Wow was my Windows live/ Xbox account just hacked?

Speedymanic said:
Doesn't sound like a problem with Live, but perhaps with Hotmail and some password exploit being used to hack accounts. In any case, nothing untoward happening on my account but then my password is very secure using numbers, characters, capitals, pretty much the works.

It's simply madness/ineptitude to use a simple password for an account that has hundreds of pounds of content linked to it.
My account wasn't on a hotmail email and had a sufficiently strong password, both of the machines I would have used have been scanned multiple times for malware and come up clean. I'm also fairly certain I wasn't phished. I honestly have no idea how my account was compromised.
 
JorSneezy said:
This exact thing happened to me on July 29th. I think you'll find the language changed to Russian, too.

It took Microsoft until August 30 (yesterday) to fix it (over a month!), but they forgot to change the country back to United States (from Russia). I contacted them last night about it and they said it would take an estimated week to fix it. It's ridiculous.

I will no longer hate on Sony for the PSN outage.
Update: They've sent me an email saying it will now take up to 30 days to switch my language from Russia to United States. Why does this take so long? Has to be a pull down selection, right?
 
What's the best way to protect yourself against this? Change your password into something unbreakable or remove your card from X-Box? In the case of the latter would you still be able to buy points online?

I might be nuts but couldn't this all be easily avoided by forcing people to enter the security code on the back of their cards every time they make a purchase?
 
Spirit of Jazz said:
I might be nuts but couldn't this all be easily avoided by forcing people to enter the security code on the back of their cards every time they make a purchase?
It would be a huge improvement yes, but then all those people who forgot about their cards on live getting auto renewed would not be giving their cash to microsoft, so they will never change it.
 
Speedymanic said:
Doesn't sound like a problem with Live, but perhaps with Hotmail and some password exploit being used to hack accounts. In any case, nothing untoward happening on my account but then my password is very secure using numbers, characters, capitals, pretty much the works.

It's simply madness/ineptitude to use a simple password for an account that has hundreds of pounds of content linked to it.
My account isn't with hotmail. My password was also quite secure. Some people have been mentioning it could be with windows live games but I haven't used that for years on my PC and it's not even installed now. I'm confused on how this happened.

It's really annoying that I can't use my account for what sounds like will be a month at least. I use my 360 to stream netflix which obviously can't do now. Also, Guardian Heroes and RSG coming out, ugghhh. I think I'll be going to the points card method after this. Fuck having my CC linked to my account.
 

DRock

has yet to tasted the golden nectar that is tag
Could it have been social engineering? Can you ask support to tell you all of the dates and times that support calls were placed on your account in the past few months?
 
Just opted to change my password over my 360, seeing as I never use live on PC I figure it's the safest way to go in case of malware.

MarkMclovin said:
How do you remove it? I'm trying to do it via the site and it wont let me.
You need to call in order to remove it. I have my account on an expired card though, think I might just keep it tied to that then put in the new details whenever I want points (continuing to remove it again) and use cards for my subscription.
 
So while your account is under investigation, you shouldnt be able to log into xbox.com right? Because I can still log into xbox.com, hotmail, etc. after having reset my password. The only "red flag" on my account atm is: "Your membership is suspended due to a problem with your payment option. To continue your membership, edit the payment option or use a new one."

Which i'm sure is due to me getting my old card number canceled, and being issued a new one...
 
Teknoman said:
So while your account is under investigation, you shouldnt be able to log into xbox.com right? Because I can still log into xbox.com, hotmail, etc. after having reset my password. The only "red flag" on my account atm is: "Your membership is suspended due to a problem with your payment option. To continue your membership, edit the payment option or use a new one."

Which i'm sure is due to me getting my old card number canceled, and being issued a new one...
I've been able to go into the account and get rid of my CC and look at my purchase history. I've never had live under the account, and the only purchase I made on it was years ago for AoE for $1 lol.

I was actually wondering the same thing though. They told me 22 days, and it would be locked for that duration. I still don't have my money, they only removed one of the charges, and I can access the old account.

I'm debating calling them back seeing as there's no way to check your Case Number on their website.
 
Teknoman said:
So while your account is under investigation, you shouldnt be able to log into xbox.com right? Because I can still log into xbox.com, hotmail, etc. after having reset my password. The only "red flag" on my account atm is: "Your membership is suspended due to a problem with your payment option. To continue your membership, edit the payment option or use a new one."

Which i'm sure is due to me getting my old card number canceled, and being issued a new one...
I can still log in through the website but I do get that suspended message. Same thing on the 360 however can't do anything because it will continue to ask for the payment method everytime you do anything.
 
Same thing happened to me. Someone used my debit card to buy $75 worth of Microsoft Zune points and spent all the points on my xbox. They bought From Dust, Vanquish someone warhammer arcade game and something else. Spent all the points exactly.

When I went to my local bank of america to file a claim and get a new card the guy there said this happens all the time with Xbox Live users. He says he just got off a phone call with an Xbox live representative a couple days ago and they explained everything.

Apparently they "hack" your xbox, or your account etc., use your stored payment information to buy around $75 worth of points. Apparently $75 worth of points is just under the amount Microsoft considers suspicious. If you purchase more (around 10,000) they flag your account for fraud.

They then spend the points but do not download the games. Somehow, he didn't explain this part thoroughly, they call up microsoft and say they want the points refunded as a gift card. They sell these gift cards on ebay.

Dirty bastards.


EDIT: Interesting tidbit: Google notified me a month ago about someone accessing my email account (linked with xbox.com) from China. Big WTF. Anyways I changed all my PWs that I could think of associated with my email but I guess I forgot my Windows Live ID.
 
Yeah one of my old account was hacked in mid-August. My wife's old account that I cancelled 5 months prior was re-activated by the hackers and they hit my Discover card with over $600 of charges. $400 of which is due to the fact that the idiot customer service reps (via 18004MYXBOX) did NOT deactivate the account when I called allowing the hackers to keep charging stuff. I cannot cancel the card until MSFT gets off their lazy butts and completes the investigation to refund the cash. Discover says there's nothing they can do to exclude a specific retailer, so I hope these idiots shut it down for real this time (2 weeks no MSFT charges....knock on wood). Anyway, I'm pissed that I'm going to be paying interest on hacker charges because of 1) their red tape, and 2) their idiocy of not pulling the account after I made the initial call. This account was also using a non-MSFT e-mail (i.e. not hotmail).

One one main gripe with the Windows LIVE system is that you aren't allowed to delete card information once you cancel (or at least that's what I was told when I canned this account months prior). Luckily my main account has a strong password and has yet to be hacked, but I knew I should have beefed up the password on the old account, but I never thought that it could be hacked and re-activated after cancellation. So I'm posting this to make you all aware of that backdoor. Only reason I got on this as quick as I did is that I have my card setup to send me text alerts for all purchases as I only use this card for gasoline purchases and was trying to have it payed off by early next year. The agony of it all.
 
depths20XX said:
I can still log in through the website but I do get that suspended message. Same thing on the 360 however can't do anything because it will continue to ask for the payment method everytime you do anything.
Yeah, same here. I guess we cant remove info until they're finished. The rep I called yesterday said it might just take 15 days instead of the original estimate.
 
heavyness said:
If you don't use it now in gmail, turn it on! Basically, if anyone logs in to your gmail account from a different computer, they have to enter a special code that is generated and sent to your phone. Basically, they will have to steal your phone to change your password.

And yes, you can use gmail for you Xbox Live account (passport account).

Do it now!
You can use your gmail account??

That is great, Gunnar go change that right now.
 
Diablohead said:
It would be a huge improvement yes, but then all those people who forgot about their cards on live getting auto renewed would not be giving their cash to microsoft, so they will never change it.
It shouldn't play a role in subscriptions though. You could just enter it the first time around and then you're set on auto-subscribe until you cancel it, you still need to enter the security number to purchase any points. I don't see where the downside is to it?
 
Spirit of Jazz said:
You need to call in order to remove it. I have my account on an expired card though, think I might just keep it tied to that then put in the new details whenever I want points (continuing to remove it again) and use cards for my subscription.
You should take it off asap. I've heard from people that they can still charge your card even though it expired, stupid I know.
 
demigod said:
You should take it off asap. I've heard from people that they can still charge your card even though it expired, stupid I know.
Yeah, have heard the same pretty much, that they keep billing you and since they do not get any money (expired cc) they will lock-down your account until they get payed.
 
Not sure how legit this is, but

http://techmento.com/2011/06/18/xbox-live-hacked-60000-accounts-leaked/


The name you all should know by now, LulzSec, has just hacked Xbox Live and has exposed over 60,000 Xbox Live gamertags, passwords, and even PayPal information. The information was taken down from forums multiple times, but it keeps getting posted.

If you use Xbox Live or Paypal, I recommend changing your password on both platforms, as well as your bank account, immediately. World Of Warcraft usernames and passwords were also stolen.
 
Blue Ninja said:
I thought LulzSec went belly-up a few months ago?
Well it is from June. They release 60K accounts in June (asses) which end up in some dude's 0day passes list in China and get traded around like...bubblegum cards.
 
Well, that's kinda shit....and worrying.

I just added my CC details yesterday for my kid :\

The PSN outage was bad but daaaaaaamn cards actually being charged is all kinds of fucked up.
 

LAUGHTREY

Modesty becomes a woman
ShallNoiseUpon said:
My account wasn't on a hotmail email and had a sufficiently strong password, both of the machines I would have used have been scanned multiple times for malware and come up clean. I'm also fairly certain I wasn't phished. I honestly have no idea how my account was compromised.
I have the same feeling. I've scanned everything I use, and normally if you get phished it's very obvious after the fact. I rarely even enter my name + pass since I have it saved to chrome.

And like I said, I can't be anymore loud and clear on this, right before I got charged for the points, I had a password reset email and my email was never accessed from anywhere but my PC. I'm 99.9% sure I wasn't phished or keylogged. There is probably some exploit around that allows them to reset the password.
 
LAUGHTREY said:
I have the same feeling. I've scanned everything I use, and normally if you get phished it's very obvious after the fact. I rarely even enter my name + pass since I have it saved to chrome.

And like I said, I can't be anymore loud and clear on this, right before I got charged for the points, I had a password reset email and my email was never accessed from anywhere but my PC. I'm 99.9% sure I wasn't phished or keylogged. There is probably some exploit around that allows them to reset the password.

Same exact thing happened to me. Exactly. I didn't get charged for points, though, the account was locked beforehand.

Neat thing is, though, I was able to move my Xbox Live account to a new Windows Live account. So in the tug of war for my old Windows Live account, even if he ends up with it... he will have nothing.
 

LAUGHTREY

Modesty becomes a woman
AlexMogil said:
Same exact thing happened to me. Exactly. I didn't get charged for points, though, the account was locked beforehand.

Neat thing is, though, I was able to move my Xbox Live account to a new Windows Live account. So in the tug of war for my old Windows Live account, even if he ends up with it... he will have nothing.
That's cool, how do you change windows live accounts? I'm gonna want to do that after I get my tag back so they don't know my email anymore.

I'm on the phone with them now, I can't even get my gamertag back to play on it while they investigate the charges since it's so "messed up". Honestly at this point I don't expect to get my shit back.

I tried to buy a one month on two seperate accounts last night and the card was declined, I'm guessing since it's the same card that was on my main account it's been, for lack of a better term, "banned" from xbox live as well so that's cool. I'm trying to get them to give me a one month or something so I can at least fucking play something.

This is 2 months EXACTLY that I haven't had my XBL, if this was happening just slightly more widespread I think it could do as much PR harm as the PSN outage, if not more.
 
Spirit of Jazz said:
Just opted to change my password over my 360, seeing as I never use live on PC I figure it's the safest way to go in case of malware.



You need to call in order to remove it. I have my account on an expired card though, think I might just keep it tied to that then put in the new details whenever I want points (continuing to remove it again) and use cards for my subscription.
I just waited 'till my Gold was expired (had to call to cancel auto-subscribe, though), and could then remove the card myself on the website. I've heard you can't do that everywhere, though. MS' system really is shit.
 
I went into my bank today and they sorted everything for me.
Replacing my card and refunding the money I lost, all within a few days it seems.

Sounds like approaching your banks is much more reliable them Microsoft.
 

lobdale

3 ft, coiled to the sky
Yup I must have been a part of this all, got the same thing maybe 2 or 3 weeks ago. Paypal and Xbox Live accounts, bought a bunch of points, recovered my account to their xbox or whatever. Luckily they didn't change my passwords so I just logged back in and changed them, changed all my other sites too. Contacted PayPal to get those charges back, my bank is taking care of the rest.
 

Brandon F

Well congratulations! You got yourself caught!
So yea, same thing happened to me. A 6000 and a 4000 purchase was charged, much like most of you. When I logged into my Windows Live ID on XBox.com, I had to reset my password(old one wasn't working). Further, when I did reset my pass, a dummy gamertag replaced my standard one, so I can't even track anything that occurred to my old account.

Called MS and was quoted the 22 day investigation while they suspended my account and I had them remove my CC from file.

Called my bank and my charges is still 'pending' and was told to call back immediately if and when the charges ever actually go through. Apparently the bank can't block the charges at this point, but seems they will be very helpful in helping to refund if they do get through.

What a pain in the ass.
 
Got my account hacked, they bought 10000 points. I dont even own a 360, only had it for Fallout 3 DLC.

Changed my password and removed my CC from the site. Anyway to delete my account without a 360?
 

Brandon F

Well congratulations! You got yourself caught!
Just got an e-mail from EA thanking me for downloading 'FIFA 11 Ultimate Team'. I guess I know where my stolen points went...

sigh.
 

LAUGHTREY

Modesty becomes a woman
XxCGSxX said:
More and more people's account are being stolen, MS should respond to this immediately.
They wont. They really wont.

This is such a small % that they won't say anything about it because it'll just make it into a bigger deal.
 
XxCGSxX said:
More and more people's account are being stolen, MS should respond to this immediately.
Still think its user error/security problems. What do you want MS to say? stop being stupid and viewing fishy websites?

:p
 
I decided to switch to a much more secure password on my Live account after reading through this thread. But when I turned on my 360 earlier, it logged in without prompting me for the new password I had set.

Is this how it's supposed to work? Is it logging in with a hardware ID or something?
 

user_nat

THE WORDS! They'll drift away without the _!
djm said:
I decided to switch to a much more secure password on my Live account after reading through this thread. But when I turned on my 360 earlier, it logged in without prompting me for the new password I had set.

Is this how it's supposed to work? Is it logging in with a hardware ID or something?
The account is already on your xbox. You would only need the new password when recovering the account to a different box or logging into the website.
 
Makes sense. I have zero experience recovering gamertags onto other 360s, so I was confused. Usually when you change a password and something has it stored, you need to put in the new one.
 
Hopefully things pick up after today, because i'm worried about whether Xbox support staff is actually investigating anything at all. No emails at alternate email account or phone calls yet.
 
Brandon F said:
So yea, same thing happened to me. A 6000 and a 4000 purchase was charged, much like most of you. When I logged into my Windows Live ID on XBox.com, I had to reset my password(old one wasn't working). Further, when I did reset my pass, a dummy gamertag replaced my standard one, so I can't even track anything that occurred to my old account.

Called MS and was quoted the 22 day investigation while they suspended my account and I had them remove my CC from file.

Called my bank and my charges is still 'pending' and was told to call back immediately if and when the charges ever actually go through. Apparently the bank can't block the charges at this point, but seems they will be very helpful in helping to refund if they do get through.

What a pain in the ass.
This is exactly what happened to me. Except that was in the middle of July.
 
Brandon F said:
And nothing has been done to fix it since?
Well, when I initially called I couldn't give them my system ID because my Xbox was red ringed. After a few weeks they called for a follow up, I managed to get my Xbox to boot and give them the information they needed.

YESTERDAY they sent me an email:

Dear Xbox LIVE Customer,

Your report of unauthorized access to your Xbox LIVE account has been received by our fraud investigations team. To protect your privacy and account information, your Xbox LIVE account is temporarily locked and sign-in is disabled. If you use this Windows Live ID for any other Microsoft services, they will also be locked during our investigation. Your account cannot be accessed by anyone outside of our fraud investigations team. No charges or changes can be made to your account while we investigate.

Our investigations are currently taking up to 21 days, with our goal being to unlock your account as quickly as possible. We ask for your continued patience as we investigate this case. We are providing you a free, 30-day Xbox LIVE membership code that you can use to create a new, temporary account or save and add to your own account.

Please accept this prepaid code with our apologies for the delay:

If we verify that fraudulent purchases were made on your Xbox LIVE account while your account was not under your control, the purchase amounts or Microsoft Points will be refunded. Refunds may be processed within the next 10 business days after we conclude our investigations, but may take up to 30 days before they appear on your credit card billing statement.

Please continue to check your email for status updates regarding this case. We may email you with additional questions to help complete our investigation.

Sincerely,
The Xbox LIVE Investigations Team
The code is useless to me, since for all intents and purposes I don't even own an Xbox anymore. So no they haven't done anything since and my bank says that Microsoft has to deny my claim for them to do anything. At this point I'm treating the money as lost and will buy myself something nice when it comes back. Fucking Microsoft.
 
Just got the exact same email today. I called Xbox when this happened almost 2 weeks ago. I wonder, does the 21 days start now or when I called. Oh well, at least I know something is happening now.