Xbox Live Account Hacked :sadface

#1
Looks like my Xbox Live Account was hacked this afternoon. When I went to go check my email, about an hour ago, I got something from Microsoft about 4000 MS point activation confirmation. I thought it was odd since I haven't bought points since early May. I go to xbox.com first to make sure everything is "okay." It showed I had 1 point left and the last game I "played" was Fifa '11, which I don't own.

So I go to change my password and security question and then I log into billing.microsoft.com to see where the points went. Looks like they bought a 4000 point bundle and another 6000 point bundle. After that, it basically shows this:



I called Xbox Support and they are filing an Unauthorized Access claim on my account and I should find something out in 1-15 days. Until then they are locking my account, so I can't access Xbox Live/Windows Live during that time. Tomorrow, I need to call my bank to claim fraudulent charges.

After some searching on Google by a friend, he found that this was fairly common. People accessing other people's account purchasing Ultimate Team card packs and selling them on Ebay. I didn't find anything about this here, but I did find a thread on Giant Bomb. So watch out. :(
 
#4
I've actually tried to remove my CC from Xbox Live, but can't because my ex's friend, on accident, signed me up for one of those 3 months of XBL for $5 things the catch being I need to get a full year of Xbox Live. So, unfortunately, I can't remove my CC info. As much as I've tried. :(
 
#6
When all of the hack news about PSN started going around I removed my credit card from all major online services. Never hurts to be too careful, I suppose. Hope everything works out, OP.
 
#7
The Broken Ska Record said:
I've actually tried to remove my CC from Xbox Live, but can't because my ex's friend, on accident, signed me up for one of those 3 months of XBL for $5 things the catch being I need to get a full year of Xbox Live. So, unfortunately, I can't remove my CC info. As much as I've tried. :(
You have to call them or wait until your account is silver and remove it via Xbox.com

Why doesn't Microsoft tell you this anywhere? Why would they?
 
#9
Jeez, that is unfortunate! Well, at least you aren't freaking out and have taken steps to get things sorted out, that's what really matters. You have a strong soul
 
#10
I've been unable to remove my CC from Xbox Live for years. The website always errors out when I try and I spent almost two hours on the phone for nothing. But now that I just got a new credit card number, Microsoft and Sony can keep the old one for all I care. Point cards from now on.
 
#11
Cday said:
You have to call them or wait until your account is silver and remove it via Xbox.com

Why doesn't Microsoft tell you this anywhere? Why would they?
Yea, I have to wait at least a year, so until early August to remove it. At least I hope so.

FTH said:
Jeez, that is unfortunate! Well, at least you aren't freaking out and have taken steps to get things sorted out, that's what really matters. You have a strong soul
Thanks. I was a little freaked out when I saw it, and luckily Xbox Support was still open this late on a Sunday.

Persona7 said:
You should probably change all your passwords and virus scan your computer and flash drives/media players/external hard drives
I actually ran an MSE scan about an hour before I saw the email.
 
#12
It is kinda weird that similar "hacks" only happen through Fifa. Though even weirder that the OP says he doesn't own/plays Fifa. Was the account at some moment/point recently used on another Xbox/friend's-unit that happens to play Fifa?
 
#13
fernoca said:
It is kinda weird that similar "hacks" only happen through Fifa. Though even weirder that the OP says he doesn't own Fifa. Was the account at some moment/point recently used on another Xbox/friend's-unit that happens to play Fifa?
Nope. I haven't used my XBL account on another friend's Xbox in a few years. And even then, said friend doesn't have his 360 anymore or have any interest in Fifa.
 
#14
The Broken Ska Record said:
Nope. I haven't used my XBL account on another friend's Xbox in a few years. And even then, said friend doesn't have his 360 anymore or have any interest in Fifa.
Really weird then. Wonder how it was hacked.

Another user recently posted something similar, but he actually played Fifa; and also said he clicked through one of those "phishing-scams messages" that promises points and Gold subscriptions.
 
#17
I remember reading about people getting account info via some sort of phishing message they send you on Xbox Live. This was some time ago so I'm not sure if it's still a problem.
 
#19
epmode said:
I've been unable to remove my CC from Xbox Live for years. The website always errors out when I try and I spent almost two hours on the phone for nothing. But now that I just got a new credit card number, Microsoft and Sony can keep the old one for all I care. Point cards from now on.
Yeah, good luck with that. MS is good at still being able to charge old cards.
 

Gen X

Trust no one. Eat steaks.
#20
The Broken Ska Record said:
Looks like my Xbox Live Account was hacked this afternoon. When I went to go check my email, about an hour ago, I got something from Microsoft about 4000 MS point activation confirmation. I thought it was odd since I haven't bought points since early May. I go to xbox.com first to make sure everything is "okay." It showed I had 1 point left and the last game I "played" was Fifa '11, which I don't own.

So I go to change my password and security question and then I log into billing.microsoft.com to see where the points went. Looks like they bought a 4000 point bundle and another 6000 point bundle. After that, it basically shows this:

http://i.imgur.com/RwVHU.jpg

I called Xbox Support and they are filing an Unauthorized Access claim on my account and I should find something out in 1-15 days. Until then they are locking my account, so I can't access Xbox Live/Windows Live during that time. Tomorrow, I need to call my bank to claim fraudulent charges.

After some searching on Google by a friend, he found that this was fairly common. People accessing other people's account purchasing Ultimate Team card packs and selling them on Ebay. I didn't find anything about this here, but I did find a thread on Giant Bomb. So watch out. :(
Had you sold your 360? If they bought all that stuff then it will be tied to your XBL account won't it so I don't see how it will be any use to them. Best you set up a passcode for logging into XBL when you sign in with your Gamertag.
 
#21
My friend had his broken, hackers hacked him to level 100 in gears 2, he can't get achievements or anything else either.

This is where it gets weird, they also bought gears of war 1, along with a shit load of soccer and football game stuff.

Microsoft refunded him completely though, here's hoping you can too.
 

ant_

not characteristic of ants at all
#22
Happened to me as well, except the guy also changed my gamertag to something pretty racist/derogatory.

Called Xbox Support and we got it worked out, and they refunded all my money. Just give it time, they should be able to work it out.
 
#23
Do you have a really simple password? If your password is just a word or even two words put back to back it would be easily bruteforced to "hack" your account(s). Also, if you made your secret answer (dog's name / mom's maiden name) available on forums/facebook it could be available via an easy internet search for people to get easy access to "hack." No one is going to go to the bother of hacking separate accounts. They'd rather just hope to stumble in.

If you know you did not make those mistakes, then it could be that you just got unlucky.
 
#24
Thanks everyone. I have no doubt MS will refund the amount that was charged, and I don't mind waiting, honestly.

Gen X said:
Had you sold your 360? If they bought all that stuff then it will be tied to your XBL account won't it so I don't see how it will be any use to them. Best you set up a passcode for logging into XBL when you sign in with your Gamertag.
I sold my 360 a year ago to get the Slim. I don't remember if I deleted my account before I traded it into GameStop or not.

Keyser Soze said:
Do you have a really simple password? If your password is just a word or even two words put back to back it would be easily bruteforced to "hack" your account(s). Also, if you made your secret answer (dog's name / mom's maiden name) available on forums/facebook it could be available via an easy internet search for people to get easy access to "hack." No one is going to go to the bother of hacking separate accounts. They'd rather just hope to stumble in.

If you know you did not make those mistakes, then it could be that you just got unlucky.
My old security question was my favorite childhood movie, so it's possible and my old email address was a word with numbers at the end. The only thing I could THINK of what happened was I was looking for drivers for using a PS3 controller with PC. I may have stumbled on a disreputable site or clicked something I shouldn't have when I was there.
 
#28
It's incredible that there's always Fifa involved; that game is such a scam fest lately it's unbelievable.

Like others suggested, maybe it has to do with some keyloggers you accidentally stumble upon (or maybe someone else using your computer?).

That's pretty common. Have you ever used some "get free microsoft points" site or similar?
 

Stumpokapow

listen to the mad man
#29
Keyser Soze said:
Do you have a really simple password? If your password is just a word or even two words put back to back it would be easily bruteforced to "hack" your account(s).
Although bruteforcing a simple password offline given a particular hash is computationally easy, it is virtually impossible to do so online, both because the cost of an attempt is high (minimum 1 second) and because most online login interfaces have a limiter on number of failed password attempts before locking an account.

Maybe to make this more clear, think of it this way; assuming your password is 8 characters or fewer made of capitals, lowercase letters, and numbers (no symbols), there are 221,919,452,000,000 possibilities. At one access attempt per second, it would take 7 million years to exhaust the search space.

Cracking the same password offline against a hash may take only a few hours, or less with a rainbow table.
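
The figures in the post above can be checked, and the "limiter on number of failed password attempts" modelled, with the following added example (not part of the original post). The lockout parameters (5 failures, 15-minute lock) and the 3-hour offline figure are assumptions chosen for illustration.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = 26 + 26 + 10  # capitals, lowercase letters, digits (no symbols)

def keyspace(alphabet_size, max_len):
    """Count of all passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def rate_for_hours(space, hours):
    """Guess rate an offline search would need to finish in `hours`."""
    return space / (hours * 3600)

class LockoutLimiter:
    """Per-account limiter: after max_failures failed logins, refuse all
    attempts for lock_seconds (assumed policy, not any vendor's)."""
    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # account -> failures since last lock
        self.locked_until = {}  # account -> time the lock expires

    def allow(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        count = self.failures.get(account, 0) + 1
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            count = 0
        self.failures[account] = count

def guesses_admitted(limiter, account, duration_s):
    """Simulate one wrong guess per second for duration_s seconds and
    count how many the limiter actually lets reach the password check."""
    admitted = 0
    for now in range(duration_s):
        if limiter.allow(account, now):
            limiter.record_failure(account, now)
            admitted += 1
    return admitted

def compare():
    space = keyspace(ALPHABET, 8)
    per_day = guesses_admitted(LockoutLimiter(), "constructed-account", 86400)
    return {
        "keyspace": space,
        "years_online_1_per_s": years_to_exhaust(space, 1),
        "guesses_per_day_with_lockout": per_day,
        "years_online_with_lockout": years_to_exhaust(space, per_day / 86400),
        "offline_rate_for_3_hours": rate_for_hours(space, 3),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.0f}")
```

With the assumed lockout policy the limiter admits 480 guesses per day instead of 86,400, which stretches the roughly 7 million years at one attempt per second by a further factor of 180.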
 
#30
metareferential said:
It's incredible that there's always Fifa involved; that game is such scam fest lately it's unbelievable.

Like others suggested, maybe it has to do with some keyloggers you accidentally stumble upon (or maybe someone else using your computer?).

That's pretty common. Have you ever used some "get free microsoft points" site or similar?
This!

It's always the way people end up in these type of situations. People will always try and phish your account details from you by providing dodgy websites and other links.

It's always Fifa involved because there is a market for the items obtained from Fifa on ebay.
 
#31
As far as I know most Xbox 'hackings' are because of social engineering...

Either at MS's end or at the users end someone made a mistake.

Simple password recovery question or just a simple password...
 
#32
Did they phish you? I've been getting some Xbox Live rewards emails but I don't click on those. I checked them once and they wanted my login and pw. Wasn't sure if it was legit so I didn't do it.

I have my login saved on the Live site and I notice that the link from the email didn't have the login saved on the live site which raised some flags for me.
 
#34
Anyway, I'm not saying this is your case, but NEVER EVER USE THE SAME PASSWORD ON DIFFERENT SITES NO MATTER WHAT.. It can be a hassle but it's totally worth it; I made a formula which ensures unique and secure passwords (12-character random Uppercase/Lowercase and Numbers) on each online service I use.

This also ensures that "secure" password I used at f.ex. "Codemasters" (Creators of "Dirt", which got hacked last week..) isn't used at f.ex. Xbox.com as well, because then the hackers would have direct access to my xbox account by now.

At the same time I am anal about never ever clicking on stuff I am not 100% sure about in the context of this. I never use the password other than directly on site, and also never go to online services via links but go to the service by typing out the address in the address bar instead.

Oh, and I never connect to free/open wifi connections either..

Paranoid, perhaps, but the bonus is that my ass is well-covered.
 
#35
The Broken Ska Record said:
I've actually tried to remove my CC from Xbox Live, but can't because my ex's friend, on accident, signed me up for one of those 3 months of XBL for $5 things the catch being I need to get a full year of Xbox Live. So, unfortunately, I can't remove my CC info. As much as I've tried. :(
These stories always crack me up, Microsoft don't deny themselves.

Lesson to be learned:
NEVER EVER GIVE MICROSOFT YOUR CREDIT CARD NUMBER.
 
#36
I'm in a similar situation as the OP. I recently returned from a few week trip overseas and the day I get home I notice in my e-mail a few confirmation letters from Microsoft about points purchased. Thinking it might be a family member I go to check the download history and any time/date information I can get on it.
Turns out they bought Michael Jackson Theme Packs (as well as a few other games, but I had a wtf moment there).
 
#37
Personally I just updated my pass, I don't have my CC on there (never would ever again) but I do own games which cost money to buy.

Steam has the right idea with someone logging in from a different computer having to check your email for a special 5 letter code before you can do anything.
 
#38
Well, I was hacked last Friday and finally figured out what happened last night.

Friday I was on GiantBomb.com and saw that my last game played was Rock Band 3 and I hadn't been on that game in over a month or two... so I got a bit concerned and called a buddy of mine to check out if I was signed online at the time.

He told me that I wasn't even on his friend's list anymore... this weekend I had to go to a bachelor party, so I couldn't really get into it until last night.

Tried to sign on and it said my account didn't exist. I did the same thing with the MS billing website and saw that 5,000 points I had on my account were spent on Rock Band songs... a lot of them odd foreign language ones. I checked my credit card and $133 was spent on MS points. My bank returned the money before I even knew this happened, so good on Chase for helping me out.

I did the whole support thing and I will get access to my account hopefully in the next two weeks once they determine it was fraud. If Chase determined it without even talking to me, I imagine MS will find the same and restore my account and stolen points.

Good times... guess I should get InFAMOUS 2 now while I'm out of commission on Xbox.

Fuck hacking douches.
 
#39
Diablohead said:
Personally I just updated my pass, I don't have my CC on there (never would ever again) but I do own games which cost money to buy.

Steam has the right idea with someone logging in from a different computer having to check your email for a special 5 letter code before you can do anything.
Google uses a similar system as well. I hope that MS and Sony will do something like that in the future.
 

Data West

coaches in the WNBA
#40
painful fart said:
These stories always crack me up, Microsoft don't deny themselves.

Lesson to be learned:
NEVER EVER GIVE MICROSOFT YOUR CREDIT CARD NUMBER.
Never give any company your credit card number
unless it's Amazon
 
#41
Stumpokapow said:
Although bruteforcing a simple password offline given a particular hash is computationally easy, it is virtually impossible to do so online, both because the cost of an attempt is high (minimum 1 second) and because most online login interfaces have a limiter on number of failed password attempts before locking an account.

Maybe to make this more clear, think of it this way; assuming your password is 8 characters or fewer made of capitals, lowercase letters, and numbers (no symbols), there are 221,919,452,000,000 possibilities. At one access attempt per second, it would take 7 million years to exhaust the search space.

Cracking the same password offline against a hash may take only a few hours, or less with a rainbow table.

I'm guessing his password was hunter2
 
#42
AndyMoogle said:
Google uses a similar system as well. I hope that MS and Sony will do something like that in the future.
I'm baffled that most serious service providers don't use any kind of two-factor authentication yet.
An additional layer of authentication per device would save everyone a lot of time and tears.

I checked last week and it seems PayPal even has the nerve to make it a paying service (30€ for a token-based authenticator)
 
#43
What bothers me is that many companies love to save your credit card information for possible easy re-purchases again.

In truth, I'd rather buy a gift card or game card and add points instead of dealing with credit card hassles.
 
#44
So I finally found a way to disable auto-renewal on Microsoft's Xbox site. The best part is that you have to first change your location to Chicago IL before they allow you to do it. It's locked out for most areas of the country.

But even after disabling auto-renewal, I still can't remove my credit card from my account. According to MS: You cannot remove a payment option that is associated with an active Xbox LIVE Gold Membership. However, if you associate a new payment option with your Xbox LIVE membership, you can then remove the existing payment option.

How in the hell is this even legal?

It continues: If you don't have another payment option to associate with your active Xbox LIVE membership, please call Xbox Support for help removing a payment option.

I despise this company.
 
#47
What is the reason for Microsoft not allowing people to remove their CC info? Is it because people shouldn't be able to use stolen CC info when creating an Xbox Live Gold account and then delete the CC right after the account is made? Is it possible to remove the CC info if you have a Silver account?
 
#48
I've always figured people's Live accounts get hacked the same way WoW players do. Looking at phishy websites, probably getting keylogged.

Never had my xbl or wow account hacked though.. knock on wood.
 
#49
test_account said:
What is the reason for Microsoft not allowing people to remove their CC info? Is it because people shouldn't be able to use stolen CC info when creating an Xbox Live Gold account and then delete the CC right after the account is made? Is it possible to remove the CC info if you have a Silver account?
Some security reason (excuse) the guy told me way back then on the phone. Since then my obsolete 6 year old CC is tied to my account and I pay my stuff with points (because PayPal still does not work).