origin was the cause?

Contact MS; when my Live account got hacked during the big FIFA hack days they refunded me the points.

#7  Edited By mindatlarge

Thanks for the info. You guys have all been really helpful.

Luckily, I got through last night to Microsoft and got it straightened out. A Major Nelson sounding guy walked me through the steps of securing my Live account. Took about 30 minutes in all. They also said the money had already been refunded, but it takes a couple days to show back in my PayPal. Microsoft was well aware of this issue, but did not want to provide much info other than I had been "FIFA'd". They offered no info as to what caused this, but said I should call Origin as well.

A Microsoft admin had put a note on my account attached to the two fraudulent purchases while I was at work and oblivious to what was happening, authorizing a refund since their system flagged the purchases as suspicious. Pretty cool that their system at least does that.

Funny twist, when I logged on this morning there was a friend I had never seen before playing what else but FIFA 13. When my account was compromised they must have added this user to my friends list. In all the confusion last night I didn't even notice. Anyways, he quickly went offline and de-friended me when I logged on. But not before I got his gamertag. Good times.

I'm 100% sure it wasn't a key logger or anything of that nature. I'm leaning towards a social engineering issue or database hack at Origin. I was just stupid for having the same security info for both Origin and Live.

#8  Edited By GreggD

Oh, shit I gotta go change the combination on my luggage...

#9  Edited By zeforgotten

Still not seeing any concrete evidence that it actually had anything to do with Origin at all.
But meh, what do I care? I'm one of those people who change my password all the time anyway just to be really safe, so I guess it couldn't hurt to change my passwords now rather than doing it tomorrow.

#10  Edited By mindatlarge

@Andorski: Luckily, I use a business debit PayPal credit card, the funds come straight out of my PayPal and don't even touch my bank account. I use this card solely for online stuff.

@WarlordPayne: They bought then gifted a butt load of FIFA points.

@mosdl: I got an email from Origin saying my Origin password had been changed. Then ten minutes after that, 10,000 Microsoft points were bought. I used the same password for Origin as I did Xbox Live. My Live account is also linked to Origin, your gamertag is shown on your Origin profile, so my guess is the hacker checks to see if they can log into Live with the password they just stole from Origin.
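The timeline in the post above (a password reset on one service, then a purchase on a linked account minutes later) is exactly the kind of cross-service signal a fraud system such as the one described in post #7 can catch. The following is an added example, not code from the thread or from any of the services mentioned: it parses constructed log lines in a made-up format and flags purchases that follow a password reset for the same identity within a short window. The log format, field names, thresholds and the `gamer42` identity are all assumptions made for the example.

```python
# Added example (constructed): correlate account events across linked
# services and flag purchases that closely follow a password reset.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Event:
    ts: datetime
    service: str      # e.g. "origin" or "xbox_live" (labels are assumptions)
    user: str         # shared identity key linking the two accounts
    kind: str         # "password_reset" or "purchase"
    amount: float = 0.0


# Constructed sample log, modelled on the thread's timeline: a reset on one
# service, then two purchases on the linked service about ten minutes later.
SAMPLE_LOG = """\
2012-11-28T17:02:11 origin user=gamer42 password_reset
2012-11-28T17:12:40 xbox_live user=gamer42 purchase amount=49.99
2012-11-28T17:13:05 xbox_live user=gamer42 purchase amount=74.99
2012-11-28T18:30:00 xbox_live user=other_user purchase amount=9.99
2012-11-29T09:00:00 xbox_live user=gamer42 purchase amount=4.99
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, user_field, kind, *rest = line.split()
        user = user_field.split("=", 1)[1]
        amount = 0.0
        for field in rest:
            key, _, value = field.partition("=")
            if key == "amount":
                amount = float(value)
        events.append(Event(datetime.fromisoformat(ts), service, user, kind, amount))
    return sorted(events, key=lambda e: e.ts)


def flag_suspicious_purchases(events: List[Event],
                              window: timedelta = timedelta(minutes=30),
                              min_amount: float = 25.0) -> List[Event]:
    """Return purchases of at least `min_amount` made within `window` after a
    password reset for the same identity, on any linked service. These are the
    transactions a fraud system should hold for review rather than settle."""
    resets = [e for e in events if e.kind == "password_reset"]
    flagged = []
    for e in events:
        if e.kind != "purchase" or e.amount < min_amount:
            continue
        for r in resets:
            if r.user == e.user and timedelta(0) <= e.ts - r.ts <= window:
                flagged.append(e)
                break
    return flagged


def flagged_total(events: List[Event]) -> float:
    """Sum of the flagged purchase amounts, rounded to cents."""
    return round(sum(e.amount for e in flag_suspicious_purchases(events)), 2)


if __name__ == "__main__":
    for e in flag_suspicious_purchases(parse_log(SAMPLE_LOG)):
        print(f"HOLD {e.ts.isoformat()} {e.service} {e.user} ${e.amount:.2f}")
```

The window and amount threshold are the tuning knobs: a short window catches the reset-then-buy pattern from the thread, while the threshold keeps low-value purchases from piling up in the review queue. The next-day $4.99 purchase and the unrelated user's purchase are deliberately left unflagged.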

#11  Edited By mindatlarge

@ZeForgotten: I dunno, man...just Google "origin hacked" or go to YouTube and see the amount of people that are getting their Origin accounts hijacked. Even to the extent of having their birthdays changed, which I would believe points to a database hack. The fact that my Origin account was hacked, then my Live account (which shared the same password as Origin) was compromised ten minutes later, gives me enough concrete evidence that Origin has a security issue somewhere down the line. I'm 100% positive it is not, or was not, on my end.

Also, protip. Set up your Microsoft proofs. It would have saved my ass here. That's adding MMS, secondary email, etc. to your security measures on your Live account. You can do all that jazz at accounts.live, yes, it's a legit Microsoft site. :P

#12  Edited By hero_swe

Damn, scared me man. Thought it was another incident. Then you reminded me about the last time it happened and I did change my password that time.

#13  Edited By zeforgotten

@mindatlarge: I could Google "xbox live hacked" and "psn hacked" and would probably get results from threads posted 2 seconds ago though.

And pffft, your protips are old by now.
I'm at the point where everything is so secure that I'm sure that a group of mercenaries would show up at the house of some guy who's trying to gain access to my accounts :P

I did actually get my PSN hacked once and saw that some dude or dudette had purchased a bunch of Rock Band 2 songs.
I laughed a little because I was gonna get them anyway so I just changed my password and... man, that was the day I said "ok, let's do this thing" and bought every song available and the time and after that day just to have them. That account stealing bastard is the reason I now just buy every Rock Band song that comes out even if I don't like the songs, haha :D

#14  Edited By mindatlarge

@ZeForgotten: lmao...yeah, homie, it's a weird / dirty feeling seeing the hacker's (god, I hate that word) activity on your account when you get it back. I have a FIFA 13 achievement that the person got when my account was compromised and apparently he played Microsoft Flight Simulator as well, that shows up too.

Oh wells...there is a lot of other things worse that could have happened to me. But getting money stolen from you is always a crappy feeling. :P

#15  Edited By TyCobb

KeePass is my best friend. Nothing beats having random ass passwords for everything linked to money and being able to just change the password without caring about what it is. 1..7\J9p;PfUx?oH:Vuy

Of course it is really the length that matters, but because sites like to be assholes and have maximum lengths, you can't just easily come up with something easy to remember and have it possibly follow the same password scheme you use to remember it.

The tricky part is being able to access my KeePass database at any time, but so far I haven't had an issue VPNing into my home network and just RDPing into my computer. Still trying to figure out the best way to handle just downloading it as needed though.

#16  Edited By Grumbel

That weird FIFA stuff has been going on for a long, long while, but I still don't understand how they get the logins. Was your password weak and easily guessable, did you enter it into some phishing website, or is there some problem on Microsoft's or Origin's end that they failed to plug in over a year?

#17  Edited By Mirado

@TyCobb: This is why I use LastPass for everything. Every site has a different, random password (locked by a master password in the same kind of setup as KeePass), and it syncs across my various devices for easy access. It isn't open source like KeePass, but the ability to have an iPhone app (which I utilize quite often, as good luck remembering a 20 character random password) and keeping everything synced across my devices makes up for it in my mind.

Plus they don't store your master password, and everything is double bolted with 256-bit AES and SSL (for communicating with the website). It's the best solution that I've found which also retains a degree of portability.

#18  Edited By PeasantAbuse

I guess it doesn't matter now, but I requested a password change email from Origin yesterday after seeing this thread and they never emailed me...

#19  Edited By TyCobb

@Mirado: I have looked at that before. I just could never pull the trigger on it because it's someone else holding on to my information and I don't want someone else with the keys to my castle. It's one of those things of putting all your eggs in one basket. KeePass is very secure. Especially if you use a master password and Key file with 100,000,000 key transformation rounds, but I still can't bring myself to just put it on DropBox even though it is only installed on 1 computer and everything is private.

I'll probably break down and sign up for it because I am sure there will be a time I wished I had.
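Posts #15 and #19 above describe two password-manager ideas worth seeing in working code: per-site random passwords whose strength comes from length (with site maximum lengths as the annoying constraint), and a vault key derived from a master password plus a key file through a large number of slow transformation rounds. The block below is an added example, not KeePass's or LastPass's own code, and its derivation deliberately uses the standard PBKDF2-HMAC-SHA256 construction rather than KeePass's actual composite-key and AES-KDF format; the salt, round count and sample inputs are constructed for the example.

```python
# Added example (constructed): vault-key derivation from two factors plus
# random per-site password generation. Standard library only.
import hashlib
import math
import secrets
import string
from typing import Optional

# Full printable ASCII minus whitespace, similar to a "random ass" generator.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_vault_key(master_password: str, key_file_bytes: bytes,
                     salt: bytes, rounds: int) -> bytes:
    """Derive a 256-bit vault key from BOTH a master password and a key file.

    Someone who copies the database and the key file still needs the
    password, and someone who phishes the password still needs the file.
    `rounds` is the slow-down factor the post calls transformation rounds:
    it makes each offline guess against a stolen database cost that many
    HMAC iterations. (Simplified: PBKDF2 over a hash of both factors, not
    KeePass's real composite-key/AES-KDF scheme.)
    """
    key_file_hash = hashlib.sha256(key_file_bytes).digest()
    composite = hashlib.sha256(master_password.encode("utf-8") + key_file_hash).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def generate_password(length: int = 20, max_length: Optional[int] = None,
                      alphabet: str = ALPHABET) -> str:
    """Generate a random password with a CSPRNG, clamped to a site's maximum.

    When a site imposes a maximum length, the only thing you can do is keep
    the full alphabet and take the hit in entropy; the caller can see how
    much with entropy_bits().
    """
    if max_length is not None:
        length = min(length, max_length)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random password: length * log2(alphabet).
    This is why length matters more than any particular symbol choice."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed demo values; a real key file would be random bytes on disk.
    salt = secrets.token_bytes(16)
    key_file = secrets.token_bytes(64)
    key = derive_vault_key("correct horse battery staple", key_file, salt, rounds=200_000)
    print("vault key:", key.hex())
    for cap in (None, 16, 12):
        pw = generate_password(20, max_length=cap)
        print(f"max={cap}: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

The round count is a time trade-off: the 100,000,000 rounds mentioned in the post means every unlock, and every attacker guess, costs that many iterations, so pick the largest value your slowest device can tolerate rather than a fixed number. Storing the key file somewhere other than the database (never in the same synced folder) is what preserves the two-factor property.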

#20  Edited By TyCobb

@PeasantAbuse said:

I guess it doesn't matter now, but I requested a password change email from Origin yesterday after seeing this thread and they never emailed me...

Email? Why not just log in and change your password? I changed my password tonight through the client.

#21  Edited By Nentisys

@PeasantAbuse said:

I guess it doesn't matter now, but I requested a password change email from Origin yesterday after seeing this thread and they never emailed me...

Don't be an idiot, just log in and change it.

#22  Edited By Aetheldod

Just checked my accounts ... it seems one asked if I requested a change in password (don't recall that I did), but then I proceeded to re-ask for my password and changed it accordingly, albeit that account has no money tied to it so I'm safe. It hurts no one to check that everything is OK though.

#23  Edited By PeasantAbuse

@TyCobb said:

@PeasantAbuse said:

I guess it doesn't matter now, but I requested a password change email from Origin yesterday after seeing this thread and they never emailed me...

Email? Why not just log in and change your password? I changed my password tonight through the client.

I'm an idiot. Thanks lol

edit: to clarify I didn't email them, it was a password change request on the Origin site.

#24  Edited By Funkydupe

I'm going to not change my password, but convince myself that I did. That'll fool them.

#25  Edited By mindatlarge

@Grumbel: From the best I can tell, man...the problem starts with Origin. Somehow the bad guys are getting Origin's customer security information, taking over the accounts and selling them. But my Origin account was useless, literally didn't even have ONE game attached to it. So, the hacker didn't even bother to change the email address attached to the account. So, it was easy for me to get back in. He was more interested in my Xbox Live info since I had a credit card attached to it. Once the hacker has access to your Origin account, your Xbox Live gamertag is on display when they log into Origin and view your profile, and most likely they just check if you were stupid enough to use the same password for both Origin and Xbox Live, like I was.

I doubt they could have brute forced my password. It was very complex. My gut just says something isn't right at EA.

#26  Edited By Funkydupe

My gut just says something isn't right at EA.

People have been saying that for ten years now.

#27  Edited By mindatlarge

@Funkydupe: Haha, tru dat! I still want my NFL 2K back :(

#28  Edited By swoxx

I have an entire data center dedicated to changing all my account passwords across the interwebs every 5 seconds, I think I'm safe.

#29  Edited By Mirado

@TyCobb said:

@Mirado: I have looked at that before. I just could never pull the trigger on it because it's someone else holding on to my information and I don't want someone else with the keys to my castle. It's one of those things of putting all your eggs in one basket. KeePass is very secure. Especially if you use a master password and Key file with 100,000,000 key transformation rounds, but I still can't bring myself to just put it on DropBox even though it is only installed on 1 computer and everything is private.

I'll probably break down and sign up for it because I am sure there will be a time I wished I had.

Well, it's an inherent tradeoff. LastPass has been very forthcoming with any sort of security issues (when they detected even the slightest amount of abnormal traffic, even though they couldn't say for certain if anything was even accessed, they made sure to have everyone change their master passwords), and while I agree it isn't as safe as a locally stored (and as you point out, incredibly secure) KeePass setup, there's such an inherent inconvenience built in that I feel the trade off is worth it. KeePass barely integrates with anything, and while my setup may be atypical, I have Macs, PCs, and phones which all use sites that have LastPass generated passwords and I'd lose my mind if it wasn't as built in as it is.

I guess it comes down to this for me: even though I am putting my eggs in one basket, I've taken steps to mitigate what would happen if LastPass fails. I only use one card which ties into my bank account and they're paranoid enough that even my normal transactions sometimes get flagged (which is a bit of a pain, but better than the alternative), so if there's a breach, one call locks everything up (and they have great service when it comes to refunding fraud). If I had multiple distributed accounts that I didn't check very often or are a pain to shut down or recoup losses, I can see perhaps being even more paranoid than I am.

But at some point, a site is going to get breached, they're going to get your CC info and all the local security in the world isn't going to save you. I'll take the fairly secure convenience of LastPass over the absolute, pain in the ass security of KeePass.

#30  Edited By mindatlarge

Just an update, the Microsoft refund for $124.98 went through. I'm actually pretty impressed with how they handled my situation and how fast they got my money back to me. They don't seem to be ing around.