This happened to me a couple of weeks ago. The whole process was really annoying -- especially since I called to remove my CC info a while ago, and apparently that didn't happen.
My advice, sadly, is to sit and ride it out. I called numerous times because different reps kept on telling me different stuff, but once I finally got the straight talk -- it was 21 days on the dot from then. Call, change your password, get a new CC and just wait. They know it's not weak passwords/phishing that is causing these problems. I am able to see exactly how they are doing it too.
Overall this experience has soured me on MS and their security measures. I'll be using points cards if I buy from them, and don't plan on keeping gold after my pre-paid time expires. Funny thing is my Windows Live on my computer is still locked down, and the only advice they could give me was "we can port your shit to a new e-mail address." No thanks, not worth it for me. That e-mail is something I use every day, secure via 2 step authentication. I would have never caught the theft if I hadn't received an automatic notification from an e-mail I use every day.
Whoever the hacker was had decent taste in Live Games -- was downloading Trenched, From Dust, Bastion and Clash of Heroes before I cut him off. Hopefully none of the downloads completed for him.