
UPDATE: Hackers are selling stolen Xbox Live accounts on foreign auction sites. (!)

Mael

Member
What's peculiar is that Microsoft actually has two-step verification set up. Here you can put in your phone number and an alternate email. To verify these security details they send a randomly generated 7 digit code to your phone or a wacky link to your email.
THIS IS NOT USED WHEN CHANGING YOUR PASSWORD, MIGRATING YOUR XBOX 360 REGION OR WHEN ATTEMPTING TO LOG IN FROM AN UNVERIFIED SYSTEM.

It's like, what the fu why wouldn't...?

Oh and that process doesn't fucking work with hotmail as far as I know.
I know I had to contact the service center to get access to msn and co because they never fucking sent that message to my phone.
 
It was already mentioned on a previous page, but one plausible scenario involves the fact that you can completely bypass password authentication when logging into your console if you've ever downloaded the profile. For example, put your profile on a USB stick and go take it to another console. Notice you do not have to enter your password. It stands to reason that if there were a way to download a profile through some sort of backdoor or vulnerability in the XBL API, then the game would be over.

I'm fairly sure this is the exploit being used. I'm fairly concerned that the profile package isn't even very well protected. I hope that they are sniffing live traffic and getting what they need that way, but the more I've looked into it, the more I'm concerned that they really only need your account name, insert it into a profile restore packet request and send it to Live.
 

Maxim726X

Member
I unknowingly purchased one of these a few years back from an auction site (and yes, they're still for sale on said auction site). I thought I was getting a code for points, instead I received an account.

I called Xbox Live and told them where I purchased what I believed to be a stolen account, and the fact that there are many other sellers doing the same exact thing.

She told me not to worry about it- Even that I could use the points if I wanted to. Nothing about going after the site or the seller. I don't get it either.
 

Vorg

Banned
So sony gets hacked and we get a media circus. Nothing happens in the end. Microsoft gets hacked, accounts get stolen, sold and used by several people not the original owner. No one talks about it except for GAF. I don't get why the gaming media isn't all over this.
 

coopolon

Member
So is the general consensus that MS is paying journalists not to talk about it?

No, I don't think anyone is arguing MS is paying anyone. I think it's just that whenever a journalist's account gets hacked, Microsoft rushes their account recovery so it only takes a few days or less. So the journalist thinks it's no big deal, while the average consumer has to wait 2 weeks to 2 months to get their accounts back. The gametrailers.com guy is a great example of this happening recently, he tweeted his account got hacked, it was recovered in an incredibly short amount of time.
 

Maxim726X

Member
So sony gets hacked and we get a media circus. Nothing happens in the end. Microsoft gets hacked, accounts get stolen, sold and used by several people not the original owner. No one talks about it except for GAF. I don't get why the gaming media isn't all over this.

Accounts have been on sale for years... I remember seeing them 4 years ago, at least.
 

Grecco

Member
So sony gets hacked and we get a media circus. Nothing happens in the end. Microsoft gets hacked, accounts get stolen, sold and used by several people not the original owner. No one talks about it except for GAF. I don't get why the gaming media isn't all over this.


Microsoft hasn't been hacked.
 

Rebel Leader

THE POWER OF BUTTERSCOTCH BOTTOMS
So sony gets hacked and we get a media circus. Nothing happens in the end. Microsoft gets hacked, accounts get stolen, sold and used by several people not the original owner. No one talks about it except for GAF. I don't get why the gaming media isn't all over this.

Xbl hasn't been shut down.

Even if it does, it won't be as LOUD as PSN.
 
well this makes me feel all warm and fuzzy considering the fact that my account was Fifa hacked at the end of December....

Can't believe all this isn't bigger news than the Sony PSN saga. Much more people have been adversely affected I'd bet.
 
my understanding about the differences between the PSN and MS situations is that, while PSN got hacked, Live didn't, the users have been the ones hacked with scamming sites
 
So sony gets hacked and we get a media circus. Nothing happens in the end. Microsoft gets hacked, accounts get stolen, sold and used by several people not the original owner. No one talks about it except for GAF. I don't get why the gaming media isn't all over this.

Holy shit why do they even post?

Microsoft has not been hacked. Big difference. That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.
 

Fersis

It is illegal to Tag Fish in Tag Fishing Sanctuaries by law 38.36 of the GAF Wildlife Act
Microsoft hasn't been hacked.
How do you know? Remember a couple of months ago when Microsoft forced lots of people to change their MSN/Hotmail passwords? I wonder why? ...

* Twilight Zone music *
 

drizzle

Axel Hertz
I'd like to say that, when I say that "people with easy passwords" and "social engineering", I mean all of it: Phishing sites saying "input your info for free points", sites selling points that tell you that you need to login to get the points, password databases being raided and double checked for same-password gamertags. All of it is a valid form of hacking to get these accounts. None of these scenarios has Microsoft being compromised. Combine all these methods and you have a decent stream of gamertags to steal from. I believe the most widespread way to steal these accounts is a combination of all methods listed.

I will say that I really do like the "insert a gamertag name into a recovery package and send it to Microsoft" idea. I just think that, if it was that easy, it would have been overused so much that it would've been fixed by now. It's like somebody said earlier in the thread: Nobody is going to find out about an exploit and sparingly use it to keep it open for 2 years. They will milk that shit to the ground, to get the most profit from it as soon as possible. Still, it's very possible that a method to retrieve gamertags without the actual password is out there.

Well Kotaku is running a story on it, anyways. So that's a start!

http://kotaku.com/5873604/

That Kotaku story wonders about the account being locked, but still being used to buy points and share points.

When my account was "hacked", I was sitting on my computer, so I quickly changed the password, thinking it would be good for something. As we all know, he already had retrieved my account to another xbox, so changing the password didn't do any good, and the "hacker" started using the points. I called the support and they said the same thing: The account is being locked for your protection, so on and so forth.

However, a couple of hours later, the "hacker" was still using Microsoft points buying FIFA cards. I called back and the lady said that yes, the account was locked, but since the gamertag was logged in on an xbox, it still had full access to everything.

Later I found out that, as long as a Gamertag is online, it'll remain online. I think recently they added a 2 hour system check on the server to see if everything is ok with the account. That's obviously still not enough.
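Two gaps come up repeatedly in this thread: the one-time code that Microsoft can send to a phone or alternate e-mail is not demanded for password changes, region moves or sign-ins from an unverified console, and locking an account does not end the session of a console that already holds the profile. Both are account-service design decisions, so here is a small Python model of how a service can close them. It is an added example written for this page, not code from the thread or from Microsoft; the names, the list of sensitive operations, the in-memory `outbox` standing in for SMS/e-mail delivery and the whole data model are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory model written for this thread; the names, flows and the
# list of sensitive operations are this example's assumptions, not Xbox Live's design.
SENSITIVE_OPS = {"change_password", "change_region", "restore_profile"}

class AuthError(Exception):
    pass

@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    verified_devices: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # session token -> device id
    pending: dict = field(default_factory=dict)   # purpose -> outstanding one-time code

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    def __init__(self):
        self.accounts = {}
        self.outbox = []  # stands in for the SMS / e-mail channel (constructed)

    def register(self, name, password, first_device):
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(name, salt, _hash(password, salt),
                                      verified_devices={first_device})

    def _step_up(self, acct, purpose, code):
        # Without a code: send a fresh 7-digit one and report "not yet". With a code:
        # it must match the outstanding one for this purpose and is consumed either way.
        if code is None:
            acct.pending[purpose] = f"{secrets.randbelow(10_000_000):07d}"
            self.outbox.append((acct.name, purpose, acct.pending[purpose]))
            return False
        expected = acct.pending.pop(purpose, None)
        if expected is None or not secrets.compare_digest(expected, code):
            raise AuthError("invalid one-time code")
        return True

    def login(self, name, password, device, code=None):
        acct = self.accounts[name]
        if acct.locked:
            raise AuthError("account locked")
        if not secrets.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            raise AuthError("bad password")
        if device not in acct.verified_devices:  # unverified system: second factor
            if not self._step_up(acct, f"login:{device}", code):
                return None
            acct.verified_devices.add(device)
        token = secrets.token_urlsafe(32)
        acct.sessions[token] = device
        return token

    def _session(self, name, token):
        acct = self.accounts[name]
        if acct.locked or token not in acct.sessions:
            raise AuthError("no valid session")
        return acct

    def has_access(self, name, token):
        try:
            self._session(name, token)
            return True
        except AuthError:
            return False

    def perform(self, name, token, op, code=None, new_password=None):
        acct = self._session(name, token)
        if op in SENSITIVE_OPS and not self._step_up(acct, op, code):
            return False  # code sent; caller must repeat the request with it
        if op == "change_password":
            acct.salt = secrets.token_bytes(16)
            acct.pw_hash = _hash(new_password, acct.salt)
            acct.sessions = {token: acct.sessions[token]}  # every other session dies
        return True

    def lock(self, name):
        acct = self.accounts[name]
        acct.locked = True
        acct.sessions.clear()  # closes the "locked but still signed in" gap
```

The important lines are the two that touch `sessions`: a password change keeps only the session that made it, and a lock clears all of them, so a console that already recovered the profile loses access the moment support locks the account rather than staying signed in until some periodic check runs. Sign-ins from a device the account has never seen, and every operation in `SENSITIVE_OPS`, go through `_step_up`, which is the reactive proof mechanism from the thread applied proactively.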
 

Pie and Beans

Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.

People should be MORE concerned over this security failing, more so than the Sony database hack.

- Sony was targeted by basement dweller hackers looking to prove a point through massive data stealing, not for commercial gain. Sony acted fairly quickly to inform customers to watch their credit cards just in case (a very very small percentage ever affected), change passwords and so on.

- An inherent MS security flaw in the way accounts can be reclaimed and accessed has yielded an entire black market of account thefts dealing in exploiting people's logged credit card info for MS points and more every single day of the week. No wide response, no changes have been made to security measures, you're just as at risk now as you were when this first started and it's DISGRACEFUL and not getting widely reported.
 
5 months later I receive an email saying my account has been changed from US to UK, so hopefully I get it back soon.

They said I can keep all the DLC purchased in my name for all those games I don't own. Great.
 
If you paid for your current subscription with a credit card, then you can't remove that card from the system until your current sub expires.

Yes, it's absurd.

I am vulnerable to financial theft until 2013 because of this insanely anti-consumer policy. That is, unless I cancel that card. Which I will be doing tomorrow. Fuck this shit.

Does Microsoft start throwing a hissy fit when your card expires? Like asking you to put a new one on their system even if you're not a Gold member. Does it automatically erase from their database or do you have to ring them up? I heard they can still successfully charge to it even though it's expired - but if you try and use it for yourself it doesn't work. smh.
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
So what's worse, this or when Sony got hacked?

And if it's this, why are more people not talking about it?

Both. But Sony was compromised by 47 million accounts, while this (right now) is 1-5 million(?) accounts compromised. Meanwhile, Sony's service was shut down for a month with little to no explanation (a security risk) while MS continues to have a service but complete silence (or "it's a non-issue since it's account social networking") about it.

Sony's edges out for 2011, but this could be Fail of the Year 2012 if it accelerates and MS doesn't stop it.

Does Microsoft start throwing a hissy fit when your card expires? Like asking you to put a new one on their system even if you're not a Gold member. Does it automatically erase from their database or do you have to ring them up? I heard they can still successfully charge to it even though it's expired - but if you try and use it for yourself it doesn't work. smh.

No. They'll continue to "charge" you until a month later and then they'll lock the account like a Steam ban (can't sign into Live, basically) and go "you owe us, pay bitch."

You can turn off auto-renew but it's basically a PITA still because you have to go through hoops to remove the credit card information.

I'm just glad I did that two years ago and haven't looked back toward renewing Gold subscriptions.
 

alstein

Member
No, I don't think anyone is arguing MS is paying anyone. I think it's just that whenever a journalist's account gets hacked, Microsoft rushes their account recovery so it only takes a few days or less. So the journalist thinks it's no big deal, while the average consumer has to wait 2 weeks to 2 months to get their accounts back. The gametrailers.com guy is a great example of this happening recently, he tweeted his account got hacked, it was recovered in an incredibly short amount of time.

Tom Chick's got hacked semi-recently, and he was very critical of Microsoft.
 

drizzle

Axel Hertz
Does Microsoft start throwing a hissy fit when your card expires? Like asking you to put a new one on their system even if you're not a Gold member. Does it automatically erase from their database or do you have to ring them up? I heard they can still successfully charge to it even though it's expired - but if you try and use it for yourself it doesn't work. smh.

If your auto-renewal is on and the credit card on the database is expired, your account will be renewed and that invalid credit card will be charged. It won't work, obviously. Your account will continue being GOLD (because it renewed) and Microsoft will try to charge that credit 2 more times in the next two months (a total of 3 Months of "free live" and 3 tries to charge you for the new block of gold time, one each month).

After the third time is denied, since the card is invalid, your account will be suspended because you didn't pay for the service (the automatic renewed GOLD account which you didn't really ask for). From that point on, I've been told it's very hard to get your account back. To prevent this, either turn auto-renewal off or, if you're already screwed and are in the 3 month "we're trying to charge you but you're not paying us" period, you NEED to add a new Credit Card to the system prior to the third charge. Calling support won't get you anywhere.

Maybe it changed by now, but that's what used to happen one year ago.
 

Princess Skittles

Prince's's 'Skittle's
It's absolutely disgusting that this is still going on.

Two step authentication should have been added to the 360 back in June (or whenever this became a thing).
 

Ramma2

Member
Thankfully the card on my xbox live account is invalid, due to a fraud investigation I had earlier in 2011 (not related to XBL). My Xbox live account did get compromised and when they tried to purchase blocks of points they failed, which alerted me to the hack right away and I was able to change my password and put an end to it before it got out of hand.

I've since switched to retail cards for points and live subs and will have to keep it that way.
 
This issue really needs to get beyond the gaming media and into the mainstream media. That is the ONLY way that Microsoft will acknowledge the severity of the situation and take the steps necessary to correct it.
 

drizzle

Axel Hertz
Thankfully the card on my xbox live account is invalid, due to a fraud investigation I had earlier in 2011 (not related to XBL). My Xbox live account did get compromised and when they tried to purchase blocks of points they failed, which alerted me to the hack right away and I was able to change my password and put an end to it before it got out of hand.

I've since switched to retail cards for points and live subs and will have to keep it that way.
The fact that you changed your password didn't prevent anything. Your account was just abandoned because the Credit Card on file is invalid.

Once your gamertag was recovered on that console, it's still accessible. That's something that also scares me: The amount of gamertags that are not exploitable but are already hacked, and people are just waiting for a valid CC to be inserted in it.
 

RPGamer92

Banned
This issue really needs to get beyond the gaming media and into the mainstream media. That is the ONLY way that Microsoft will acknowledge the severity of the situation and take the steps necessary to correct it.
The problem is that whenever a journalist gets hacked, MS rushes to help only them so they won't report about it.
 

HolyCheck

I want a tag give me a tag
If you paid for your current subscription with a credit card, then you can't remove that card from the system until your current sub expires.

Yes, it's absurd.

Yeah I just found this out. ugh.

god knows i'll forget to remove it when the gold ends in a week
 
No. They'll continue to "charge" you until a month later and then they'll lock the account like a Steam ban (can't sign into Live, basically) and go "you owe us, pay bitch."

You can turn off auto-renew but it's basically a PITA still because you have to go through hoops to remove the credit card information.

I'm just glad I did that two years ago and haven't looked back toward renewing Gold subscriptions.

This. I'm going to be sending an inquiry to get my info removed from them today, and just use cards going forward. This is more than a wee bit absurd. The fact that they haven't added additional protection is also absurd...I have three consoles in my house, so I'm signing in on different ones all the time, and frankly I wouldn't mind a security pass when logging in.


Hell I'd love it.
 

drizzle

Axel Hertz
I've since switched to retail cards for points and live subs and will have to keep it that way.
This is the way to go.

Except you can't benefit from paid Live Events (like the UFC app, that's on beta right now) or crazy ass deals on GOLD (1 usd per month FOREVER) without a valid CC on file.

Hell, even the Free Beta UFC matches required you to have a CC on file (mine is invalid and it still worked), because a Charge of 0.00 USD goes through Microsoft's system. No CC? Sorry, you can't purchase this event valued at 0.00 USD.
 

Clear

CliffyB's Cock Holster
I'd just like to hop on my soapbox for a minute and point out that several times in this thread it's been stated that PSN CC info was compromised, when as far as I'm aware -and I followed the incident closely- PSN CC info was only POTENTIALLY compromised. Sony were unable to rule out whether those databases were hacked.

I'm not saying this to white-knight for Sony, because the potential should never have existed in the first place, but, to highlight how distorted and sloppy the reporting of the situation was.

What we have here are ACTUAL cases of small-scale fraud, and no one seems to be actively investigating the methodology by which it is being achieved. And people are wondering why the enthusiast press is so ineffectual at pursuing the issue...

The irony is that from a criminology perspective the PSN hack was a better piece of corporate sabotage than it was a crime for profit; yet the press pushed it as the latter with ominous concerns of mass identity-theft.
 

jagowar

Member
What's peculiar is that Microsoft actually has two-step verification set up. Here you can put in your phone number and an alternate email. To verify these security details they send a randomly generated 7 digit code to your phone or a wacky link to your email.
THIS IS NOT USED WHEN CHANGING YOUR PASSWORD, MIGRATING YOUR XBOX 360 REGION OR WHEN ATTEMPTING TO LOG IN FROM AN UNVERIFIED SYSTEM.

It's like, what the fu why wouldn't...?

I thought that stuff was all about reactive after your account was hacked to prove you were the one trying to reset? I actually changed my password on the first (always change it on jan 1 and july 1) and it did not make me give a code (and I have all those proofs setup).
 

drizzle

Axel Hertz
I've been thinking...

I guess that a two tiered email-confirmation system on a system where, usually, the email associated to the gamertag and said gamertag are both on the same login system, Windows Live, (I'm guessing most people that use Live have a Hotmail email, because when you create a new gamertag on the xbox, you automatically create a hotmail account) wouldn't be very useful, unless you register a secondary email for account retrieval purposes, which I believe is not mandatory.

Still, they need to do something.
 
It's funny how you get angry every time someone criticizes Microsoft.

Whoa there, no need to take your insecurities out on me. Tons of people on this very page have said the same exact thing I have.

The "holy shit why do they even post" is fully in context. Whole topic of people explaining how it isn't a hack and why it isn't, and then:

"bu-bu-bu Sony gets hacked and its a big deal but Microsoft gets hacked and only GAF cares! I just don't understand."

wat
 

Zoe

Member
(I'm guessing most people that use Live have a Hotmail email, because when you create a new gamertag on the xbox, you automatically create a hotmail account)

Has it always been like that? I don't remember getting one.
 

ShogunX

Member
I posted about Tradetang and DH gate on here months ago and people either ignored it or decided it wasn't worth a response. Maybe it was because I didn't make a thread with a sensationalist headline or something.

SMH.


A large part of these Hong Kong sellers' business is acquired through phishing links and social engineering. How do I know? Because I have one of them on my Google chat.
 