Microsoft says that recent thefts targeting Xbox Live users are isolated incidents, and often tries to portrays the problems as phishing scams -- effectively blaming the consumer. However, an eyebrow-raising amount of comments and emails seem to suggest that it's a big more common than that.
A few days ago, I spoke with Susan Taylor, the hacking victim who famously exposed Microsoft's awful customer service. She let me know that of the two hundred emails she's received since resolving her own situation, one hundred and forty were from customers who have had similar experiences. Other emails came from those who have used black market sites -- places that sell accounts loaded with games bought using stolen Microsoft Points.
"Quite a few people have also questioned the third party servers and services, but I am not seeing a trend in the stories I have read," Susan told me. "Some people have EA accounts connected to their XBL accounts, some people don't; some people have PayPal linked, others just their cards; most have never played FIFA 12.
"I personally have Uplay and Raptr accounts linked to my Xbox account. Unless people are outright lying to me, there is definitely not a specific service (aside from XBL itself) that absolutely everyone who has had accounts compromised has in common. Microsoft's arguments are looking very weak at best."
Microsoft has indeed tried to blame a variety of third-party services. One of my contacts said that a customer service rep blamed third-party servers, while FIFA 12 has been accused of allowing exploits to take place. The one unifying strand in all these stories is Xbox Live, however.
A security flaw on Xbox.com has allegedly been discovered by one victim, who learned that indefinite password attempts allows a hacker to force his way into any Gamertag they like, just by learning the corresponding email address (which Microsoft itself makes easy) and assaulting the site with a password generator. Whether this is how the hackers are getting in remains to be seen, but it's the most credible idea so far, and it once again points to Microsoft.
For right now, the only advice one can give to those users wishing to protect themselves is this -- do not have a credit card attached to your Xbox Live Gamertag. You can renew your subscription or add Microsoft Points using pre-paid cards bought in stores, without the need to open a conduit to your bank account on Microsoft servers. It seems to be the best way to keep yourself safe.
From what we've seen, this is a very real problem, but there are practical steps you can take to defend yourself. You're going to have to, because it seems Microsoft doesn't have what it takes to look after its own customers.
Contest:
12:30 PM on 01.13.2012 | 
You just never know.
As for the hacks themselves, it's not like I don't believe most of these people; I just want proof. "Xbox Live Getting Hacked", and hackers phishing for emails and bruteforcing them are entirely different things. While Microsoft should keep the email of the account more hidden, I haven't seen anything so far that indicates that Microsoft's actual servers have been breached. That would be a much bigger problem, as no amount of personal security can ward that attack.
"do not have a credit card attached to your Xbox Live Gamertag."
That's a good practice, but some accounts require you to have a credit card attached under special circumstances. For instance, the "6 months for the price of 3" promotions through Xbox.com, or the Family Gold Pack.
For this, you can use pre-paid Visa cards - available at any grocery store. Just make sure it has a 3 digit number on the back.
- Every Xbox Fanboy after the PSN hack.
Glad to know that people are taking steps to protect themselves!
http://www.deals4gamers.com/
Here's the thing. Sony was hacked. Their databases, which had PII on them and entrusted by users, was compromised. Hackers obtained millions of user's PII that could be used for identity theft.
The situation with Microsoft is different. Individuals are reporting that their personal accounts are being hacked - based on the article above, it seems like they're doing it through phishing and bruteforce attempts (phishing doesn't always have to be on the end user's end, nor is it always their fault).
That could literally happen with any service and any account on the internet ever. IMO, they're a bit different.
For additional information, check this part of the article out:
"Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live ID’s."
As a general rule, posting your email on the internet is a bad idea. While I wouldn't say "it's their fault", it's not the same situation as actual Microsoft servers being hacked.
Jesus, I wish every hacker involved in these schemes would be caught and given the worst punishment for any hacker: a job.
While it was my fault as I didn't have the proper security features activated as I had assumed they were turned on by default; I was baffled at how my account was targeted in the first place considering the limited use I had put into it. Thankfully for me resolving the issue and getting my money back wasn't the horror story Susan went through.
Stuff like "Hey, give my your netflix password and I will give you 1200 microsoft points", or "Wow, I just went to this site and it generated microsoft points for my account http://websiteaddress.extension". I never reply to these emails. As soon as I see them I report them directly to xbox live. Could it be that most of these people falling for these scams are the same ones who think they've been hacked? Or is it actually random accounts being hacked at no fault of their own? I wish I knew.
Anyways, I have an old credit card linked to my xbox account that I do not have anymore, and it is expired. If someone was to try to buy something with my account, I would think it would make a record of gamertag, xbox console ID, IP Address, Time, Date, Geo-location etc.. because the card is expired. Is this true?
What about this. What if everyone put fake credit cards linked to their accounts? If a thief tries to use it, it will fail and they will be caught?
Microsoft gets hacked & robbed, and it's all YOUR fault!
If I had to guess, what we're seeing is still fallout from all the other hacks with username and passwords this year- Lulzsec alone released how many hundreds of thousands of passwords? And the PSN hack and others mean that 'hackers' could just be trolling those lists and trying them on other services- that's why she doesn't see a 3rd party in common.
That is not to say that these people aren't being screwed by Microsoft, MS definitely needs to get its crap together and actually help victims. It's just that this is the age of the internet, when there's a hole somewhere, it doesn't trickle, it floods.
Fuck MS & its shit security & hardware.
Fuck MS & its shit security & hardware.
We have that comic posted up in our IT security office. Love it :D
I still don't understand the Fifa DLC link, having not played Fifa in a couple of years. Is there something specific about Fifa, does it have DLC that can be transferred to other gamertags making it something that could be sold?
:D that's amazing! Love XKCD.
Math and Logic wins!
Keep in mind though, that comic compares short "l33t" passwords to long easy to remember passwords - not really a fair comparison. Long "l33t" passwords are still much more secure - the honus is on the user to remember that password without writing it down.
While it may be hard for some people to memorize a 20~ character password that isn't four simple words, it is still more secure - especially if you only have to remember it for one service because it's the "hawt" thing to hack this week.
A good tip is to use jibberish words that you can recall, but are only really known to you.
Users: Read this http://xkcd.com/936/
While MS sits back, refuses to lock accounts until its way too late, and then blames the consumer and refuses to do anything about the problem or even admit there is one.
They gave all the information available, and the guy on microsofts side said the points went to some where else. They were incredibly unhelpful and came up with no solution.
It could totally be a 1 case thing, but it made me totally lose faith in their company and made me personally look like shit. Under normal circumstances id say the person was just lying, but that doesn't really add up. We gave them their address, gamertag, email address, and they didn't recieve the points. Even the ms rep told me it went to someone else based on the 25 digit code.
Tl;dr Microsoft is super shitty.
I mean that's what you get when you pay for a service right? You get that tasty paid for security right? right?
Seriously though, this is a worry as a user of XBL. A worry and a bit of a pisstake considering it's a paid for "premium" service.
to be fair though, nothing is perfect even if you pay for it, especially when it involves people partially looking after their own interests.
by that logic all things should be free because they could break at some point.
Well, when you purchase something on XBL it is linked to your gamertag, and ALSO linked to the Xbox Console ID that it was purchased on. I know this because I have gone through 5 xbox's and am on my 6th and have had to transfer licenses many times.
Knowing this, microsoft has info on all content purchased saved. This info contains at the very least the gamertag and console ID for each and every purchase. So say your account is stolen and purchases are made. Microsoft will now have a list of your gamertag associated with all your purchases and the hackers purchases. They will be the same and show Xgamertag or whatever bought them. ALSO, it will show that say Worms 2 was purchase on console ID 123456, and then there are some Fifa DLC purchased with the same gamertag but on Consold ID 888721.
There is a definate difference in these Console ID's. The true owner of the gamertag calls it in and tells microsoft about purchases made. They give their console ID number to microsoft, Microsoft sees there are 2 console ID's. If you have registered your xbox than they will have you as the one with the console ID 123456. They can then find out who has console ID 888721. When that console connects to xbox live next, or even if it keeps a history of what IP uses it, it can be tracked to the exact person and address of the hacker, in most cases.
This should be real easy to see, easy to fix, and easy to find who hacked your xbox and sue them and charge them. What do you think?
Seems like people aren't reading the actual issue at hand and just the headline. "Xbox Live" isn't being hacked. People's accounts are being hacked by standard methods after information is gathered and phished.
There is a big difference.
@Nick
I don't believe Netflix can bill you without a credit card or Paypal account. You can't even use Visa Gift Cards like you can on Xbox Live.
The only real options are to create a PayPal account, add like $100 to it, and link that as your auto-bill option. Or, you could fiddle around with virtual credit cards, but I'm not 100% sure that will work with Netflix, as it may detect them like it detects Visa Gift Cards.
not quite. I was hacked and I was not scammed, phished, and I certainly didn't have a weak password. It was brute force or an inside job.
The issue is how Microsoft handles, or fails to handle, the problem.
Take the FIFA situation. (Do remember that this wasn't an exploit within FIFA. It was a regular password stealing situation. It was known for FIFA because the stolen accounts were being used by FIFA players to buy large amounts of DLC card packs.) While it wasn't big news on online gaming sites, it did get some coverage in some locations, and Google will turn up results. When mentioned in threads, some people would chime in with similar stories, so it wasn't just a few isolated cases.
But then you contact Microsoft and speak to someone who acts as if they've never heard of anything like it.
Then you get told that your account will have to be locked for a month for the investigation. Yes, it would take time for an investigation, but locking an account for a month? When just looking at its history should raise red flags? (Your account is "recovered" to a different machine, and suddenly all your existing points are spent on FIFA DLC, with no points being added beyond that point?) Heck, the red flags are so obvious that Microsoft should arguably have been investigating accounts automatically.
Then look at the other stories. Susan's, for example.
To dust off and twist the overused "steal a car" analogy, it is kind of like leaving your car door unlocked and having your car stolen, while parked in a police lot, and then having the police say they'll think about investigating it, but you have to give them your driver's license for at least a month, and then you find out that a car is stolen from the police lot every other week.
while brute forcing will take a while with those type of passwords,
a dictionary attack will crack those passwords in seconds. Add numbers and capital letters to your passwords. and obviously don't be so simple with them.