Xbox account hacked rage-all

RESOLVED. Back to Canada, everything is in English, used that points card I bought a while ago to buy a tonne of Rock Band DLC and played RB3 with my wife all afternoon.

So in sum, that was 2 weeks to get my money refunded and account returned, and a further 12 weeks to get my region changed back, which they apparently forgot to do the first time. But in compensation, I got four 30-day codes.

Good luck to everyone else!

I'm really hoping I don't have to fight for the 1200 or so points I had on my account before it was hacked. I also think it doesn't matter how secure your password is, there's no way this is a brute force hack. I think it's just too easy for people to get PW info for your live.com account.

It's so easy to log in to another console since the update. Literally just enter your live user/pass and away you go. On the upside it means my region never changed, so hopefully that will decrease my wait.

Stylez, have you had your money refunded yet? It seems that takes less time than finally getting the account restored.

Shacknews has an article on the latest FIFA hijacks, plus some earlier editorials about the hacks in general: http://www.shacknews.com/article/718...

The practical upshot for anyone as yet unaffected but worried is to change your password (regularly), and remove your associated credit card and PayPal account, and pay with points cards instead. There's no explanation from MS how these hijacks are occurring, if they can even know, but they point to social engineering and malware. As for the long turnaround time for resolution, especially when region changes are involved, it's apparently par for the long and complicated course. Shacknews argues the reach of your Windows Live ID is a huge vulnerability, and I think I can vouch for that.

Gravey wrote:

Shacknews argues the reach of your Windows Live ID is a huge vulnerability, and I think I can vouch for that.

This has me worried going forward... I mean, the battle between Microsoft, Google and (in the gaming space) Valve and EA is going to result in some ugly outcomes with only the hackers benefiting from those instances.

I really don't think any of the content industries are ready to step up to the plate with the sort of security and support that the medical and financial sectors are... However, I suspect that it will be demanded of them at some point in the near future.

Gravey wrote:

Stylez, have you had your money refunded yet? It seems that takes less time than finally getting the account restored.

Shacknews has an article on the latest FIFA hijacks, plus some earlier editorials about the hacks in general: http://www.shacknews.com/article/718...

The practical upshot for anyone as yet unaffected but worried is to change your password (regularly), and remove your associated credit card and PayPal account, and pay with points cards instead. There's no explanation from MS how these hijacks are occurring, if they can even know, but they point to social engineering and malware. As for the long turnaround time for resolution, especially when region changes are involved, it's apparently par for the long and complicated course. Shacknews argues the reach of your Windows Live ID is a huge vulnerability, and I think I can vouch for that.

Funny you ask, I just got an email saying that another email account has been attached to my address.... One which is sort of like the one I told them to use but not quite right, which is frustrating because I called to check that yesterday. (my full name of Daniel instead of just Dan on the email address). So at this point I'm hesitant on how to proceed. It's entirely likely they sent me information I can't see to the wrong email address, but I did get "Windows Live Account Security Confirmation" today at my usual address. I may just make the extra gmail account they are using and confirm it, then forward that to an existing email. I'll be pretty happy if this is fixed today.

*edit*

So on the phone with them now, apparently it has been resolved, however they will have to escalate it to get it sent to the other email address, so I just went ahead and created the correct one in Gmail and tied it to my account... Which apparently is also an issue as I'm back on hold while she checks with a supervisor. SO CLOSE.

Double post for great justice! I'm back online, with all points refunded. That was much quicker than the 25 days expected thankfully.

Great news, glad to hear it!

Duoae wrote:
Gravey wrote:

Shacknews argues the reach of your Windows Live ID is a huge vulnerability, and I think I can vouch for that.

This has me worried going forward... I mean, the battle between Microsoft, Google and (in the gaming space) Valve and EA is going to result in some ugly outcomes with only the hackers benefiting from those instances.

Relatedly, less worrisome but just annoying, I cleared my cache of Xbox/Live/Microsoft/etc data, and I still can't login to xbox.com or any live.com site (or use the iOS app) because it says my account's been "temporarily blocked". I thought everything was resolved. I've been ignoring this since I can do without the all-singing-all-dancing connected future for now and don't want to call Xbox support anymore. Maybe when the Xbox 720 comes out, I'll try to get it fixed.

I wonder if I can still use GFWL?

HAHAHAHAHA.

Hi all,

Glad to see it's been resolved for most of you, cause it sure hasn't been resolved for me. It's now been 5 bleepin' months since my regional settings were changed to Russian, both on XBL and on MSN, and 2000 M$ points were taken out of my account. It all started back in August, was told it would be fixed in 21 business days. BTW, direct quote from the XBL support kid when I told him about the hack: "Ahhh man, that is baaaad...that is sooo bad." Wow...

Anyways...here's what they wrote me on December 30th :

"Dear Xbox LIVE Customer,

We are continuing to investigate your report of unauthorized account access to your Xbox LIVE account. Our goal is to unlock your account as quickly as possible. As previously communicated to you this investigation may take up to 3 weeks to resolve. During this time we ask for your continued patience."

So I just wrote back, pointing out that we were way past 3 weeks at 5 months now, that it was unacceptable, etc., etc. Here's what they wrote back on January 6th :

"Dear Xbox LIVE Customer,

We are continuing to investigate your report of unauthorized account access to your Xbox LIVE account. Our goal is to unlock your account as quickly as possible. As previously communicated to you this investigation may take up to 3 weeks to resolve. During this time we ask for your continued patience."

It's official. I found it. Worse customer support than Bell.

Congrats M$%&**&

P.S. : I'm new here, can anyone tell me why I can't seem to be able to use Bold or Italic or Quote (or BB Code) ?

I don't think you should be following up via emails at this point. You need to get Xbox customer service on the horn again and get it escalated on the spot. Any call to Xbox customer service is a loss of time, but you are obviously only getting their scripted email response.

You could also complain to Microsoft corporate customer service and they may get involved to make something happen, which you could do through the main microsoft website, not the xbox one. xbox and microsoft customer service are separate from my experience a few years back.

5 months is of course unacceptable.

Try voicing complaints on Twitter to the @XboxSupport team (https://twitter.com/#!/xboxsupport). I don't know if it helps, but I complained / asked for advice from them when my account was hacked and my turnaround time was 2 weeks. Then again, I didn't have any region changes or credit card charges; only my M$ points were taken.

Kami wrote:

P.S. : I'm new here, can anyone tell me why I can't seem to be able to use Bold or Italic or Quote (or BB Code) ?

For a certain amount of time after signup, BBCode doesn't work -- This is for spam prevention (mostly to stop spammers from posting links, I believe).

A woman who had a particularly bad experience with her account being hacked posted her story here: http://www.hackedonxbox.com/microsoft/
She says the case was ultimately resolved, but she seems pretty confident there was no way she could have been scammed into revealing her password. Maybe she was, but it seems like this is affecting more and more people--could they all have fallen for some phishing attack? Microsoft might want to start explaining what's going on.

Chairman_Mao wrote:

Microsoft might want to start explaining what's going on.

Of course they don't. I bet they're feeling pretty good right now, they've got a hacking problem that is worse than the PSN hack, and yet barely anyone is talking about it. At least SONY's service was free. In this case, I lost 5 months of GOLD membership and my M$ points, plus my Windows Live ID seems to be compromised.

But the case you point out and many others are even worse, with hundreds of dollars of M$ points being purchased by the hackers and PayPal accounts being jeopardized.

This should be on the news, but it's not. That's because Microsoft didn't cancel their exposed service, unlike SONY did. It was the right thing to do, but it bit them in the ass because it made the whole thing newsworthy. Meanwhile, Microsoft is letting us continue to use an unsecured network (obviously) and pay for it too! Who knows what the hack did, maybe all our personal info is out there. M$ sure won't tell us if it is.

All I know is I'm never using a credit card or any other payment method with ANY gaming system ever again. Points cards in stores are the way to go.

BTW : Still not resolved.
BTW#2 : And I guess I still can't use BB code...lol

BTW#2 : And I guess I still can't use BB code...lol

That only works after a certain number of posts, to protect against spambots.

RESOLVED. Wait, I feel like I've posted that twice before.

Well, I guess getting my region fixed wasn't the end of it, because I got another e-mail this morning with the account recovery steps. So now (now?) (now) everything seems to be in order. Region okay, money refunded, history all squared away, I can login to Xbox.com, other Live sites and the iOS app.

I also just bought a 12+2 month card, so between that and the 30-day codes I kept getting (five in total, and I was never actually without Live access), I'm upped until June 2013.

One final note: my credit card and PayPal info was still attached to my account, but I was able to remove them both through the dashboard with a couple button presses and no hassle. I know people have complained about how hard it is to get payment info removed, so maybe this is new news to some.

It's part of the most recent dashboard update.

trueheart78 wrote:

It's part of the most recent dashboard update.

Yeah that's what I thought. And very much appreciated it is.

It appears that the hacking has to do with a weakness in the xbox.com/live.com login allowing for scripted brute force attacks. In other words, an overly-permissive login page paired with lots of weak passworded accounts.

Didn't see this posted yet, but MS has got an Xbox Live security check list posted on their site now.

* Their #1 recommendation is adding a mobile phone number to your Windows Live ID. Having done it, I see why. You can't so much as fart on your account without having your phone ring-a-ding letting you know there's been activity in the security settings.

* Create a "strong password" for your Windows Live account. Of course, MS's idea of a strong password is 16 characters or less. At least use those 16 characters and make 'em random.

* Profile Protection allows you to require providing your Windows Live ID and password in order to download your profile from Xbox Live to an Xbox system. The Profile Protection page will show you what console(s) you have logged in from.

* You can also set a pass code (a button sequence punched in on the 360 controller) that someone would have to punch in in order to use your 360 profile.

*Legion* wrote:

It appears that the hacking has to do with a weakness in the xbox.com/live.com login allowing for scripted brute force attacks. In other words, an overly-permissive login page paired with lots of weak passworded accounts.

So I suppose they were "technically" correct when they said that they weren't hacked. However, I still feel that the majority of blame lies with Microsoft... though that's probably why they updated the dashboard despite previous bollocks about how you couldn't remove CC info and stuff from your account and how they kept on giving out free 30 day codes for Live!.

Duoae wrote:
*Legion* wrote:

It appears that the hacking has to do with a weakness in the xbox.com/live.com login allowing for scripted brute force attacks. In other words, an overly-permissive login page paired with lots of weak passworded accounts.

So I suppose they were "technically" correct when they said that they weren't hacked. However, I still feel that the majority of blame lies with Microsoft... though that's probably why they updated the dashboard despite previous bollocks about how you couldn't remove CC info and stuff from your account and how they kept on giving out free 30 day codes for Live!.

Correct me if I'm wrong. If you've got a reasonably strong password that's not vulnerable to dictionary attacks, this still will take a LONG time.

MS should correct the basic acknowledgement that the account is a valid account when the wrong password is entered, and the ability to try another ID without requiring a CAPTCHA. But I still wonder if that's all that's going on. I suspect it's a big mix of things. Trojans like the ones a couple of people here have seen keylogging login info, people using email addresses and passwords also used on other sites where intrusions have happened, etc.

So I suppose they were "technically" correct when they said that they weren't hacked.

No, they were hacked. It's basic website security that you don't allow brute-force password guessing. The fact that this fails means they were hacked. The exposure from this particular hack is limited to one account at a time, but Microsoft is still being hacked.... thousands and thousands of times, in fact, exploiting a flaw that they shouldn't have allowed in the first place and could easily fix.

8 attempts before captcha? That's not a lot of opportunities. But then the thing is that captchas aren't perfect either. I haven't seen xbox.com's captchas though.
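As an added example (not code from this thread or from Microsoft), here is what the fix the last few posts ask for looks like: a login gate that returns one identical error for an unknown ID and for a wrong password, does the same hashing work either way, and counts failures per account and per source address, demanding a CAPTCHA after the 8 failures mentioned above. The 15-minute window, the in-memory store, the demo user table and all names are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

CAPTCHA_AFTER = 8          # failures before a CAPTCHA is demanded (figure quoted above)
WINDOW_SECONDS = 15 * 60   # constructed: failures older than this are forgotten
PBKDF2_ROUNDS = 10_000     # kept low so the demo runs quickly; use far more in production


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy salt/hash used for unknown IDs so the work done (and so the response
# time) is the same whether or not the account exists.
_DUMMY = (b"\0" * 16, b"\0" * 32)


class LoginGate:
    def __init__(self, users):
        # users: constructed demo table {id: plaintext}; stored salted and hashed
        self._creds = {}
        for uid, pw in users.items():
            salt = os.urandom(16)
            self._creds[uid] = (salt, _hash_password(pw, salt))
        # timestamps of recent failures, keyed "id:<account>" and "ip:<address>"
        self._fails = defaultdict(list)

    def _recent(self, key, now):
        self._fails[key] = [t for t in self._fails[key] if now - t < WINDOW_SECONDS]
        return len(self._fails[key])

    def needs_captcha(self, user_id, client_ip, now=None):
        now = time.time() if now is None else now
        # Counting per source address as well as per account means that
        # rotating through many IDs from one machine does not dodge the limit.
        return (self._recent("id:" + user_id, now) >= CAPTCHA_AFTER
                or self._recent("ip:" + client_ip, now) >= CAPTCHA_AFTER)

    def login(self, user_id, password, client_ip, captcha_ok=False, now=None):
        now = time.time() if now is None else now
        if self.needs_captcha(user_id, client_ip, now) and not captcha_ok:
            return "captcha_required"
        rec = self._creds.get(user_id)
        salt, stored = rec if rec is not None else _DUMMY
        match = hmac.compare_digest(_hash_password(password, salt), stored)
        if rec is None or not match:
            self._fails["id:" + user_id].append(now)
            self._fails["ip:" + client_ip].append(now)
            # One message for both "no such ID" and "wrong password": the page
            # never confirms that an account exists.
            return "invalid_credentials"
        self._fails["id:" + user_id].clear()
        return "ok"
```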

They mention it is through xbox.com, but with hotmail and Windows Live sign-in being linked to a network of community websites.... aren't there additional vulnerabilities throughout that network? I.e. you think of the amount of data going on around achievement tracking sites or xbox simulated blogging etc.. it just seems that a hacker might have many routes to attack that single sign-in. I don't know, I just hope they do implement better security practices where they can to close off any routes available.

One thing I think I learned from 2011, like someone else had mentioned earlier, is maybe pre-paid cards are a better route to go than I had realized previously, rather than place any trust in these online services at all to safeguard information.

But the achievement tracking sites rely on you setting your account to allow public viewing of your achievements. You're not allowing them to log into your account, they're just scraping web data.

Duoae wrote:

So I suppose they were "technically" correct when they said that they weren't hacked. However, I still feel that the majority of blame lies with Microsoft...

Microsoft is unquestionably at fault here.

Preventing that kind of brute force attack is fairly easy. There's no excuse for someone as big as Microsoft to allow such a weakness in something as important to them as their single unified login system.

Microsoft is also at fault for their stupid and unnecessary password limitations (16 characters max).

At the same time, undoubtedly a lot of users facilitated their own account's compromise by having sh*tty weak passwords attached to them.

*Legion* wrote:

Microsoft is also at fault for their stupid and unnecessary password limitations (16 characters max).

At the same time, undoubtedly a lot of users facilitated their own account's compromise by having sh*tty weak passwords attached to them.

How many people who got hacked via this particular vector do you honestly think had 16 digit passwords?

I'll ask again, if you've got a reasonably complex password not vulnerable to dictionary attacks, wouldn't it still take a long time to brute force? Say you've even got a 10 digit password with random letter/number/special characters, how long would that take with a $1000 PC to crack over the web like this? I honestly don't know.

I still bet it's not just this one way. In fact, I'd say the easier way most of these accounts got compromised is tied to other compromised databases giving access to people who've used the same email/password on multiple sites. Probably more were compromised that way than the brute force way.

But still, they should have had better security in their login page.

MannishBoy wrote:

How many people who got hacked via this particular vector do you honestly think had 16 digit passwords?

Not many. But the restriction to 16 characters takes away some techniques that users use to make strong(er) passwords, like multi-word passphrases.

That is Microsoft's fault. Worse, having major sites like this impose these kind of restrictions is part of what makes it difficult for people to get into the habit of creating long passwords.

If you're not going to make it random, at least make it long. And Microsoft prevented making them long.

I'm curious how many PSN accounts had identical credentials to their Live accounts...

I still don't have my account back and I've had to give up smoking and I'm starting to rage hard.

But maybe it's a blessing in disguise that I can't play multiplayer online right now?

MannishBoy wrote:

(a)I'll ask again, if you've got a reasonably complex password not vulnerable to dictionary attacks, wouldn't it still take a long time to brute force? Say you've even got a 10 digit password with random letter/number/special characters, how long would that take with a $1000 PC to crack over the web like this? I honestly don't know.

I still bet it's not just this one way. (b)In fact, I'd say the easier way most of these accounts got compromised is tied to other compromised databases giving access to people who've used the same email/password on multiple sites. Probably more were compromised that way than the brute force way.

But still, they should have had better security in their login page.

I think possibly (b) is more likely.... unless people on here who specifically stated that their passwords weren't the equivalent of 1234ABCD were, in fact, lying.
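A worked estimate for question (a) above, added here and not part of the thread: the expected online guessing time for the 10-character random password MannishBoy describes, next to shorter and reused passwords, under an unthrottled login page and under an 8-failures-per-15-minutes limit. The 1,000 guesses per second figure and the scenario list are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Number of candidates the attacker must work through in each scenario
# (constructed for the demo; the first one is the password asked about above).
SCENARIOS = {
    "10 random printable ASCII chars": 95 ** 10,
    "8 random lowercase letters": 26 ** 8,
    "1,000,000-entry common-password list": 1_000_000,
    "password reused from another site's breach": 1,
}


def expected_guesses(candidates):
    # On average the correct guess turns up halfway through the list.
    return math.ceil(candidates / 2)


def expected_seconds(candidates, guesses_per_second):
    return expected_guesses(candidates) / guesses_per_second


def throttled_rate(attempts_allowed, window_seconds):
    # Effective guess rate against ONE account when the server tolerates only
    # `attempts_allowed` failures per `window_seconds` before blocking or a CAPTCHA.
    return attempts_allowed / window_seconds


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def time_to_crack(guesses_per_second):
    """Expected years to hit each scenario's password at the given online rate."""
    return {label: years(expected_seconds(c, guesses_per_second))
            for label, c in SCENARIOS.items()}


if __name__ == "__main__":
    # Constructed assumption: an unthrottled page answering 1,000 guesses/s to a
    # single cheap machine, versus one that allows 8 failures per 15 minutes.
    for label, rate in (("unthrottled, 1,000 guesses/s", 1000.0),
                        ("8 failures per 15 minutes", throttled_rate(8, 15 * 60))):
        print(label)
        for scenario, yrs in time_to_crack(rate).items():
            print("  %-45s %14.3g years" % (scenario, yrs))
```

Random length beats throttling in the table: the 10-character password is out of reach even unthrottled, while the throttled page turns a million-entry wordlist into years per account, and a reused password costs one request either way.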