
Wow was my Windows live/ Xbox account just hacked?

wutwutwut

Member
OldJadedGamer said:
"when someone is unknowingly coerced into revealing confidential information"

That is where I stopped reading. Don't give out your account details, don't get hacked.
That's not good enough when multifactor authentication (cf Steam Guard, Google Authenticator) exists.
 

sixghost

Member
Speedymanic said:
That people claiming they've been hacked even though they had secure passwords haven't in fact been hacked, but had poor passwords/used the same password over different accounts/services.

Seems odd that with the number of members on Live that this isn't a bigger issue.
So you not being hacked is proof that it's impossible for this to happen with a good password?

I suppose since my house has never been broken into, everyone who's ever had their house broken into must have had shitty locks or left the door open.
 
Speedymanic said:
How secure?

For example, my password resembles the following - two symbols followed by two capital letters followed by three numbers followed by another two symbols which are followed by three capitals and it's topped off with a mixture of two more symbols and three letters/numbers.

I haven't been 'hacked'.

over 50 bits of entropy, not reused on any other account

i just came to report my issue, so find someone else to crusade against, good warrior
 

Teknoman

Member
Speedymanic said:
That people claiming they've been hacked even though they had secure passwords haven't in fact been hacked, but had poor passwords/used the same password over different accounts/services.

Seems odd that with the number of members on Live that this isn't a bigger issue.

Regardless, with a company like Microsoft that even sells security software...shouldn't their own services, especially those that store financial information, be pretty secure? Especially from people doing petty things like buying DLC. Also shouldn't a complete nonsense word with numbers added work as well?
 

Brandon F

Well congratulations! You got yourself caught!
Eight years of premium Live subscription here with no issues until last month when I got hacked.

There has been no actual substantive evidence from MS or the 'hackers' as to how this leak is occurring. Therefore it is purely speculation as to how 'secure' my password may have actually been, or if MS service has severe leaks.

Given all of the account theft that has occurred lately in such a minuscule amount of time, all with the same M.O., something 'is' seriously amiss. I would reason beyond merely how well ordered our password characters are.
 
sixghost said:
So you not being hacked is proof that it's impossible for this to happen with a good password?

I suppose since my house has never been broken into, everyone who's ever had their house broken into must have had shitty locks or left the door open.

Don't be ridiculous.

A Twisty Fluken said:
over 50 bits of entropy, not reused on any other account

i just came to report my issue, so find someone else to crusade against, good warrior

What makes you think I'm WK for MS? I asked a question, you replied. Leave it at that and drop the attitude.

Teknoman said:
Regardless, with a company like Microsoft that even sells security software...shouldn't their own services, especially those that store financial information, be pretty secure? Especially from people doing petty things like buying DLC. Also shouldn't a complete nonsense word with numbers added work as well?

True, but then we don't know what's actually happened here. Maybe HM/WLID was 'hacked' or passwords were obtained through other means. It doesn't necessarily mean that the service isn't secure.

To be honest, there aren't that many reports at the moment, so it could be few isolated cases that are linked to a security problem somewhere else in the chain. (email accounts being the most likely culprit)
 

Deepo

Member
So my friend just told me some guys had bought 11000 MS points with his account and used them for NHL 12 stuff.

Just adding another voice to the choir. Surely we are seeing a pattern here?
 

LAUGHTREY

Modesty becomes a woman
I still feel like my account isn't safe. I've changed passwords on everything and have a separate email for my windows live account, but I'm still going to remove my credit card and pay in only points cards from now on I think.

I mean, if they got into my email, gmail tells you when your IP has changed. I would've known what happened, I still don't know exactly what happened to me.
 

bender

What time is it?
Thoraxes said:
Damn, I just want my $75 back.
I really don't want to have to the BBB just to get this shit situated. I really don't.

If that helps force Microsoft's hand, it's probably worth the effort.

I wonder if starting a Google doc for those who have been hacked listing Gamertag(?), email provider, case number, and status of support case would be useful. With enough instances maybe an outlet or two would pick up the story.
 

Brandon F

Well congratulations! You got yourself caught!
Speedymanic said:
To be honest, there aren't that many reports at the moment, so it could be few isolated cases that are linked to a security problem somewhere else in the chain. (email accounts being the most likely culprit)

To be honest, as I reasoned above the ONLY sources that are capable of determining the ACTUAL number of reports is either Microsoft or those responsible. Until this data surfaces, stop insinuating you actually have -any- clue what is going on.

Many of us have already stated using separate passwords for our Live account versus our e-mail. Many have also stated widespread reports of 'hundreds' of stolen accounts being auctioned off internationally. The M.O. for these hacks follow a clear and consistent pattern and have been growing rapidly in a short amount of time. Clearly these reasons alone, bereft of the actual percentage of the total subscriber pool, merit some sort of examination.

Hence the entire point of this thread; to raise awareness, and give victims a collective voice to share experiences in how best to handle the issue.
 

Kikarian

Member
I heard a few stories of people having their account hacked lately. Maybe a group, trying to get something off Microsoft.
 

Ding

Member
My account was hacked on Wednesday. I happened to be online at the time, which probably helped limit the damage a bit. I was playing (single player) Gears 3, when I was suddenly logged off of Live. I was unable to log back on, due to some sort of invalid profile error.

Yesterday, I noticed I still couldn't log in, and ended up calling support. Someone had logged on to my account, changed my Live ID, changed the "secret question", and bought some space bucks. The system noticed something shady about this. (Probably due to "me" being active on two devices simultaneously.) It auto-locked my account, and auto-refunded the money that was spent.

I was very pleased about how professional the customer service reps were. But I'm very unhappy about how long the "investigation" is going to take. They told me it might be 25 days. I'm glad they are taking such things seriously, but I can't see why my account couldn't be unlocked more-or-less immediately.
 

epmode

Member
I really wish Microsoft required you to verify your account if you attempt to change the password from inside a Live account. The way it is now, external email addresses are only used if you've forgotten the password. So if someone manages to get into your Live account settings, they can reset your password without having access to your email.
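
The safeguard described in the post above, sketched as an added example (not part of the original post and not Microsoft's code): a password change requested from inside a logged-in session is only staged, and takes effect after a one-time token sent to the external address is presented. The `Account` class, its field names, the `outbox` list standing in for mail delivery, and the 15-minute validity window are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window for the e-mailed token


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record; field names are illustrative only."""

    def __init__(self, password: str, external_email: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.external_email = external_email
        self.pending = None  # staged change awaiting confirmation
        self.outbox = []     # stands in for mail delivery: (recipient, token)

    def check_password(self, password: str) -> bool:
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(self.pw_hash, candidate)


def request_password_change(account, new_password, now=None):
    """Called from a logged-in session. Stages the change, does not apply it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    new_salt = secrets.token_bytes(16)
    account.pending = {
        # Only a digest of the token is kept server-side.
        "token_digest": hashlib.sha256(token.encode()).digest(),
        "salt": new_salt,
        "pw_hash": _hash_password(new_password, new_salt),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    # The token goes to the external address only, never back to the session,
    # so holding the session alone is not enough to complete the change.
    account.outbox.append((account.external_email, token))


def confirm_password_change(account, token, now=None) -> bool:
    """Apply the staged change if the token is valid, unexpired and unused."""
    now = time.time() if now is None else now
    pending = account.pending
    if pending is None:
        return False
    if now > pending["expires_at"]:
        account.pending = None
        return False
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, pending["token_digest"]):
        return False
    account.salt, account.pw_hash = pending["salt"], pending["pw_hash"]
    account.pending = None  # single use: the same token cannot be replayed
    return True
```

The same gate would have to cover changes to the external address and the secret question, otherwise whoever holds the session can redirect the token first.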
 

Sanchito

Member
My account was hacked back on August 13th. I have called MS every 3 days or so to see what the deal is. Same shit.. check back in a couple of days. The last person I spoke to told me to call back Monday, as it would have been more than 25 business days since the investigation.

Those hacker assholes charged $49 bucks in points. Lucky for me, the bank refunded my money in a matter of a few days.

What pisses me off more, I can still see what the person is doing with my account on raptr.
 

strata8

Member
I have a very complex password that's unique to my Windows Live account, Steam, and Paypal. For everything else I use a more generic password. Seems to be the safest way to go about things.
 

deim0s

Member
Why don't we hear about this in the news/gaming blogs? This is worse than the PSN hacks and downtime a few months ago.
 

AlexMogil

Member
The thing I don't get about all this is how are they getting the Live account that is associated with the Gamertag in the first place? It isn't publicized and there's no way for any one to find out what Live account is associated with your Gamertag. So doesn't this mean that there has to be social engineering going on?
 

Zerokku

WHAT HAVE YOU DONE?
Thoraxes said:
Damn, I just want my $75 back.
I really don't want to have to the BBB just to get this shit situated. I really don't.

Hell, my investigation is complete, but my account still frozen and money not yet returned. Once it hits 5:00 tomorrow, if I haven't received the email response the support lady said I would "within 24-72 hours" (That was at 5:00 on thursday), I'm calling and raising hell. If it isn't fixed by Tuesday, I'm writing to the BBB. This is ridiculous.
 
NotTarts said:
I have a very complex password that's unique to my Windows Live account, Steam, and Paypal. For everything else I use a more generic password. Seems to be the safest way to go about things.
You should have a unique password for every site. Or at least the ones with access to personal details. Especially your main email account.

Different applications/services are more or less suitable depending on your needs.

KeePass is what I went with as I have trust issues with the cloud, which may be an irrational worry. Or not.
Don't forget to back up. And don't overwrite old backups, you may need them if the current database gets corrupted somehow.
Also, when updating a password in KeePass, don't overwrite the old entry in your KeePass database before the site has accepted the new password.

1Password costs money, so I never bothered checking the specifics. But apparently it costs money for a reason.
LastPass is cloud-based, so pretty carefree and convenient, plugs into your browser to autofill forms, save login details and such. As long as you've got your password, eventual multi-auth thing and internet access, you can essentially access your passwords from anywhere, any platform.
 

smurfx

get some go again
one of you needs to email your problem to your local news station if they have some kind of consumer helper segment. if you get lucky and have the segment air then microsoft will finally acknowledge the problem.
 
Zerokku said:
Hell, my investigation is complete, but my account still frozen and money not yet returned. Once it hits 5:00 tomorrow, if I haven't received the email response the support lady said I would "within 24-72 hours" (That was at 5:00 on thursday), I'm calling and raising hell. If it isn't fixed by Tuesday, I'm writing to the BBB. This is ridiculous.

What do you mean the money isn't returned?? Call YOUR BANK OR CC to get them to refund the money - don't wait for Microsoft, dude.
 
Brandon F said:
To be honest, as I reasoned above the ONLY sources that are capable of determining the ACTUAL number of reports is either Microsoft or those responsible. Until this data surfaces, stop insinuating you actually have -any- clue what is going on.

Many of us have already stated using separate passwords for our Live account versus our e-mail. Many have also stated widespread reports of 'hundreds' of stolen accounts being auctioned off internationally. The M.O. for these hacks follow a clear and consistent pattern and have been growing rapidly in a short amount of time. Clearly these reasons alone, bereft of the actual percentage of the total subscriber pool, merit some sort of examination.

Hence the entire point of this thread; to raise awareness, and give victims a collective voice to share experiences in how best to handle the issue.

'Hundreds' of stolen accounts and yet there are only a few dozen reports? Hell, there was more fuss made about the bannings of a few dozen a couple of weeks ago, with numerous sites picking up that story within hours, this has been happening for weeks and yet a single site hasn't picked it up, I wonder why that is?

As I said, there aren't many reports yet and with that in mind, it's much more likely that this is some phishing scam/social engineering opposed to an actual hacking of MS' database with 'hundreds' of accounts stolen.

If MS had been hacked or if hundreds of accounts had been stolen, it would be a much, much bigger story. This is down to individual people being careless with their personal info....
 
Someone just bought 18000 ms points on my account. Both my credit card support and the xbox live support phone services are closed atm. Dunno what to do, that's 300 bucks! :(

EDIT: 18000 ms points, not 1800.
 

Zerokku

WHAT HAVE YOU DONE?
bababouille said:
Someone just bought 1800 ms points on my account. Both my credit card support and the xbox live support phone services are closed atm. Dunno what to do, that's 300 bucks! :(

Called it just now, working for me. Haven't gotten to a person yet, but call has gone through like normal.
 

Zerokku

WHAT HAVE YOU DONE?
Sorry for the double post, but...

Finally! It seems good Support Representatives only work on sundays or something, as out of 6 calls the past two weeks, the only times I've been helped properly were last sunday and today. The guy recognized the problem, explained the issue, sent me the appropriate emails, and sent the emails he needed to to the investigation/support team, and I should be able to log in properly around this time tomorrow. Was incredibly knowledgeable as opposed to the two people fumbling around on tuesday and thursday.

Thank god. I'll keep updated on my situation, but I don't foresee there being a problem after this.
 

epmode

Member
bababouille said:
Someone just bought 1800 ms points on my account. Both my credit card support and the xbox live support phone services are closed atm. Dunno what to do, that's 300 bucks! :(
That's $22.50

Unless you forgot a zero?
 
I also got hacked a couple days ago, someone bought 18000 points worth 300 dollars and then proceeded to spend it all on useless Legendary Packs. I called, they gave me a ticket number after I explained everything and I'm waiting for them to call back.
 
Zerokku said:
Called it just now, working for me. Haven't gotten to a person yet, but call has gone through like normal.
Oh man thanks for that. Since I live in Quebec, Canada, the xbox website's default language is French, and the support page showed the opening hours in France. So I called and like for everyone else they'll be conducting a 25-day investigation on the fraud.

epmode said:
That's $22.50

Unless you forgot a zero?
Right, my bad, it was 3 purchases of 6000 points, so it was 18000 points ~ 300$.
 

AlexMogil

Member
It's like they have this automatic procedure, now. Like they know it's going to happen anyway.

I still don't understand how they are getting the info. How do they know the Windows Live account associated with the Xbox account?
 

M3d10n

Member
AlexMogil said:
It's like they have this automatic procedure, now. Like they know it's going to happen anyway.

I still don't understand how they are getting the info. How do they know the Windows Live account associated with the Xbox account?
It's probably the opposite: they hacked into Windows Live and found Xbox accounts associated with it.
 

Universaldamps

Neo Member
Got home from work last night and had three emails saying I had bought 2x Xbox Live Family 12 month subscriptions and 6000 microsoft points totaling $338. Considering I knew nothing of the purchases, I immediately knew my account had been breached somehow. Called my bank, canceled my credit card. I then called MS and initiated an investigation, meaning my account was frozen etc. He said it's going to take 3 - 4 weeks.. sigh.

This sucks major wang. I only JUST bought a 3 month prepaid live subscription to enjoy Gears 3 online, and this shit happens. I've noticed that the 6000 MS points had been transferred to another person's account. I got an email saying "the transfer has been completed blah blah" and it actually included the recipient's gamer tag. Needless to say I let the Xbox support person know.

I guess I've learned my lesson. I'm never tying my credit card with my console accounts again :-(

Edit: From reading some of these posts, it seems like it might be a hassle to get my money back. Should I talk to the bank about it instead?
 

Zoe

Member
^ canceling your card was overkill. These people are making charges by gaining access to your Live account, not by accessing your card.
 
Universaldamps said:
Got home from work last night and had three emails saying I had bought 2x Xbox Live Family 12 month subscriptions and 6000 microsoft points totaling $338. Considering I knew nothing of the purchases, I immediately knew my account had been breached somehow. Called my bank, canceled my credit card. I then called MS and initiated an investigation, meaning my account was frozen etc. He said it's going to take 3 - 4 weeks.. sigh.

This sucks major wang. I only JUST bought a 3 month prepaid live subscription to enjoy Gears 3 online, and this shit happens. I've noticed that the 6000 MS points had been transferred to another person's account. I got an email saying "the transfer has been completed blah blah" and it actually included the recipient's gamer tag. Needless to say I let the Xbox support person know.

I guess I've learned my lesson. I'm never tying my credit card with my console accounts again :-(

Edit: From reading some of these posts, it seems like it might be a hassle to get my money back. Should I talk to the bank about it instead?

Good god yes. This should be your first action, not waiting on MS.
 

Universaldamps

Neo Member
BigNastyCurve said:
Good god yes. This should be your first action, not waiting on MS.

Hmm alright. Will there be any repercussions resulting on my xbox live account if I get the bank to do a charge back? I've got a fair few xbl arcade games tied to it etc. Not sure if I want the account to be permanently suspended!
 

Yagharek

Member
Zoe said:
^ canceling your card was overkill. These people are making charges by gaining access to your Live account, not by accessing your card.

No, it's not overkill. Most CC issuers (i.e. banks) have a requirement that as soon as you suspect your card might have been compromised, you are obliged to inform them ASAP to cancel the card.
 

LAUGHTREY

Modesty becomes a woman
Universaldamps said:
Hmm alright. Will there be any repercussions resulting on my xbox live account if I get the bank to do a charge back? I've got a fair few xbl arcade games tied to it etc. Not sure if I want the account to be permanently suspended!

If you can't, do you really want to continue using XBL? Are you alright with someone being able to steal your money and then having to wait for Microsoft?


I'd say contest the charges with your bank, and hope that MS is understanding. If not, then they don't deserve your business anyway.
 

chewydogg

Member
Finally regained control of my account. After talking to four different service reps, I found someone that could help. I was directed to the Windows Live help forums where a moderator was apparently able to flip a switch and unblock my WinLive account.

When I recovered my gamertag, I discovered that someone from Chile had control of my account (country was changed, new "friends", tons of messages in Chilean) up until Sept. 11. How is this possible when I called XBox on Aug. 23? The rep told me he was blocking it while I was on the phone. The impostor had bought a handful of games, including SF3 and Shadow Planet. MS removed all the games and added 240 MS points. They didn't remove any of the achievements that he ... achieved.
 
My older brother had his account compromised in the middle of August, he didn't even know about it until last week either. He tried to buy MSP and was unable to, then tried to add MSP with a point card and was unable to. He called XBL CS and was told that someone accessed his account in August and attempted to purchase a 6000 and 1600 MSP bundle, for whatever reason MS stopped the charge without contacting my brother and refunded the attempted charge to the credit card on his account and froze the account also. So, he wound up changing the password, the live email and the secret question. What kills me is he doesn't play many games, mostly CoD:Bo and his wife's email was the one linked to his gamertag. So why I don't know how someone would have gotten her email and his password. He doesn't have an FB, though she does...and her email password is different from the one he had for his Live account. I find it strange that this seems to be happening more often now than ever, makes me think it has more to do with "tricking" XBL support into helping recover an account that is not yours to recover. What I also find odd is that almost all of the instances I have seen have the account in question buying the points or using existing points to purchase nothing but EA unlockables. Is it just me or is there little value in EA unlockables for Fifa/NHL/NFL/Tiger...(**conspiracy**) This is all being done by EA somehow....dundundun...(/**conspiracy**)
 

Brandon F

Well congratulations! You got yourself caught!
Spent about 45 minutes on the phone with another rep today, much more helpful than usual. My quoted wait period(22 days) has expired and still haven't heard anything, but was promised that in the next day or two I should hopefully be back in business.

The big problem however is that the hacker migrated my account to a different country(UK) and thus that will be the region to which my gamertag is locked in as. There is supposedly between 120 days and 1 year before my original region(US) can be restored(it is not an easily reversible process). Essentially in the interim time for that to fix, conflicts may occur with my DLC and online play regarding my region, such as select titles may not function properly(ie. EA purchases and such, dependent on the publisher). So basically my current Mass Effect 2 DLC on my console may actually not access correctly when handshaking due to the region conflict. Even worse is that purchases will likely require the country currency, and that may entail getting UK point cards for new DLC and XBL games.

Ugh. I know many of us have had our regions changed due to this shitstorm(Russia, China, etc...) so I'd like to hear some thoughts from people that are back up already. News just keeps getting worse. :(
 

Ardenyal

Member
Crimson Angelus said:
What I also find odd is that almost all of the instances I have seen have the account in question buying the points or using existing points to purchase nothing but EA unlockables. Is it just me or is there little value in EA unlockables for Fifa/NHL/NFL/Tiger.
Ultimate team coins are sold on Ebay just like WoW money, so i guess that's what they do to turn the MSP into real money.
 

Animaniac

Member
Ugh... just had my account compromised too. The fuckers stole over $300 from my credit card. They bought 12000 MS points and a Gold Family Pack.


I changed the password on my account and called the bank to cancel the card. The bank said I can file a fraudulent charge claim and I will most likely get the money back. I phoned Xbox live support but they had closed for the night so I sent them an email instead.

The weird thing is that it wasn't even my main account, it was an account I just set up to watch Foxtel on the 360 in the bedroom. The only reason a cc was attached is because you need to have Gold to use Foxtel via Xbox.

I really don't trust MS with my cc anymore.
 
Ok, I'm confused. How are these "hackers" gaining access to XBL accounts? What are they doing? And what can someone do to protect themselves?

Is it a keylogger via Games for Windows? Or just guessing weak passwords?
 
Animaniac said:
Ugh... just had my account compromised too. The fuckers stole over $300 from my credit card. They bought 12000 MS points and a Gold Family Pack.


I changed the password on my account and called the bank to cancel the card. The bank said I can file a fraudulent charge claim and I will most likely get the money back. I phoned Xbox live support but they had closed for the night so I sent them an email instead.

The weird thing is that it wasn't even my main account, it was an account I just set up to watch Foxtel on the 360 in the bedroom. The only reason a cc was attached is because you need to have Gold to use Foxtel via Xbox.

I really don't trust MS with my cc anymore.
Has MS made an official statement regarding this yet?

Or has anyone determined a cause or some sort of common theme between hacked accounts yet?

I have changed my passwords and cleared as many cards from unused accounts just to be as safe as I can be - I count myself pretty lucky I haven't got any suspicious emails yet.

I feel for all those who have been affected, but it's good to see that many banks are being helpful in resolving the 'fraud' issue and lost funds.
 
Snkfanatic said:
This thread made me remove my credit card info from XBL....cards from now on for me.

Yea, I have an expired card currently listed and I'm going to be sticking to cards. I can't deal w/ this. Hell, the reason I have an expired card is because my bank invalidated that one after the PSN hack.
 

Grecco

Member
darkwing said:
what do these hackers get? i mean they just buy stuff for the account, are they just trolling?


It's either the FIFA packs that they sell on Ebay, or buying points/family packs to sell accounts on the internet.


There are places where you can buy xbox accounts with 12,000 plus microsoft points for real cheap prices, and it's obvious they are stolen accounts.
 

Teknoman

Member
Got my investigation finished/recovery email today along with 3 months of XBL ( Two 1 month codes + the code they sent earlier). Hopefully everything goes smoothly.
 