I haven't posted here in forever, but I feel like I need to leave an imprint on this thread with as much information as I have available.
I have never in my life had an account compromised. For the most part, I use different passwords for any account that could possibly be tied to financial data. I live alone, so all of my hardware is completely under my control. I don't log on to public terminals, I don't store any account passwords on my smartphone, and the two computers I use (one at home, one at work) are virus/rootkit free and are scanned often out of paranoia.
That said, on Sunday, Sept 3rd, I received some emails regarding a 4000/6000 points package purchase from my XBL account, and then an hour later, an email notifying me that my XBL account had been transferred to Brazil. Of course I phoned XBL support right away and reported it, and the lady I spoke with told me that points are not normally transferable, but what some people have been doing lately to get around this is to assign the stolen account as a child under a family account, and then merge it in. Bunch of shit.
The security question on the associated Windows Live account was also changed, but I was able to get back into it via their advanced account recovery thing that asked me several questions about the account.
Three weeks later the $120 or so was refunded to my credit card, and I got a code for a free month of Gold with the notice that "I may be contacted again within 30 days" - meanwhile, I still don't have my gamertag back and probably won't get it back unless I do some creative chain escalation, which I probably will do once my case has been completely closed out, if it doesn't result in complete restoration.
---
I have a pretty damn good idea of where my credentials got ganked from. When the Gawker breach occurred, I indeed found my email address (the same one that was assigned to my XBL account) in the database, along with the password that I haven't used for anything in years... well, the password had been saved to my Xbox for years as well and I'd never gotten around to changing it. The password was encrypted in the database, but anyone with a bit of time on their hands could crack it if they wanted.
On the other hand, a friend of mine who's also pretty paranoid recently had the same exact thing happen to his XBL account, and his attached email address was NOT in the Gawker database, so I don't know what the hell.
No Raptr account here either. The service that got hacked must have been around a while, because the password I was using for my XBL account was one that I hadn't assigned to any new account in probably 2 years or so.
I suspect that the people who actually performed the unauthorized purchases on our ganked accounts probably bought the entire accounts from some underground reseller - the majority of account transfers I'm seeing are going to Russia and Brazil.
Edit: hopefully the last edit. I'm stuck on the Gawker breach theory because I remembered I got an email from Facebook telling me "welcome back!" to which I thought "the hell is this phishing attempt shit?" - I'd deactivated my Facebook account about as many years ago and it too used the same password, so it seems that whoever had decided I was next on the scrubbing list made the rounds.
Reading through the last few pages, though, it seems that many of you had used XBL passwords that were completely unique, so I don't know what the hell to think.