Hey, has your Xbox Live account been hacked/FIFA'd? Post here!

Just got Fifa'd. I don't even own that fucking game. Pretty sad that MS still hasn't fixed this. Now my account is locked. This is the last straw for the xbox.
 
When I bought Battlefield 3 and went to log onto Battlelog I saw that my ea.com user name was something I didn't recognize. It's a name I have never heard of, so my suspicion is that somebody changed it.

Now I would have created that account years ago, and probably haven't checked anything on it in several years. So it's entirely possible that I just called it something random when I first signed up and completely forgot about it.

It's still attached to my current email address and my current gamertag. I haven't noticed any purchases made through EA or through Xbox.

I haven't kept up to date on this stuff. Should I be worried? What should I be looking for?

I changed my EA/Origin password, and my email password has been changed several times in the last year and I use 2-step verification. I don't own and have never played FIFA '12. Again, I haven't noticed any activity that I myself have not done (but I could have missed something).
 

surly

Banned
It's ridiculous that this is still going on. Surely they can be more proactive, instead of only taking action after someone's account has been compromised? It hasn't happened to me and I hope it doesn't, but it sucks to lose your account for a month or so at any time, never mind during the Christmas holidays.
 

Sephon

Member
-The date it occurred
-Your "damages" (points spent, games played you don't own, etc.)
-Your current situation with MS (if your account is suspended, under investigation, etc.)
-If you have an EA account of any kind, or have played any EA games in the past few months
-If your password, to your knowledge, was a unique one between your EA and MS account.
-How old your Gamertag/Live account is, and
-Your compensation, and whether it's been resolved or not.
-If your security question was changed, and if so, whether the new answer has Chinese characters.
-Did you have the 4-button security pass code enabled for your account? (thanks ukresistance!) (also can anyone confirm if this passcode is local console only or tied to the account?)
- 25th & 27th of november
- They bought around 13000-15000 MS points (apparently they bought FIFA for the MS points, should be some more games though since FIFA should only be 30-50% of the total amount, but English is not my native language so I didn't enquire too much)
- Suspended and under investigation
- I have an EA-account, probably same password
- I've had my account for about 5-6 years, same since xbox 360 was released
- No compensation yet due to not resolved
- Unfamiliar with security questions, do we have that on 360?
- I added the 4-button security password after the hack
 

sonicmj1

Member
Do they remove the Fifa 12 Achievements from your profile?

I'm so paranoid about this shit that I drained my MS Points down to 80 and I'll only add more when there's something I really want to buy. Gone are the days of happily sitting on a 4000 point balance and making purchases with them on a whim.

Whoever hacked my console didn't play Fifa 12, but Gears of War 3 is still on my profile from the hack, the content he bought is still in my purchase history, and I have 0 points in my account (in direct contradiction to the email I received from MS).

I want those points back.
 
It took 5 days (after I got access to Live) and several phone calls to get my full refund. Definitely ring up support.

On a side note, I've played so many games on the 360 in the past few weeks so those fucking Fifa 12 achievements are pretty buried and out of sight now. I wish I could delete them, but whatever. That shit still irks me if I see it for a second and remember that it messed with my achievement stats.
 

sonicmj1

Member
Yeah. I didn't have my points yet, so I called them now to ask about it. First, my support guy was shocked I got my account back so fast. I'm apparently a real rarity.

Secondly, I probably won't get my points back until the next billing period, which just happens to come around on the 18th of every month. So I guess I'm boned there.

Kinda sucks, but at least I can play Street Fighter with my friends if I want to.
 
Just got hit by this too.

How the hell do you check your secret question? Dear lord MS's UIs are horrible.

-12/24 at around 1:00am
-5600 points bought. Don't see any new games in the history but they spent all the points I had (which was only about 800 or so) on FIFA stuff.
-Haven't called MS as of yet, just been busy with holiday stuff this morning. I did change my password and lock down my account from other consoles though.
-Checking now, it looks like I had an unbound EA account with the same username and password as XBL. Last played EA game was the PC BF3 beta, on a different account.
-Live account is about 5 years old.
-I have no idea how to check this because it's certainly not obvious anywhere I've looked (in the xbox interface itself, on the XBL live site, and on the general windows live site).
-No passcode.
 

Curufinwe

Member
Is there a hashtag people use when they talk about these hacks on Twitter? I just saw Stepto smugly talking about how terrible Go Daddy is on Twitter, and felt like replying with something about how he should get his own house in order before publicly criticizing other tech companies.
 

Seda

Member
I was just hacked.

Or I just noticed it anyway. I left for home on Friday, Dec 23, leaving my Xbox locked in my apartment. I spent the weekend pretty much completely away from my computer. Today I actually noticed on Twitter some automatic tweets (from Raptr) saying I gained two achievements in Fifa 12. The first thought that crossed my mind was that my Xbox was stolen. I then promptly checked Xbox.com, and I see that all my points were gone (about 7000 points). Someone had purchased several Premium Gold Jumbos, Gold Player Premiums, and Silver Packs on Christmas.

-Apparently happened on 12/25/2011
-6,960 points spent on the aforementioned. Appears as though somebody played Fifa 12 on my account.
-I have not called Microsoft yet.
-Apparently I do have an EA account, and it actually did have the same password as my Windows Live ID. I don't even remember making the account, but there it was. This is probably the culprit.
-Gamertag is between 3 and 4 years old.

I gained a lot of those points by abusing some free promo a few months back (I honestly forget what it was exactly, there was a GAF thread for it) and for this reason I am hesitant to contact Microsoft. I have heard a few horror stories on how Microsoft can cause more damage than good. Although my credit card info is on my Xbox, it doesn't seem like any points were purchased.

I might just not call MS and accept my point losses. I can log into xbox.com without problems.

I just hope logging in on my xbox at home works smoothly. I can't check it out for about a week.

I changed my email and password, and now my EA account has a different password.
 
Support honored my approximately $70 in promo MS points out of the $75 stolen from me. I just had to explain that they were from T-Mobile. It took them like 10 minutes to check that it was from a loophole on an official promo and not something sinister. The Xbox Exceptions Analyst was initially a little combative in his confrontation about the points, but I explained the promo and once he was able to confirm it for himself he eased up. He said they'd honor the loophole. I guess he initially thought he caught a hacker/scammer or something, trying to waste his time or to cause damage to them. Or maybe he thought that the "promotion" I was talking about was a fraud and the root of the phishing. He seemed a bit in disbelief that I was telling the truth and that it was a legit site/promo. You'd think that the higher-ups at Xbox support would have known about big MS Point promotions like that. I'm just a decent person who has easily spent over $10,000 on your company's gaming platforms and finally got a chance to be part of a nice little promotion error scoring me $70 (that I was robbed of).

That was just my experience though. I don't know if honesty would work with every support rep or if they'd even give you a chance to explain how you obtained the promo points. It probably helped that I got a rep through the BBB. So good luck if you do contact support. Those were your points even if it was a promotion error. It's not right for them to be stolen.
 

Tobe

Member
Got hacked, probably by some local dude that I know. He was trying to sell an XBL year sub for 50 bucks when Amazon and Newegg had better deals; I confronted him and the dude got mad (this happened on the internet). I know for a fact this dude sells stolen points, and he is also a FIFA player.

-12/29/2011
-2000 msp on fifa12 packs
- Chatting with them right now since I can't call them from Peru :/
- Had an EA account, probably same password as my XBL one; I've changed my password and question already
- XBL account is about 2 years old

Edit: so I finished chatting with support, they told me it would be OK to call in February (that's when I'm going to the States), and they gave me a confirmation number just in case. Pretty upset but not that much really since the points were from the T-Mobile loophole.
 

Quote

Member
So they refunded my money and unlocked my account yesterday (This all happened on 12/12/11).

The only issue is they moved my account to a temporary service email ID, sr#######@hotmail.com, and my real Windows Live ID has some blank Gamertag attached to it, so I can't move my Gamertag over to my real WLID. I called them up last night and they suggested I make a new blank WLID to move the blank Gamertag off of, but apparently you can't move Gamertags to a WLID that is not older than 30 days. So now I have to wait 30 days to move everything around.

The first compensation they gave me was a free month of Live, but after calling them last night and obviously being a little upset that this won't be over for another 30 days they gave me another month of Live.
 

Gamejunky

Member
I think I'm in the middle of a hack attempt. I was just playing Sonic Generations when it signed me out saying I was signed in on another console. I signed in immediately, then it happened again. I just quickly changed my password; what else should I do?
 
Crazy that this is still happening.

Anyway, in answer to your question. Check your secret question to make sure it hasn't been changed and check your email account that's associated with the GT, might also be a good idea to change your password and secret question again after you've checked your email account.
 

Gamejunky

Member
My email and secret question are still the same, and since changing my password I haven't been signed out again. Still nervous however, as I have no idea how my account was compromised. Hoping I just got lucky that I was online at the time the hack was taking place.
 
Yeah, change your secret question just in case. Also change your email password and change the XBL password once more. Do you have a CC attached to the account? If yes, get it removed ASAP.

Might seem like overkill, but you can't be too careful and the investigation period is such that if your account were to be compromised again and you weren't online, you'd be without XBL and quite possibly a large amount of money for upwards of a month.
 
Not sure if this was posted yet, but a co-worker of mine was hacked over the weekend. He also used a 17 character unique password that was never used anywhere else.


Here's a post he made about it on a different forum:

http://forum.beyond3d.com/showpost.php?p=1609811&postcount=104

Here's the important thing to note:

After I discovered the fraud, I took a look at http://www.xbox.com/security and found that, by default, profile logins from other consoles are not authenticated by password. This means that, should a hacker find a way to download your profile, he has full access to it without knowing your password.

It's true, you can see it yourself directly on Microsoft's website:

[screenshot of the xbox.com/security settings page]


I'm inclined to agree with him that there is some sort of backdoor allowing people to gain access to others' profiles without a password. I can pretty much guarantee you that if you have a 17 character password that has never been used anywhere else, then the hackers got in without your password.

Bottom line - if they can get your profile on their console, it's game over even if you change your password.
 

Manp

Member
That sure works. I tried to force a profile redownload on all my consoles (it says right on xbox.com that it has immediate effect) and guess what? I can log in just fine without having to redownload anything or put in any passwords... pfff

profile protection my ass
 

Brandon F

Well congratulations! You got yourself caught!
Friend of mine just got hit. His account switched to UK, Fifa 12 his most recent game played.

Same exact MO as my account hack back in September, all these months later and it is still happening. Awesome!
 
The only efficient protection is

- don't leave ms points hanging around
- don't save payment information. E.g. use an "empty" credit card to replace the one(s) you actually use
- don't use paypal (it saves every information needed, thus invalidating any advantage paypal may give, like additional passwords, 2-step verification, etc.).

If you need ms points, buy a code online, redeem it, and use every point left. So even if you get hacked, there's nothing for those scumbags to do.

Fifa on the 360 is a plague. I play it every day, and every day I get phishing messages.

By the way, does anyone know if it is now possible to change the ID and email tied to the live account? Prior to the dashboard update it didn't work.
 
My account got Fifa'd on the 20th of December.

I didn't notice until I logged in on the 26th and noticed my remaining MS points balance had gone from 7990 to 10 :|

The CSR I was speaking with said that she would be able to keep my account open, however, it had to be locked for 30 days and I was given a 30 day subscription code.

I've never even played a Fifa game. What a crock. Fix this MS.

Yes, you can change your email.

I was forced to change my email and password. Not sure if you can do it on the xbox, but you can do it through a regular web browser.
 

Curufinwe

Member
That's all good advice and it's how I roll now. I used to like having a nice, big balance of points in my account and being able to buy stuff on a whim, but MS no longer have that type of customer in me since I can't be sure that their platform is secure.
 
- don't leave ms points hanging around

This is a hard one. I love keeping $50+ at any given moment on my account in preparation for XBLA games and DLC. I stock up on 4000 MS Point cards when they're on sale. I guess I'll switch to buying the 1600 cards and only redeeming them when I know I can spend the majority of the points.

I've been changing my email and password like crazy lately. I doubt that's really doing anything to protect me. I just hope I've been crossed off the thieves' list for good and that they're not planning round two.
 
Wait, the recover profile without a password doesn't make sense. I bought a new 360 late Nov and had to enter my password to download my profile.
 
Yea, that's why I mentioned a potential backdoor. There is simply no way people are brute forcing a 17 character password that is both strong and unique across all other accounts. Not happening.

So it stands to reason that they are SOMEHOW getting in without entering a password at all.
 
Which leads me to believe that CS are in on this or are being tricked into handing over details.

I wouldn't be surprised if it was the former, although I'm leaning toward it being the latter.
 

Gamejunky

Member
I haven't had any other problems since yesterday, been keeping a close eye on my account. Although I definitely don't feel safe and hope that whatever this exploit is, it'll be fixed soon.
 

TomServo

Junior Member
Same here.

Current points balance is 20 ($0.25) and no payment info is attached to the account.
 
If you know some personal details about the account owner, you could phone MS CS and just ask for the password.

That's why I always said this is not a hack. Live security isn't compromised. The problem is someone is giving out passwords and/or information.

What kind of question does Ms ask when you call them because you forgot your password/email? How do they check it's actually you?
 
Can support give out your current password over the phone? I assumed that they'd force a user to change it if they called support for help accessing an account. My password was left unchanged when it was accessed by the thief. It really boggles my mind if the thief somehow brute forced my password.
 
Then why is it happening in large batches? Go look at twitter, it was relatively quiet and then now over the weekend there's an explosion of new people talking about Xbox live hacks. You think that Customer Service didn't think it was weird when thousands of people called up on the same day asking to reset their passwords? You don't have an operation of this size where a person has to manually call someone up on the phone and talk to them. It's scripted and automated.
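
The poster's point is that the timing looks scripted: many accounts hit in one burst, often from the same place, with points spent minutes after the sign-in. That is also what a platform's fraud team would look for in its own logs. The block below is an added example written for this page, not Microsoft's detection logic and not code from anyone in the thread; the log format, field names, thresholds and the sample lines are all invented for illustration. It runs three rules over a constructed audit log (a console that signs into several accounts inside an hour, a purchase shortly after a sign-in from a region other than the account's usual one, and a purchase from a different console right after the owner's own session was kicked, the sign-out Gamejunky describes) and then clusters the hits in time to surface a batch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (invented lines; field names are assumptions).
# One attacker console, C-9f3, works three accounts in fifteen minutes;
# alice's own console is kicked off mid-session.
SAMPLE_LOG = """\
2011-12-24T00:40:00 alice signin console=C-home region=US
2011-12-24T00:58:00 alice signin console=C-9f3 region=UK
2011-12-24T01:02:00 alice kick console=C-home region=US
2011-12-24T01:05:00 alice purchase console=C-9f3 region=UK points=5600
2011-12-24T01:07:00 bob signin console=C-9f3 region=UK
2011-12-24T01:09:00 bob purchase console=C-9f3 region=UK points=7000
2011-12-24T01:12:00 carol signin console=C-9f3 region=UK
2011-12-24T01:13:00 carol purchase console=C-9f3 region=UK points=2000
2011-12-24T09:00:00 dave signin console=C-dave region=US
2011-12-24T09:30:00 dave purchase console=C-dave region=US points=800
2011-12-26T18:00:00 erin signin console=C-erin region=DE
2011-12-26T18:20:00 erin purchase console=C-erin region=DE points=400
"""


def parse(log_text):
    """Turn 'ts account kind k=v ...' lines into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, account, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "kind": kind, **fields})
    return events


def detect(events, fanout=3, window=timedelta(minutes=60),
           purchase_gap=timedelta(minutes=30)):
    """Return {account: sorted list of rule names that fired}."""
    events = sorted(events, key=lambda e: e["ts"])
    flagged = defaultdict(set)
    home_region = {}                         # first region seen per account
    last_signin, last_kick = {}, {}
    signins_by_console = defaultdict(list)   # console -> [(ts, account)]

    for e in events:
        acct = e["account"]
        home_region.setdefault(acct, e["region"])
        if e["kind"] == "signin":
            last_signin[acct] = e
            # Keep only sign-ins on this console inside the window, then
            # count distinct accounts: one device, many accounts = stuffing.
            recent = [(t, a) for t, a in signins_by_console[e["console"]]
                      if e["ts"] - t <= window]
            recent.append((e["ts"], acct))
            signins_by_console[e["console"]] = recent
            accounts = {a for _, a in recent}
            if len(accounts) >= fanout:
                for a in accounts:
                    flagged[a].add("shared_console")
        elif e["kind"] == "kick":
            last_kick[acct] = e
        elif e["kind"] == "purchase":
            s = last_signin.get(acct)
            if s and e["ts"] - s["ts"] <= purchase_gap and e["region"] != home_region[acct]:
                flagged[acct].add("new_region_purchase")
            k = last_kick.get(acct)
            if k and e["ts"] - k["ts"] <= purchase_gap and e["console"] != k["console"]:
                flagged[acct].add("purchase_after_kick")
    return {a: sorted(r) for a, r in flagged.items()}


def waves(events, flagged, window=timedelta(minutes=60), min_accounts=3):
    """Cluster flagged accounts' sign-ins in time; a scripted run shows up
    as many flagged accounts inside one short window."""
    times = sorted((e["ts"], e["account"]) for e in events
                   if e["kind"] == "signin" and e["account"] in flagged)
    found, i = [], 0
    while i < len(times):
        start = times[i][0]
        group = [(t, a) for t, a in times[i:] if t <= start + window]
        accounts = sorted({a for _, a in group})
        if len(accounts) >= min_accounts:
            found.append((start, accounts))
            i += len(group)          # skip past this cluster
        else:
            i += 1
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect(evs)
    for acct, reasons in hits.items():
        print(acct, reasons)
    for start, accts in waves(evs, hits):
        print("wave from", start, "->", accts)
```

On the sample, alice trips all three rules, bob and carol only the shared-console rule, and dave and erin (ordinary sign-in and purchase from their own console and region) are left alone; the three flagged sign-ins fall inside one hour and are reported as a single wave. The thresholds are deliberately loose so the pattern is visible; on real volumes they would be tuned against legitimate shared consoles and travellers.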
 

patsu

Member
Ask for the password or reset the password (e.g., by sending a new one to the owner's email address) ? It is a weakness/flaw if the system allows users to call in and ask for another person's password.
 
It really does seem to happen in waves. It'll be cool for a week or two, and then it'll explode over the course of a handful of days. I wonder what corner of the internet these thieves are finding the exploit and planning the attacks in. I'm surprised that someone hasn't exposed them and the exploit.
 
smh, passwords are useless then. Unless everyone locks their account and does this "protection" stuff, they can get in your account with whatever method the hackers are using.
 
It is a weakness/flaw if the system allows users to call in and ask for another person's password.

Indeed.

It's a bizarre situation, to say the least. If a user gets his account information changed while using a different email/password for every single service he's using, it's very unlikely that they somehow managed to get the password.

They must be using some exploit that doesn't need the password to begin with. Otherwise they just could hack everyone's account, not just some account here and there.

EDIT: I've been trying to change my live ID tied to my live account, without success. From the web it just says "impossible to change your live id at the moment". Let's see what happens from the console.
 
That's probably not how it works.

It's entirely possible/probable that the thieves (I assume it's a select group of people, not just randoms every time it happens) are doing it in batches. Taking a couple of weeks to retrieve all the necessary info from MS CS and then moving ahead once they have enough details.

That way the calls to MS CS wouldn't seem suspicious and would fall through the cracks as they probably do get more than a few legitimate calls about accessing accounts, etc in any given day.

That method does explain why it happens in batches and why there are lulls between the hacking incidents.
 
Occam's Razor.

What's more likely? People spending retarded amounts of time placing phone calls to customer service to get passwords reset -- a problem solvable in 5 seconds by management telling people to stop doing that?

Or a backdoor, which happens ALL THE FREAKING TIME on websites everywhere, which requires considerable effort to identify, much less fix.

I'm going with the option that isn't absolutely retarded -- but that's just me
 

test_account

XP-39C²
It is really poor security if the customer service gives out the password over phone like that. It should only be sent over to the account email or through physical mail (signed-for, so you have to show ID to get that mail).

But I don't think this is the case, to be honest. I would at least assume that the people working at customer service are aware of this problem, seeing how widespread it is. So if they still give out the passwords over the phone like that, then I don't really know what to say. This could be tested though. Just call customer service and try to make them give out the password to your own account.
 
It's possible, but if it was a backdoor there would be some info about it by now, even if it was rumoured. And when dealing with thieves, never discount any theory. This is no different to people stealing your trash to get old bank statements or anything that has some personal details.

This is their livelihood.
 
Someone with some free time should try this. See how much info they give away over the phone.

While you're right to think that MS CS should catch on, never forget you rarely get the same rep twice and they have reps all over the world, which can make noticing high volumes of people calling to get acc info difficult, but I might be wrong.
 

test_account

XP-39C²
True about many reps, but I don't think that they should ever give out passwords over the phone, especially when all these hacks are going on, even if it is a legit user that calls.
 
They don't, that would be absolutely asinine. Guys running a business out of their garage could figure out not to do that; there's a higher chance of the world ending on Dec 21, 2012 than this hack being due to CSR reps giving out passwords.
 

test_account

XP-39C²
Yep, it is really bad security if they do so at least. I could see it slip in a few isolated cases, but not when we talk about perhaps thousands of cases.
 

ban25

Member
CS would never give you the password, they probably don't even have it for security purposes (i.e. it's been one-way hashed and stored in a DB). The only thing they could do is reset your password for you, but in my case, my password was unchanged.

When you consider the volume of attacks, there's no way this is being performed through social engineering.
 

ban25

Member
What's really shocking to me is how insecure the system is by default. Microsoft could easily clamp down on this issue by pushing a system update that makes some simple changes:

- Require password authentication when logging into a console under a profile for the first time (i.e. only cache the credentials locally on the machine and re-send them on each connection attempt).
- Give users the ability to disable remote profiles/login
- Make Region Migration a CS-only operation (you have to call them to do it)
- Fix the Live / Profile Download Backdoor
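
ban25's list above, together with the earlier remark that support can only reset a one-way-hashed password and never read it back, describes a concrete account model: the password is verified on first use of a console, the console then holds a session bound to that device, and a password change revokes every cached session so a copied profile stops working. The block below is an added example written for this page to show that model in working code; it is not Microsoft's implementation and not code posted by anyone in the thread. The service and method names, the device identifiers, the sample passwords and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    # Session tokens issued after a password check; each is honoured only
    # from the device it was issued to.
    device_tokens: dict = field(default_factory=dict)   # token -> device_id
    # "Disable remote profiles": when False, only consoles that already hold
    # a session may sign in again, even with the right password.
    allow_new_devices: bool = True


class AccountService:
    """Toy account service with device-bound sessions (illustrative only)."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(password, salt):
        # Salted, slow, one-way: the plaintext is never stored, so nobody at
        # support could read it out over the phone even if asked.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = Account(salt=salt, pw_hash=self._hash(password, salt))

    def _check_password(self, acct, password):
        return hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))

    def sign_in(self, user, password, device_id):
        """First use on a console: the password is required; returns a token
        bound to this device, or None."""
        acct = self._accounts.get(user)
        if acct is None or not self._check_password(acct, password):
            return None
        if not acct.allow_new_devices and device_id not in acct.device_tokens.values():
            return None
        token = secrets.token_hex(16)
        acct.device_tokens[token] = device_id
        return token

    def resume(self, user, token, device_id):
        """Later use on the same console: the cached token suffices, but only
        on the device it was issued to."""
        acct = self._accounts.get(user)
        return acct is not None and acct.device_tokens.get(token) == device_id

    def change_password(self, user, old, new):
        acct = self._accounts[user]
        if not self._check_password(acct, old):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new, acct.salt)
        acct.device_tokens.clear()   # every cached session dies with the old password
        return True

    def set_allow_new_devices(self, user, allowed):
        self._accounts[user].allow_new_devices = allowed


def demo():
    """Walk through the scenarios the thread describes; returns the outcomes."""
    svc = AccountService()
    pw = "correct horse battery staple"            # constructed sample password
    svc.register("victim", pw)
    owner_tok = svc.sign_in("victim", pw, "console-owner")
    out = {"owner_resume": svc.resume("victim", owner_tok, "console-owner")}
    # A profile copied to another console carries the token but not the binding.
    out["copied_profile"] = svc.resume("victim", owner_tok, "console-attacker")
    # A guess on a new console gets nothing.
    out["wrong_password"] = svc.sign_in("victim", "fifa12", "console-attacker") is None
    # A password reused on another service and leaked there still opens the door...
    stolen_tok = svc.sign_in("victim", pw, "console-attacker")
    out["reused_password"] = svc.resume("victim", stolen_tok, "console-attacker")
    # ...until the owner changes it, which revokes every cached session at once.
    new_pw = "a different, unique passphrase"
    svc.change_password("victim", pw, new_pw)
    out["after_change"] = svc.resume("victim", stolen_tok, "console-attacker")
    # The owner re-enrols their own console, then switches off new-device sign-in.
    owner_tok = svc.sign_in("victim", new_pw, "console-owner")
    svc.set_allow_new_devices("victim", False)
    out["owner_after_lockdown"] = svc.resume("victim", owner_tok, "console-owner")
    out["locked_down"] = svc.sign_in("victim", new_pw, "console-attacker") is None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two outcomes worth noting are `reused_password` and `after_change`: a shared password defeats the device binding entirely (which is why the EA-account overlap keeps coming up in this thread), and the only thing that closes that door is a password change that also clears every cached session. Without the `device_tokens.clear()` line, a thief who already held a session would keep it, which is the "game over even if you change your password" behaviour described earlier.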
 
Happened to my gf over the weekend. She's never played FIFA, never shared details and she's never even played online multiplayer and only uses her 360 for games like Peggle and De Blob. She logs in yesterday to find she has bought "GOLD JUMBO PACKS" among other things and her point balance drained, whilst also having achieved 25 gamerpoints on FIFA 12 which she has never owned nor played.

Her credit card details were on her account but luckily it looks like they went no further than her points and we've since changed her password. There's far more to all this than Microsoft is letting on - it's far beyond just a "phishing" issue and this incident would show.
 

saunderez

Member
If it was genuinely a loophole the volume of attacks would be MUCH larger. They'd be going all out to get as much as they can as fast as they can before the loophole is found and closed. If the scammers have found a loophole and are going (relatively) low volume for some stupid reason they're just tempting fate. The longer they do this the bigger chance they have of being caught.
 