
Late this past August, my friend noticed a large number of unauthorized charges on her credit card. Someone, somewhere, had gained access to her Xbox Live account and charged an enormous amount of Microsoft Points. She immediately phoned Microsoft’s customer support service, who claimed to have put the account on hold and said the investigation could take up to 21 days to produce results. Despite this claim of account suspension, the unauthorized user was still able to purchase additional points, and she could watch those points diminish slowly but surely on the official Xbox site, spent on downloadable content for EA Sports’ FIFA 2011 soccer game. We took to Google immediately and found a related post on the site Giant Bomb. It wasn’t much help, but it was at least some comfort that she was not the first.
My friend naturally disputed these charges with her bank, which was barely possible. The bank needed information from Microsoft, which Microsoft would not give out beyond stating that an investigation was underway. Microsoft also claimed several times that they would call her and update her on the investigation. They did not. Ever. Unfortunately, because of some strange technicalities in their terms of service, Microsoft customer support claimed they saw no problem and could not help her in any way, and communication between the customer representatives and the agents of the fraud department is so limited that the reps don’t know some of the things the customer is even talking about. After she successfully contested the charges with the bank, Microsoft actually tried to dispute the claim and say that the charges were legitimate. My friend is no fan of soccer, so naturally she would never touch a FIFA game in her life, but now FIFA 2011 sits in her game history like a stain on a nice carpet. Not only that, but regardless of how many Microsoft Points you may have had prior to the breach, Microsoft is inclined to perform a points adjustment, and you may be left with less than the amount you originally had, if any at all.
I took the search to perhaps the largest game forum on the internet, NeoGAF. I discovered that this was bigger than I had anticipated. Several of the forum’s users have been attacked by these thieves in the same fashion: charge points, purchase FIFA content, get away scot-free. Success with disputing these charges has been rather up and down, it would seem:
Thread 1 – Started May 24
Thread 2 – June 13
Thread 3 – August 30

One issue seems to stem from Xbox Live’s recent Family Account option, which allows a user to create additional accounts for family members, “gift” them Microsoft Points, and edit their user options. Unauthorized users may access the email address associated with the account, or the account itself, then purchase this family pack and a points pack for resale across a number of sites like eBay.
Taken from my friend’s letter to Microsoft reps:
From what I can tell, hackers can gain access to the victim’s accounts in a couple of different ways. One way is by calling Xbox Support and pretending to be the victim. They speak to a representative long enough to get a bit of information on the account, and then hang up and call back and use that new little tidbit to get a little further with the next rep. They do this until they have enough information about the victim’s account to gain complete access.
Another way that I have read about seemed specific to FIFA ’11, where a hacker can e-mail EA support with some jargon that confuses the EA server into sending the hacker the victim’s Xbox and EA account information. I’m not sure of the legitimacy of this claim but during my search I found videos about it on YouTube, as well as websites explaining how to do it.
I’ve also seen reports of phishing sites offering free points for the victim to click and stupidly enter their account information.
Once the hacker has access to the victim’s account and purchases the points, they can create a family account and restore your gamer tag to their console to make it part of the family account. This way they are able to use your points even when your account is locked.
They also seem to be selling accounts with the stolen points on sites like tradetang to customers who unwittingly buy them, thinking they are getting a great deal. The auctions for these accounts make claims such as “Dear friends: Since the points might expire, please use up the points within the warranty time” and “The accounts are not gold. And it is better not to buy gold membership for the account because it won’t last too long.” How that doesn’t send red flags is beyond me.
Besides the unauthorized charges themselves, the unfortunate thing is how unreliable Microsoft’s Xbox site and their Windows Live site can be. Many users run into error pages that prevent them from editing their account passwords and other details in order to increase security. Microsoft has also notoriously made removing credit card information and disabling auto-renewal payments for Xbox Live a hassle. Customers can either phone customer support and ask for the options to be removed, or remove the card from the Xbox Live Dashboard, but only by adding another credit card, which possibly negates the entire reason for removing your information in the first place. I recommend at least purchasing a prepaid Xbox Live card from a local retailer, as well as Microsoft Points cards. It’s unfortunate that we cannot depend on security like this from a major corporation, let alone two, right, Sony? We have to do our part as well, and although this sounds like common sense, this could happen to even the most experienced users: make sure to have a strong password, never give out credit card information if you can help it, and don’t click on shady, suspicious links that claim to offer amazing prizes and what have you.
I think sites need to raise awareness of this issue, and Microsoft and every corporation that asks us for credit card information in order to use a service should please work on updating their security measures instead of just casually patting the customer on the shoulder and saying “We’ll see.”
This exact thing happened to me the other day, but I didn’t realize it until today. I can say with certainty that I’ve never given my account information to anyone, but I do have an EA account. It’s pretty shameful on the part of both EA and MS if that’s really what’s going on here. I’ve since read a couple articles on this, as I’ve been searching around, and the duration for investigations has gone up from 10 days to 20 in some cases. I was told 25 days just now. After locking my account, the rep also refused to remove my credit card from the account, which concerns me because I’ve read reports of people purchasing family accounts and re-activating the accounts to spend additional money that way. This is totally unacceptable.
This just happened to me over the weekend and now I can’t even get into my own account, and since I only found out in the middle of the night I have to wait to call my bank and support.
Discussing it with the NeoGAF crew seems to conclude that there are hardly any major game sites reporting on this, if at all. What I posted in the entry is the closest I’ve come to what happened to my friend. Meanwhile, they go nuts all over the fact that PSN was down for a couple of hours around the time I posted this. I’m trying to spread the word. Something has to be done. I posted the links to Microsoft’s CS anyway but it has been of mixed results.
I know it’s sort of crazy how it’s on their support, it’s been happening for months now and nobody’s been mentioning it. I guess in Fifa 2011 anyway there was a weakness that people could trick into doing similar things to what is happening, but someone said “Oh it won’t be in the 2012 version.” Yet it seems it still is.
Same thing happened to me today, 5000 points bought and spent on Fifa 12 content and two achievements left on my account
People who’ve been hacked: how secure are your accounts? If you have a massive password on your passport account and your email AND your EA account, surely you should be safe?
They have to go on an Xbox and recover your account, which requires certain details only you should know (can’t even remember what they are). If Passport has a security question then make sure you use a phrase only you would possibly know, not something on your Facebook account or something.
Same thing happened to me on the 8th of Oct. 1400 points spent on gold packs and a 25 day lock out period. XBOX Live Customer support was completely useless.
Last night frustrated and upset that this has had no press I sent a lot of major gaming news sites information and links concerning this wave of attacks, obviously based on some exploit in the MS or EA system. I highly suggest you all do the same. If some traction is built perhaps some answers may be found.
@Brad
This is why I wrote this post. Many people were baffled how this saw little to no coverage whatsoever so and I attempted to tweet this to some major and minor sites. I want this spread as much as possible because something needs to be done about this. Consumers deserve better than this.
I encourage passing this post around if possible!
If you or someone you know had their Xbox Live account compromised recently, please email me with details: patrick@giantbomb.com
Delightful attempt to get a source off someone else’s hard work there Patrick. Well done. Hurrah for journalistic integrity!
Delightful attempt to goatse everyone there, Ian. I’m pretty sure subbeh is not Patrick, just someone reposting a tweet in an attempt to get this issue some additional exposure. Klepek is good people, and I’m guessing subbeh is too.
Anyway, the post on Eurogamer has just been updated, with a statement from Microsoft claiming there’s no evidence of their security being compromised, and that they’re working with people who’ve been affected to get everything resolved. They don’t mention that they’re only working with those that have requested a refund. Surely it would be more efficient to automate it to a certain degree based on the obvious pattern of misuse. But I suppose that would mean they’d have to give back ALL the money they’ve made from this.
The Eurogamer article’s here for those that are following along at home: http://www.eurogamer.net/articles/2011-10-14-xbl-accounts-hacked-to-buy-fifa-packs
I suppose a follow-up post is in order. Been a busy week! I’m glad this is finally being made aware and thanks to all for contributing!
Had my account hacked today. Found out when my phone could not get my hotmail emails.
Actually had good service from MS, though my bank seemed to know more than the MS rep I spoke with (they had received a lot of calls from people about the hacks).
I have no idea how this happened. I have an EA account but that was for Red Alert 3. I do not own FIFA 12 nor do I have many EA games that have asked for accounts to be made. I have Mass Effect 2 though…maybe that was it!
I do know however that I won’t be having any FIFA 12 achieves to my name…in 25 days, after the investigation my Xbox will upload data to the MS servers when I reconnect to live and will wipe out those ugly achieves that I don’t want to my name!
This is still happening. I just got Battlefield 3 on Nov 2nd and linked my gamertag with EA to play it, and on Nov 3rd I tried to log in to Xbox Live and got an error message saying I needed to recover my gamertag. I was able to, but while it was downloading I checked my email and had 3 emails saying I had bought 4000×2 and 1600 MSPs. I contacted MS and was told my account would be locked for 25-30 days to investigate. If it’s been going on this long then some warning or something from EA and Microsoft would have been nice to know. I also contacted EA and they disabled the packs for FIFA that had been bought.
I just got hacked on Nov 11th. I have no EA Xbox games (that I am aware of) and do not own any version of FIFA soccer. I am also wise to phishing requests and had what I thought was a fairly strong password. I didn’t provide these jokers with the password, though they may have brute force cracked it.
I noticed tonight (11-13) that I had received a security confirmation email from MS Live on Friday at 10:39 p.m. asking if I could confirm a request to add an email address. I didn’t see the email until Sunday night, at which point I selected the link to cancel the request. On a separate email address that is registered to my Windows live account, I got a confirmation email about two purchases of Xbox live points, which happened on Saturday at some point. MS sent the purchase confirmation email at 8:39 p.m. on Saturday, so it took a few hours for the hackers to get into my Xbox account.
I checked my credit card and lo and behold there were two transactions, one for $75 and one for $50 for 6000 and 4000 points. However, the $75 transaction had already been reversed (but not the $50 transaction). MS billing also shows some kind of adjustment that took the 10120 points in my account and zeroed them out. MS phone lines were closed (after 10 p.m.) but I emailed them to request that my credit card be removed from the account and that I get back the 120 points I had before my account was cleaned out. I also called my credit card company and reported the fraud and got the card canceled, in case MS chooses not to act.
Steve
This happened to me last month. However, contrary to the experience detailed here, Microsoft customer support were very helpful – the rep I spoke to acknowledged that there was a wider issue concerning FIFA and EA accounts and promised to get it sorted within 25 days. True to their word, 20 days later I received an email confirming that all unauthorised charges had been refunded, and Microsoft threw in 500 MS Points and a 30-day Gold subscription to make up for the lost time. All that’s left are the two FIFA 12 achievements on my gamertag, which I’m going to talk to support about getting rid of.
I have recently been hacked by someone who used all my points to buy Fifa 12 Ultimate team packs. MS have suspended the account while they investigate so quite pointless trying to play any PC games or XBox games as I will have to recover my Gamertag once their investigation is over. My question is can I still play Xbox Live games on my Windows Phone 7 and earn achievements? I do not want to finish games off to find the achievements will not update now or even once my account is reactivated as that would mean reinstalling to start from scratch.
Thanks!
I got my account hacked. Luckily I was online when it was hacked so when I got the notice saying that I had been logged in on another console, I immediately logged back in and changed my password. Some of my friends weren’t so lucky. If I had been hacked at any other time of the day I might have figured it was my little brother using my account to get a DLC. But it was 2 AM and he was in bed.