Xbox Hacking

So it seems it has been happening for a while, but it is still occurring, but not getting much press it seems. The xbox hacking / microsoft points stealing / Fifa 12 playing problem has been a thorn in my side the past couple weeks.

I logged on to see I had lost 3,000+ MSpoints, and that I had played and got 2 achievements in Fifa 12, which I have never played a fifa game in my life. It also informed me that my profile had last been logged into a previous location. So I called microsoft, and they were open to admitting that this happens, and suspended my account, looked into it, gave me my points back and let me have my account back. The whole thing took a few days, and was all solved.

I chalked it up to "Shit happens", and they did a great job helping me and getting it back, so I wan't too upset by it. They told me they fixed it, and forced a password change on me, and to take it one more step further, I put one of those "click buttons on your controller to log into live" just to be safe.

Advance to one week later (today) I seem to have logged into my profile in another location, my 3,000 points were stolen again, I had one more Fifa 12 achievement, and this time, was getting messages from, I assume, the people who hacked me.

Back on the xbox support line (less happy about it this time) they told me the same things they said last time, they were going to suspend my account and investigate. When I asked if there was any information about this like "why is it always fifa" "what can I do to stop it" and "how can they keep hacking your system" they all said "i dont know, it just happens" which is nice to hear.

I am sure this has been talked about at length in these, and many other's sites, forums, but I figure I would tell one more tale about it to maybe get everyone to think about changing their windows LIVE ID (as they said to me on the phone that this is where the attack is coming from) and maybe cycle your passwords.

Good luck out there.

Damn that sounds like a bummer dude. Luckily it hasnt happened to me yet but it does make me want to take my credit card info off of my account. Apparently its a bitch to take your credit card info off though. I dont expect an article on this site about any problems with the 360 though because you know.

The hacks involve FIFA because they are buying some kind of virtual trading cards in that game that they then resell on ebay or similar.

That's what someone on a different message board said, makes sense to me.

Sounds like a great way to make money! Best part is, when Xbox says they fixed it, they didn't really do anything. We will see what happens when this all gets solved, maybe we can try for round 3.

Yeah, taking your credit card off the xbox might not be a bad idea if you can navigate that mine-field. I am going to dis-connect my paypal account right now.

@laserbolts said:

Damn that sounds like a bummer dude. Luckily it hasnt happened to me yet but it does make me want to take my credit card info off of my account. Apparently its a bitch to take your credit card info off though. I dont expect an article on this site about any problems with the 360 though because you know.

Patrick has written a couple of different articles talking about this.

Considering this issue is one of social engineering/phishing (and not about how secure the Live service is), it would be pretty difficult to prevent aside from Microsoft training their customer support staff to be more strict/telling Xbox live subscribers to be more careful in the way they use the internet/respond to e-mail requests, etc.

@PeasantAbuse said:

@laserbolts said:

Damn that sounds like a bummer dude. Luckily it hasnt happened to me yet but it does make me want to take my credit card info off of my account. Apparently its a bitch to take your credit card info off though. I dont expect an article on this site about any problems with the 360 though because you know.

Patrick has written a couple of different articles talking about this.

Beat me to it. Patrick has written numerous articles about this and even interviewed someone at Microsoft about it. Seems like you're just willfully ignoring those or never visit the front page.

I'm sympathetic to anyone hit by this kind of bullshit. Microsoft seems to be getting off pretty light on this matter. It seems to me that this is as big a deal as the whole PSN debacle of last year. There seems to be alot more actual money being lost by this scam than the Sony one.

Advance to one week later (today) I seem to have logged into my profile in another location, my 3,000 points were stolen again, I had one more Fifa 12 achievement, and this time, was getting messages from, I assume, the people who hacked me.

So what did those messages say?

Also, I thought that it was confirmed that Live's login screen being too lax (allowing up to 8 password retries) and the victim having weak passwords were the causes to this problem. @PencilBastard How strong were your passwords? How many digits and did you try to mix it up with symbols, caps, and numbers?

@WilliamHenry said:

@PeasantAbuse said:

@laserbolts said:

Damn that sounds like a bummer dude. Luckily it hasnt happened to me yet but it does make me want to take my credit card info off of my account. Apparently its a bitch to take your credit card info off though. I dont expect an article on this site about any problems with the 360 though because you know.

Patrick has written a couple of different articles talking about this.

Beat me to it. Patrick has written numerous articles about this and even interviewed someone at Microsoft about it. Seems like you're just willfully ignoring those or never visit the front page.

Or I never visted the site when this stuff was on the front page. But thanks for correcting me just as someone else has. Really serves a purpose.

@laserbolts said:

Damn that sounds like a bummer dude. Luckily it hasnt happened to me yet but it does make me want to take my credit card info off of my account. Apparently its a bitch to take your credit card info off though. I dont expect an article on this site about any problems with the 360 though because you know.

friend had problems.. what he did was give microsoft customer care a call,,, talked to someone for about 5 minutes and had his card info removed and was also the only way to cancel live without actually being on the xbox : /

Microsoft should really just add more security measures that a person needs to know in order to get a password reset over the phone. Multiple security questions or unique pins or something.

That way someone doesn't call, guess correctly that you said Smith for morher's maiden name, and get access to your account.

well that sucks. it's one reason why i removed my credit card from my account. i did it right before you had to call them to remove it. good stuff man.

password should be, Capital letter, Number, Symbol, 5 lower case letters/numbers Capital Letter, Symbol. your hacking problems fixed.

@Monopolized said:

password should be, Capital letter, Number, Symbol, 5 lower case letters/numbers Capital Letter, Symbol. your hacking problems fixed.

Or really a random sentence would do.

I agree that it is strange that Microsoft isn't getting as much heat for this the way Sony took heat for the whole PSN debacle(I've read Patrick''s articles). But then again, alot of this can be chalked up to user error more than anything else. Stuff like this makes me glad my account doesn't have a CC linked to it and I'll continue to buy those cards whenever I can.

@YoThatLimp: Strangely, some sites/services restrict spaces in passwords... quite frustrating.

That sucks duder ... a month ago I re made my password , also cancelled my gold , because last year I didnt even used it :/ but also after reading this I took down my CC info .... I fear for my CC info even more now that my economics isnt in all time high , I cant aford to have "unwanted expenses". Also friggin hackers why screw the lil guys :(

Seems I start to hate MS more and more. I kinda hope it happens to me so I can sell my Xbox and get a PlayStation, but I hardly play consoles, so I couldn't care less. Just something to tell you to go PlayStation next cycle.

@ShaunassNZ said:

Seems I start to hate MS more and more. I kinda hope it happens to me so I can sell my Xbox and get a PlayStation, but I hardly play consoles, so I couldn't care less. Just something to tell you to go PlayStation next cycle.

That seems unnecessarily hateful against Microsoft for no good reason, they were helpful when he was hacked the first time. And it sounds like he only did the minimum required changes to protect his account after being hacked, which really isn't enough. It sucks that he were hacked twice and that Microsoft were less helpful the second time, but they a good job getting him his account and points back in a few days, which is more than what you should expect from pretty much any company most of the time.

When you're hacked I would advise people to get a new Email address and a new password, also use different Emails for different things so random sites don't get your email address for your Xbox LIVE account.

@laserbolts said:

Apparently its a bitch to take your credit card info off though.

It's the worst

@laserbolts said:

I dont expect an article on this site about any problems with the 360 though because you know.

Uhm.

Number 1

Number 2

Anyway, yeah, sucks that this is happening. :/

@spazmaster666 said:

Considering this issue is one of social engineering/phishing (and not about how secure the Live service is), it would be pretty difficult to prevent aside from Microsoft training their customer support staff to be more strict/telling Xbox live subscribers to be more careful in the way they use the internet/respond to e-mail requests, etc.

This. Stronger passwords, people.

@ShaunassNZ said:

Just something to tell you to go PlayStation next cycle.

Because Sony's done an excellent job protecting their customer's information this console cycle.

@Grimluck343 said:

@spazmaster666 said:

Considering this issue is one of social engineering/phishing (and not about how secure the Live service is), it would be pretty difficult to prevent aside from Microsoft training their customer support staff to be more strict/telling Xbox live subscribers to be more careful in the way they use the internet/respond to e-mail requests, etc.

This. Stronger passwords, people.

@ShaunassNZ said:

Just something to tell you to go PlayStation next cycle.

Because Sony's done an excellent job protecting their customer's information this console cycle.

Did Sony care? Yes. Did Sony do something about it? Yes. Did Sony try their hardest to fix the issue so it won't happen again? Yes. Is it holding up? So far, yes. Now replace Sony with Microsoft, the answers will be different.

@ShaunassNZ said:

@Grimluck343 said:

@spazmaster666 said:

Considering this issue is one of social engineering/phishing (and not about how secure the Live service is), it would be pretty difficult to prevent aside from Microsoft training their customer support staff to be more strict/telling Xbox live subscribers to be more careful in the way they use the internet/respond to e-mail requests, etc.

This. Stronger passwords, people.

@ShaunassNZ said:

Just something to tell you to go PlayStation next cycle.

Because Sony's done an excellent job protecting their customer's information this console cycle.

Did Sony care? Yes. Did Sony do something about it? Yes. Did Sony try their hardest to fix the issue so it won't happen again? Yes. Is it holding up? So far, yes. Now replace Sony with Microsoft, the answers will be different.

Sure, let's replace Sony with Microsoft. Did Xbox Live get hacked? No. See! That easy.

@Grimluck343 said:

@ShaunassNZ said:

@Grimluck343 said:

@spazmaster666 said:

Considering this issue is one of social engineering/phishing (and not about how secure the Live service is), it would be pretty difficult to prevent aside from Microsoft training their customer support staff to be more strict/telling Xbox live subscribers to be more careful in the way they use the internet/respond to e-mail requests, etc.

This. Stronger passwords, people.

@ShaunassNZ said:

Just something to tell you to go PlayStation next cycle.

Because Sony's done an excellent job protecting their customer's information this console cycle.

Did Sony care? Yes. Did Sony do something about it? Yes. Did Sony try their hardest to fix the issue so it won't happen again? Yes. Is it holding up? So far, yes. Now replace Sony with Microsoft, the answers will be different.

Sure, let's replace Sony with Microsoft. Did Xbox Live get hacked? No. See! That easy.

Oh I see, was anybody's money touched? No reports there, whereas Xbox's moondollars get fucking used and you have wait to get them back by talking to their crap CS. Oh, and it happens multiply times to people. The PSN deal was bad, I agree, but it just meant people had to go without their PS3 for a bit, big fucking deal. It hasn't happened again, and I would rather that happen than having to deal with getting my points back every time. And Microsoft obviously don't give a shit, they haven't bothered trying to fix it or talk about it.

@ShaunassNZ said:

And Microsoft obviously don't give a shit, they haven't bothered trying to fix it or talk about it.

Let's try this one more time: it isn't an issue for Microsoft to fix. Microsoft can't fix users using shitty passwords, nor can fix people continuing to use shitty passwords with the same email address after they restore someone's account. Make sense now?

@Grimluck343: Ah, no. It's to do with FIFA '12. If it's shitty passwords, then it would happen on any service, right?

@ShaunassNZ said:

If it's shitty passwords, then it would happen on any service, right?

We're making progress!

@Grimluck343: Yeah, and it doesn't.

@ShaunassNZ said:

@Grimluck343: Yeah, and it doesn't.

By "it doesn't," do you mean that no other service suffers from hacked accounts due to poor passwords? If so, we've taken several steps back again. I'll just leave you with your tinfoil hat.

@Grimluck343: What I'm saying is, people's accounts don't get hacked as frequently on other services. Oh, and I like how you didn't acknowledge me mentioning that it's FIFA and not shitty passwords.

@YoThatLimp said:

@Monopolized said:

password should be, Capital letter, Number, Symbol, 5 lower case letters/numbers Capital Letter, Symbol. your hacking problems fixed.

Or really a random sentence would do.

Indeed, random sentences are actually harder to hack. Just putting in symbols, numbers and caps can be cracked in seconds.

@ShaunassNZ said:

@Grimluck343: What I'm saying is, people's accounts don't get hacked as frequently on other services. Oh, and I like how you didn't acknowledge me mentioning that it's FIFA and not shitty passwords.

Then you aren't paying attention. Just look at WoW or virtually any other major service that people have something to gain by hacking. It happens all the time, and MS actually have some really good security. Their password recovery system perhaps had some holes, but I'm not sure how you can compare that to Sony, who's entire service was brought down, which possibly involved them losing a ridiculous amount of personal details.. and they took a week to tell us that it happened.

@Grimluck343: What I'm saying is, people's accounts don't get hacked as frequently on other services. Oh, and I like how you didn't acknowledge me mentioning that it's FIFA and not shitty passwords.

@N7: It looks like I've stumped him anyway.

@Grimluck343 said:

@ShaunassNZ said:

And Microsoft obviously don't give a shit, they haven't bothered trying to fix it or talk about it.

Let's try this one more time: it isn't an issue for Microsoft to fix. Microsoft can't fix users using shitty passwords, nor can fix people continuing to use shitty passwords with the same email address after they restore someone's account. Make sense now?

People have shitty passwords on their PS3 accounts, too, but these kinds of hacks only happen with 360 accounts. There clearly IS an issue on MS's side and apparently it has something to do with a certain login issue on xbox.com that makes brute force attacks extremely easy.

@CptBedlam said:

@Grimluck343 said:

@ShaunassNZ said:

And Microsoft obviously don't give a shit, they haven't bothered trying to fix it or talk about it.

Let's try this one more time: it isn't an issue for Microsoft to fix. Microsoft can't fix users using shitty passwords, nor can fix people continuing to use shitty passwords with the same email address after they restore someone's account. Make sense now?

People have shitty passwords on their PS3 accounts, too, but these kinds of hacks only happen with 360 accounts. There clearly IS an issue on MS's side and apparently it has something to do with a certain login issue on xbox.com that makes brute force attacks extremely easy.

Thank you, someone who gets what I'm saying.

@CptBedlam said:

People have shitty passwords on their PS3 accounts, too, but these kinds of hacks only happen with 360 accounts. There clearly IS an issue on MS's side and apparently it has something to do with a certain login issue on xbox.com that makes brute force attacks extremely easy.

You're right, in the entire history of the PS3 not a single account was ever compromised! That's a real great achievement on Sony's part.

You know what else makes brute force attacks really easy? Shitty passwords.

@ShaunassNZ said:

@Grimluck343: What I'm saying is, people's accounts don't get hacked as frequently on other services. Oh, and I like how you didn't acknowledge me mentioning that it's FIFA and not shitty passwords.

Last response before bed.

Saying that people's accounts don't get hacked as frequently on other services is just patently false. One, you have no idea how many XBL accounts have been hacked so you have no quantitative way of comparing that number to hacked accounts on other services. Simply saying "I've seen at least a dozen posts in forums! That seems like a lot!" isn't proof of anything. Secondly, have a look at MMOs. Warcraft accounts get hacked everyday and no one goes screaming bloody Mary at Blizzard saying "oh shit, Blizzard got hacked!" No, it's usually a piece of malware or poor password/browsing habits. Keep in mind, a lot of people with XBL accounts access their accounts through xbox.com where malware and phishing scams can also come into play.

Now, on to your second point. The reason I didn't mention your Fifa argument is because I have no idea what you're trying to say. The entire point of this is that people who don't play Fifa have their accounts hacked and end up with random Fifa achievements. Now think about this for a second. If I wanted to hack a large number of accounts for my own personal gain, what would I do once I hack those accounts? I'd use the credit card on file to purchase something that I can sell for real world money outside of the game. Hence, Fifa with it's bizarre second party sales on eBay. Again, this happens in MMOs all the time. A gold seller gets a hacked account, moves all the gold off of that account into an account the gold seller possesses, then sells that gold for real world money.

Did you notice anything in that wall of text? Not once did the explanation for why this is happening include XBL getting hacked. Because it hasn't been. The reason, as I've stated from the beginning, is due to the user. Are there things that Microsoft could do to make it harder for accounts to get hacked? Sure. Does it suck to have to talk to customer support? Yup. Is it Microsoft's fault accounts are getting hacked? Not really. This is business as usual in a online services based industry.

Anyways, done explaining this in yet another thread (I'm just going to copy this and paste it when another one of these threads show up). If you're still convinced Microsoft was hacked and it's just been the greatest cover up in tech industry history, by all means more power to you and have a great rest of the morning.

@Grimluck343 said:

If you're still convinced Microsoft was hacked and it's just been the greatest cover up in tech industry history, by all means more power to you and have a great rest of the morning.

No one claimed that the xbl network itself was hacked. But that doesn't mean it's not an issue on MS's side. You should read up on this topic before you continue spewing nonsense.

Again: Not a single reported Fifa-related hack with PS3 accounts despite Fifa's popularity in PS3-land (Europe) and despite PS3 users not having better passwords.

http://www.analoghype.com/video-games/xbox-360-video-games/xbox-live-vulneribility-exposed-microsoft-ignored-the-truth/

http://www.eurogamer.net/articles/2012-01-13-is-this-the-hack-used-to-exploit-xbox-live-accounts

http://www.eurogamer.net/articles/2012-01-16-xbox-live-fraud-xbox-com-security-secretly-tightened-report

@Grimluck343 said:

@CptBedlam said:

People have shitty passwords on their PS3 accounts, too, but these kinds of hacks only happen with 360 accounts. There clearly IS an issue on MS's side and apparently it has something to do with a certain login issue on xbox.com that makes brute force attacks extremely easy.

You're right, in the entire history of the PS3 not a single account was ever compromised! That's a real great achievement on Sony's part.

You know what else makes brute force attacks really easy? Shitty passwords.

Learn to read.

Then you aren't paying attention. Just look at WoW or virtually any other major service that people have something to gain by hacking. It happens all the time, and MS actually have some really good security. Their password recovery system perhaps had some holes, but I'm not sure how you can compare that to Sony, who's entire service was brought down, which possibly involved them losing a ridiculous amount of personal details.. and they took a week to tell us that it happened.

@CptBedlam said:

@Grimluck343 said:

If you're still convinced Microsoft was hacked and it's just been the greatest cover up in tech industry history, by all means more power to you and have a great rest of the morning.

No one claimed that the xbl network itself was hacked. But that doesn't mean it's not an issue on MS's side. You should read up on this topic before you continue spewing nonsense.

Again: Not a single reported Fifa-related hack with PS3 accounts despite Fifa's popularity in PS3-land (Europe) and despite PS3 users not having better passwords.

http://www.analoghype.com/video-games/xbox-360-video-games/xbox-live-vulneribility-exposed-microsoft-ignored-the-truth/

http://www.eurogamer.net/articles/2012-01-13-is-this-the-hack-used-to-exploit-xbox-live-accounts

http://www.eurogamer.net/articles/2012-01-16-xbox-live-fraud-xbox-com-security-secretly-tightened-report

Did you even read what you linked?

The script would batch run a list of potential password, which anybody can find online with a simple Google search.

Funny how this keeps coming back to shitty passwords. Like I said in my last post, there are steps Microsoft can take to make this process harder for the hacker (like limiting failed login attempts), but even with that this is still going to be an issue as long as people don't take their account security seriously.

@N7: I did just mean that the hack was so bad the service had to be brought down, not that the hackers did it.

But yeah, no matter what happened in the end, that was a very bad situation for Sony that was handled poorly by them. I'm not the biggest fan of XBL, but I don't see how this situation comes close to matching that. It just seems like there's been a lot of fishing scams, and people with poor passwords. MS have still tightened their security measures over this too.

@Grimluck343 said:

@CptBedlam said:

@Grimluck343 said:

If you're still convinced Microsoft was hacked and it's just been the greatest cover up in tech industry history, by all means more power to you and have a great rest of the morning.

No one claimed that the xbl network itself was hacked. But that doesn't mean it's not an issue on MS's side. You should read up on this topic before you continue spewing nonsense.

Again: Not a single reported Fifa-related hack with PS3 accounts despite Fifa's popularity in PS3-land (Europe) and despite PS3 users not having better passwords.

http://www.analoghype.com/video-games/xbox-360-video-games/xbox-live-vulneribility-exposed-microsoft-ignored-the-truth/

http://www.eurogamer.net/articles/2012-01-13-is-this-the-hack-used-to-exploit-xbox-live-accounts

http://www.eurogamer.net/articles/2012-01-16-xbox-live-fraud-xbox-com-security-secretly-tightened-report

Did you even read what you linked?

The script would batch run a list of potential password, which anybody can find online with a simple Google search.

Funny how this keeps coming back to shitty passwords. Like I said in my last post, there are steps Microsoft can take to make this process harder for the hacker (like limiting failed login attempts), but even with that this is still going to be an issue as long as people don't take their account security seriously.

1. Did you understand it? There IS an issue on MS's side. They are making it easy for brute force hackers with the poorly secured login system on xbox.com. Also, MS publicly refuses to acknowledge any fault on their part, yet they still quietly reacted to the report.

2. Funny how this hacking wave is not happening on the PS3 despite the same shitty passwords. FIfa12 has the same "gift stuff to other accounts"-functionality on the PS3 and it is way more popular in Europe - Sonyland.

@N7 said:

@WinterSnowblind: Indeed. Sony's whole network was intruded upon, whereas this is a case-by-case incident targeting specific users. It's a world apart.

Unfortunately, it seems that the many xbl hacking cases did more damage to their users in the end than the PSN getting hacked.

@PencilBastard said:

Sounds like a great way to make money! Best part is, when Xbox says they fixed it, they didn't really do anything.

The problem was someone had your login details and took your moon bucks, they fixed it by refunding the space $ and resetting your password (maybe the locked out the xbox or ip that used it we don't know). Then someone got your password again.

Get a better password, check your computers for malware and av and check your security questions on your linked windows live id that's the problem that needs fixing and ms can't do anything about that.

(although they do need better systems to cope with this crap when it happens)

Yeah, I got hit once myself even before FIFA was released. I removed my CC information, cancelled that card and got a new number, and did the same on PSN. I changed my passwords, too to something I don't use on other accounts. Its just not safe anymore, that is if it ever was.

@N7 said:

@CptBedlam: n... why don't they just shut it down and make sure this doesn't happen to anyone else?

Well, XBL itself isn't the problem so shutting it down would unnecessarily anger millions of unaffacted users. But MS needs to get their shit together with Xbox.com if that's the weak link. Before the report linked above appeared, it was possible to infinitely try out new passwords without getting asked a captcha code or something - brute force paradise ...just leave the bots running 24/7. That's just careless and clearly a fault on MS's side. Apparently they made some changes so we'll have to wait and see if the number of hack cases goes down in the next few weeks.