The Consumerist: Xbox account hijacking on the increase - EA server connection?

#1
They wrote an article on the upswing in Xbox Account jacking.

http://consumerist.com/2011/10/i-watched-live-as-id-thieves-spent-my-money-on-xbox-live.html

Consumerist said:
I Watched In Real Time As ID Thieves Spent My Money On Xbox Live

It's bad enough to find out you've been the victim of identity theft. It's even worse to sit and watch as the thieves spend the money they acquired with your credit card information.

That's what happened today to Consumerist reader Brian, who could do little but sit and watch as someone else had a good time at his expense.
From Brian said:
I received 2 emails from billing@microsoft.com. 1 was for 4000 Microsoft XBOX Live Points ($49.99) and the other for 6000 Points ($74.99). I am sitting at work so I know I didn't make these purchases. Maybe my cat did at home. He is pretty smart.

Thinking this was a scam, I typed in microsoft.com and navigated to their billing page (NEVER CLICK ON LINK IN AN EMAIL THAT LEADS TO LOGGING IN OR GIVING PERSONAL INFO LIKE THIS) and verified that both charges were made to my XBOX Live account and thus charged to my credit card I had on file.

I immediately called XBOX Live Support/Billing and told them about what was happening and the gentleman was very helpful. He immediately locked my account so now more purchases (cash purchases) could be made. However the thief could still spend all the MS Points that were on my account. Also, he said that he put a ticket in and their systems would start tracking the IP address of the thief while he was making the purchases.
I guess it's easier to be a journalist when your paycheck isn't tied up in the story.
 
#2
Brian said:
He immediately locked my account so now no more purchases (cash purchases) could be made
Missed a word there journalist :p

Anyways. Yeah, for all the grief that Sony got over their breach, I was never wrongfully charged for PSN points. Silver linings I guess...
 
#10
Dave Long said:
Something is definitely up. There are a lot of reports of this happening to people, including Desslock for those of you who have read his work over the years in various publications and online.

Microsoft really needs to comment.
Desslock who writes the PC Gamer RPG column?
 

gofreak

#11
Ars Technica's games editor published an article about it this morning:

http://arstechnica.com/gaming/news/...-hacked-accounts-fifa-11-and-12-purchases.ars

I think it's not being picked up by game journos because most of them are possibly so used to being fed their news from the top down, and MS isn't saying anything about this. This is news coming from the grassroots up and that type of news spreads slower. If and when MS comments, you'll probably see a lot more coverage.
 
#12
Dave Long said:
Something is definitely up. There are a lot of reports of this happening to people, including Desslock for those of you who have read his work over the years in various publications and online.

Microsoft really needs to comment.
It's more than likely that someone or a group has got a database of email/passwords from some sort of gaming related site and are running them against everything under the sun that they could abuse. In the small chance that it's directly related to Microsoft then yeah they've majorly fucked up.
 
#15
Dave Long said:
Something is definitely up. There are a lot of reports of this happening to people, including Desslock for those of you who have read his work over the years in various publications and online.

Microsoft really needs to comment.
Yeah, I have been seeing more people post about this happening to them recently.

Does anybody here visit black hat/cracking forums to see if there is some kind of breakthrough exploit that thieves have found?

Hope it isn't as bad as what happened to PSN.
 
#18
Sleep Arrest said:
Good thing I never left my credit card on my live account.
The biggest problem is the hoops you have to jump through to remove a credit card. You have to call support, get approval from a supervisor and then wait 30 days for it to be removed.

It's beyond ridiculous.
 
#19
I had my account hacked two months ago, Microsoft did refund my pennies but I still don't have my gamertag back. Considering the amount of money I've spent on DLC and that you can't transfer save games between accounts, it's really fucking annoying. Every time I call up to complain I just get some hapless prat telling me they don't have any contact with the fraud department (I'm sure they don't) so they can't tell me why things are taking so long.
 
#24
Curufinwe said:
Desslock who writes the PC Gamer RPG column?
There can be only one!

He posted a thread on Quartertothree.com about it in the last month. Others started coming forward saying the same had happened to them. I have to say I'm a little worried, but I also have no valid credit cards associated with my account right now, either.

That ship sailed a long time ago with their auto-renewal bull where they apparently try various expiration dates until one works! Sony, Microsoft and Nintendo will only ever get codes from plastic or cardboard cards from me anymore. Too risky to have a credit card tied to these game consoles. They're just too big a target for hackers.
 
#27
If there is some kind of a breach, you would think MS would have learned from Sony that being coy and not saying anything doesn't go over well.
 
#30
garath said:
The biggest problem is the hoops you have to jump through to remove a credit card. You have to call support, get approval from a supervisor and then wait 30 days for it to be removed.

It's beyond ridiculous.
Not true at all.

You do have to call them up, but they remove it almost instantaneously. Sounds like you were unfortunate enough to get a shitty CS rep.

MikeE21286 said:
IIRC you need a CC on file to be a gold member on Xbox Live.
Nope.
 
#32
garath said:
The biggest problem is the hoops you have to jump through to remove a credit card. You have to call support, get approval from a supervisor and then wait 30 days for it to be removed.

It's beyond ridiculous.
This sort of thing really should be illegal. It's my credit card, why is MS allowed to hold it hostage like this?
 
#33
awwyeahgurrl said:
It's more than likely that someone or a group has got a database of email/passwords from some sort of gaming related site and are running them against everything under the sun that they could abuse. In the small chance that it's directly related to Microsoft then yeah they've majorly fucked up.
According to Sony, that's exactly what's going on:
http://blog.eu.playstation.com/2011...rom-sonys-chief-information-security-officer/
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.
So what are the chances the hackers running the ID/password combos tested just PSN and not Live?
 
#37
I think part of the problem with an investigative news story like this is that the gaming press for the most part is comprised of blogs and that format does not favor a real writer or reporter spending their time tracking a story down. They need to produce content at a ridiculously fast pace for the clicks. Sometimes reporters can spend a lot of time on a story like this and end up with nothing at all. A blog type media outlet probably feels (justly or unjustly) that they don't want to spend money on it.
 
#38
All they have to do is close FIFA Ultimate Team and the hackings stop dead. Unfortunately it's probably a bit too much of a cash cow for them, even if all that cash is actually stolen.

If you want to see where your money's going, search eBay for "FIFA Ultimate Team" and look for all the auctions selling coins. These people hack accounts, buy shitloads of coins with your money, and then sell the coins on eBay. Easy money.

That's why it's always FIFA they play, it's because the Microsoft Points they steal can be effectively turned into cash (and then heroin). FIFA UT is unique in allowing this to happen.
 
#40
toythatkills said:
All they have to do is close FIFA Ultimate Team and the hackings stop dead. Unfortunately it's probably a bit too much of a cash cow for them, even if all that cash is actually stolen.

If you want to see where your money's going, search eBay for "FIFA Ultimate Team" and look for all the auctions selling coins. These people hack accounts, buy shitloads of coins with your money, and then sell the coins on eBay. Easy money.

That's why it's always FIFA they play, it's because the Microsoft Points they steal can be effectively turned into cash (and then heroin). FIFA UT is unique in allowing this to happen.
Crazy, absolutely crazy

One sock + free 100000 coins for fifa ultimate team xbox 360

Brand New Ink Pen + optional free 10,500 coins (360 fifa ultimate team 12)
 
#43
toythatkills said:
All they have to do is close FIFA Ultimate Team and the hackings stop dead. Unfortunately it's probably a bit too much of a cash cow for them, even if all that cash is actually stolen.

If you want to see where your money's going, search eBay for "FIFA Ultimate Team" and look for all the auctions selling coins. These people hack accounts, buy shitloads of coins with your money, and then sell the coins on eBay. Easy money.

That's why it's always FIFA they play, it's because the Microsoft Points they steal can be effectively turned into cash (and then heroin). FIFA UT is unique in allowing this to happen.
Dat allard laundering!
 
#45
Speedymanic said:
Eurogamer are reporting the issue is with EA servers
That's a bizarre conclusion to make, given the guy they're quoting says he hates football and would never play FIFA. How the fuck, then, would his account have been hijacked using a vulnerability with FIFA?

My money's on the accounts being sold on a FIFA forum or something.
 
#46
The report offers a number of explanations, including one specific to FIFA that involves hackers emailing EA support and the EA server then sending over the victim's Xbox and EA account information.
Haha, no way is this true. EA can't store Xbox account information without breaching the Data Protection Act.
 
#47
HTuran said:
Haha, no way is this true. EA can't store Xbox account information without breaching the Data Protection Act.
They can store gamertags.

Jigglywiggly said:
That's a bizarre conclusion to make, given the guy they're quoting says he hates football and would never play FIFA. How the fuck, then, would his account have been hijacked using a vulnerability with FIFA?

My money's on the accounts being sold on a FIFA forum or something.
I've found people tend to exaggerate or outright lie in cases like this. Take his words with a pinch of salt.
 
#50
jigglywiggly said:
That's a bizarre conclusion to make, given the guy they're quoting says he hates football and would never play FIFA. How the fuck, then, would his account have been hijacked using a vulnerability with FIFA?

My money's on the accounts being sold on a FIFA forum or something.
Not a vulnerability with FIFA. If you have an EA account, which could've been created from playing any number of EA games and someone steals that information, then you could be in trouble if you used the same username/password combo as your EA account (IF someone has indeed hacked into the EA account database).