Please read like, oh idk, 2-3 posts above yours. You do not just look in a database and read a password off. End of discussion
WTF reading comprehension FAIL
Where the hell did I say they read the passwords? LOL
Blizzard actually takes steps to offer better security to customers. So, there's that.
edit: this is what I'm talking about: http://us.blizzard.com/store/search.xml?q=authenticator
It doesn't really matter if there isn't a server-side hack like with PSN if accounts can be abused regardless. There seems to be no pattern here either about who gets their account hacked, so it doesn't seem that anyone is immune.
Holy shit why do they even post?
Microsoft has not been hacked. Big difference. That's why there isn't and never will be a media circus and the vast, vast majority of people will never even have to worry about this.
Has anyone ever tried this on a test account? edit: never mind
And to top it off, they did NOT change my password because I logged into it through the website immediately after the compromise.
So it wasn't phished, it wasn't changed, and it wasn't brute forced. How many options are left?
To be fair Sony had sensitive information in plain text. I'm not defending his point but just sayin'.
Then how are they getting onto the accounts when the passwords aren't getting changed?
The fact that we can't remove our credit card information from xbox live without contacting their customer service line is BS.
Screw you, MS.
I have.
Auto-renew was off, couldn't take it off until gold expired
I don't know nor did I ever claim to. Coopolon asked how social engineering could work and I gave an example. Whether this example is being used on LIVE we don't know. Plus I thought it had been established that some accounts that had been hijacked DID have passwords/secret questions changed?
Jesus christ how many times are we going to have to repeat this. Please list one alternative to reading passwords over the phone that does not involve a password reset, since we already know passwords aren't being reset.
So it can't be either phishing/social engineering or mystery hack. The latter of which implies XBL has been totally compromised for almost three years but the hackers aren't doing much with it. That doesn't make sense so there must be some fourth exploit no one has figured out yet.
A MS employee is leaking or selling the info.
Hey, if you are right then we should see this thing explode soon but I don't think so. Not worried at all.
No they didn't
The CC info was encrypted but I'm pretty sure they admitted that any other information, such as passwords, wasn't in any way.
That's possible but there are still a lot of other theories.
I hope MS does something about the FIFA thing because we don't have the power to prevent it if you're still using a CC (or PayPal, which looks like it can't be removed). Only MS, maybe EA, can do it. That's why we want it in the media as much as possible, to hurry MS up and get the fuck on it.
From this woman's story, it doesn't seem like the FIFA game is involved? Did she mention she is a FIFA player?
The CC info was encrypted but they admitted that any other information, such as passwords, wasn't in any way.
It's never been specifically about FIFA. That's just the end result.
There has always been suspicion of EA's involvement though (especially with regard to the sharing of credentials / account data with them).
Does XBL send your/her PayPal info over to EA?
why the fuck can't I remove my paypal details from my account until gold expires? so unbelievably stupid, holy shit
Impossible to say without intricate knowledge of their systems. They certainly share your normal data, as obviously EA runs their own online infrastructure alongside xbox live.
I'm not turning on victims here, but I'm stunned how many people have a debit card or PayPal account tied to Xbox Live (or any other service for that matter).
Credit cards, people. One call to the issuing bank and I get charges disputed in minutes, virtually no questions asked. Believe me, you get better customer service when you're holding their money hostage, and not the other way around.
Still, I don't tie any payment method to my account. Buy codes from a trusted third party, like Amazon.
I think as long as there are points in the system, the hackers can use them. And some people stock up those points ahead of spending because of promos and point discounts.
When you buy EA DLC, do you buy it from XBL or EA store? i.e., using points or dollars?
I'm guessing points, so yeah, probably no need to transfer any info. I don't know for sure though.
That's why I said "the FIFA thing", referring to the common one that has been heard many times. I know it has nothing to do with the OP's story. But it sounds worse than the FIFA gold pack account hijack. Poor her.
I understand that, but there are a couple of things even there:
1. With no payment info on file, the damage is limited to the points in the account. No situation where bill money is stolen.
2. Every promo I've taken advantage of issues codes. No need to immediately redeem them.
I'm going to put my head out on the chopping block and volunteer my own theory on how my XBL account was hacked. (Sept 7th, 6000/4000 points purchased on attached credit card that was close to expiration, account transferred to Brasil, still not recovered after ongoing investigation)
First off, I created my account years and years ago, back when I had a very insecure password system. I never updated that password.
As I'd told my Xbox to remember my account password, I had completely forgotten that I was using "that" password (one that I had also used lots of other places) until it was too late.
Anyway, turns out that very password was the one that was disclosed, albeit encrypted, in the infamous Gawker Breach of 2010 (damn, over a year ago now). The databases from that leak are still readily accessible online if you poke around.
You can search for the MD5 of your email address over here - http://www.google.com/fusiontables/DataSource?dsrcid=350662 to see if you are in this list. Remember that this is only ONE of multitudes of databases that have been fully compromised from various websites over the years, so being in here or not really doesn't mean much.
One characteristic unique to my XBL account being hacked is that that same evening, I received a "welcome back!" message from Facebook, which I'd created years prior, again, with the same password, but had deactivated and had left dormant. Turns out whoever got my XBL login also was trying it on Facebook, and who knows where else. I'd say I have enough data to tie all of these incidents together.
It is extremely profitable for criminals to obtain lists of compromised usernames and passwords and script logins to popular services in hope of getting bites. This is why it's so important to never use the same email address/username/password combination ANYWHERE.
This does not, in any way, explain why users such as cpp_is_king, who has confirmed that he has had a 100% unique email address with a unique password tied to his XBL account, still managed to have the account compromised. That shit baffles me.
For everyone else, it is highly likely that the account password for EITHER your XBox Live account or the MS Live ID that is tied to it was the same as an account you had used elsewhere, which had been compromised, and the database owners never thought to let you know about it. It happens all the time.
Again, the only way Microsoft is going to truly nip this in the bud is to implement a true two-factor authentication/verification system for XBox Live which will require authentication from something you HAVE (digipass/etc or cellphone code) to approve charges to the account, account transfers, or a myriad of other functionality that can be defined from your XBox Live account preferences.
I am not reactivating my Gold account until this is present, period.
Of course I am using a secure password system now, and admit I was a complete moron to not be more vigilant, but hey, life's made up of tough lessons.
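The step-up check proposed in the post above (a second factor required for charges and account transfers, not only a password), sketched as an added example that is not part of the original thread and is not Microsoft's code. It uses standard TOTP (RFC 6238 on top of RFC 4226 HOTP); the `Account` class, the action names and the `SENSITIVE` policy are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
# Hypothetical policy: actions that need a fresh second-factor code.
SENSITIVE = {"purchase_points", "transfer_account", "change_payment"}


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Account:
    def __init__(self, secret: bytes):
        self.secret = secret      # shared with the user's token or phone app
        self.last_counter = -1    # highest time step already accepted

    def verify_code(self, code: str, now: int, drift: int = 1) -> bool:
        """Accept a code from the current step +/- drift, and never twice."""
        current = now // STEP
        for counter in range(current - drift, current + drift + 1):
            if counter <= self.last_counter:
                continue          # replay of an already used (or invalid) step
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False

    def authorize(self, action: str, password_ok: bool,
                  code: str = "", now: int = 0) -> bool:
        """A password alone is enough only for non-sensitive actions."""
        if not password_ok:
            return False
        if action not in SENSITIVE:
            return True
        return self.verify_code(code, now)
```

With this gate, a password replayed from another site's breach still signs in, but it cannot buy points or move the account without the code from the owner's device.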
It's quite possible that there are multiple avenues of attack. As you mention, obtaining lists of UN/PW is absolutely the easiest avenue of attack for any Joe Schmoe hacker. I'd be surprised if at least some of the attacks weren't a direct result of that.
Absolutely, and your case in particular fascinates me. I don't know what other avenues would exist for someone whose account information is so closely guarded. Had it been a long time since you'd last logged into your Xbox? Are you on a home network which has any unencrypted or easily decrypted connections at all?
One thing I remember about the brief unauthorized access to my Facebook account, is that the moment I received the email letting me know it was lit back up, I logged into it and looked at the active connections, and the only one in there was one that was completely unknown to me from my same (albeit huge) hometown.
Switching paranoid mode on completely, it is fully possible that whoever was trying to completely milk out accounts attached to my compromised credentials was using a local compromised machine as a gateway. All it would have taken at the time would be one look at my public XBL profile to see the city I live in.