Xbox LIVE hack doing the rounds

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
Just a friendly warning for my fellow Escapists about a hack that's doing the rounds at the moment.

This morning (10/10/2011), I tried to sign into my XBL account for a quick blast of Gears 3 on Insane (yes, I go basic achievement hunting, and yes, I must be a glutton for punishment or something), to be told no less than twice, that my details were invalid. Wuh?

"Okay," thinks me, "it's just the console having a Microsoft moment, I'll just recover the GT, no problem." After waiting ages for my crappy internet to redownload my profile information (thanks a lot, Sky), I finally log in.

What the crap is this? FIFA 12 with two achievements? But I don't own...oh crap. My MS Points are gone. All 2100 of them.

It seems some spoddy little arsewipe, or group of spoddy little arsewipes, is going around jacking people's accounts and emptying them of points by spending them all on "Premium Gold Pack" and "Premium Silver Pack" DLC for FIFA 12, while playing a basic amount to get a couple of achievements. They're also not above using associated bank cards to charge ridiculous sums of MSP's (usually in the order of around 10k points), then empty them on the above DLC. The kicker is, those DLC packs don't appear in your download lists for whatever reason, but they do at least appear on your Billing and Payment page on the XBL site.

This has been going on at least since the back end of last month, and Microsoft don't seem to be doing much about it except on a reactionary level. I.e. nothing gets done until customers phone and complain about their accounts getting hacked. It seems there's absolutely nothing you can do about your account getting jacked, as I have read reports of people spotting the unauthorised purchases and nabbing their account back, changing their password, only to have their account re-jacked in minutes.

This suggests to me that whoever is doing this, has a major door-jam holding open a backdoor to LIVE's database somewhere. What boggles my mind is this has been going on for at least a couple of weeks now and nothing has been done to try and combat it. MS haven't even tried warning customers that this is going on, keeping it all very hush hush. This smacks of the PSN hack a few months ago and the way this is going, it certainly is almost at the same level.

So yes, this is a warning to my fellow Escapists that own 360's to disassociate any credit/debit cards that are on your XBL account to avoid any surcharges. To those who don't have cards but do have points, just cross your fingers and hope you don't fall victim.

A couple of threads on this at the XBL forums, just so I don't look like a raving lunatic:

http://forums.xbox.com/xbox_forums/xbox_support/f/12/t/103484.aspx (I have a post in here, first response)
http://forums.xbox.com/xbox_forums/xbox_support/f/12/t/97215.aspx?PageIndex=1

There are more, lots more, but obviously I'm not going to link them all. Damn hackers.

CAPTCHA: buotio Helfmeyer), Mmm, sounds tasty.
 

penguindogexd

New member
Jun 20, 2011
51
0
0
Wow, this sucks. This blows the PSN hack away like it was a minor annoyance. You see, few accounts were actually stolen in the PSN hack, but this is a new level of arsewipery on the hackers' part. Also a new low for Microsoft for sticking their fingers in their ears and singing until we stop bugging them.

CAPTCHA: steve sociou (is that a name or whut?)
 

Dalek Caan

Pro-Dalek, Anti-You
Feb 12, 2011
2,871
0
0
I think a lot of people are only getting hacked for their money, which is a good thing since I don't have a credit card and only have about 20 MS points. Still better change my password to "hackersgofuckyourself".
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
ChromaticWolfen said:
I think a lot of people are only getting hacked for their money, which is a good thing since I don't have a credit card and only have about 20 MS points. Still better change my password to "hackersgofuckyourself".
Well, you can hope that changing your password might do something mate, but from what I was reading yesterday, it doesn't make a blind bit of difference. But like you say, the main target seems to be the dosh, so maybe you'll be safe. :p

*le sigh* Indeterminate amount of time with no LIVE. I am disappoint. I just hope I get my account back before November, I was planning to buy the Gears 3 season pass. :/

EDIT: To clarify, I don't have access to LIVE because the MS fraud team is investigating, not because some hacker has it.
 

Hisshiss

New member
Aug 10, 2010
689
0
0
Every thread about this makes me feel a little bit better, because on September 9th, my account got cracked into, they charged about 150 bucks in worth of Microsoft points, about 10,000, and played some fuckin FIFA. I reported it the day it happened, they suspended the account and whatnot, and just have not heard a word from Microsoft since. It's been an insane pain in the ass, especially since my best friend is in town for just a few more weeks and we haven't gotten to play live together in years (His home away from home doesn't really afford him the time to game because of how the household works.), so I'm gonna miss that bonding experience if this doesn't wrap up. On top of that, my mom's credit card was on the account from god knows how many years ago, as I've been using my own for at least a good 24 months, so she's now down 150 bucks that Microsoft is clearly in no rush to refund.

All in all, I'm just glad this isn't an isolated event, it means that other people will actually understand what I'm talking about, and gives me a tiny bit of faith that MS customer support isn't just this bad all the time.

I just want it to be over -.-. I've had Gears of War 3 for at least 2 damn weeks, and I still haven't gotten to play it with anyone else, or input the vast pile of frikkin DLC codes I'm just praying will still work when this is all sorted out.

Edit: One of the things that creeped me out is that I have never mentioned my Windows Live ID to anyone, and I know for a fact I have never logged onto the account from any computer ever, it was made on my Xbox, and it's been logged onto with my Xbox for the roughly 5 years I've had that profile.

And on that note, I want my 40 thousand gamerscore, and hundreds of dollars worth of game licenses on that profile back xD. If it wasn't for that stuff I would just start over for all the trouble this caused me. It's a mixture of anticipation and just plain fear, because the general time the recovery process seems to fit into is 25 to 30 days, which is what they told me on the phone as well, but a lot of people insist that it can drag well into 2 to 3 months, which isn't gonna work. If we get into mid November and my live isn't back up, I'm breaking a piggy bank open and jumping ship to PS3, because I am not missing Dungeon Defenders, Skyrim, and Saints Row the Third xD. This isn't a fanboy comment, I really just cannot be down an online profile and whatnot for another high profile launch, being knocked totally offline for Gears 3 fucked my social life man xD. My friends were not merciful about my situation. The 30 day range ended a few days ago anyways, as my account was breached and reported on the 9th of September as stated above. So in a just world, it's any day now...as if.
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
Hisshiss said:
Shit dude, that's bad. I was told 7-30 days on the phone, but with the caveat that, and I quote: "obviously, there are exceptional cases". The guy on the end of the phone was actually quite friendly and helpful, particularly patient when I had to reset my secret question because I forgot the answer (derp).

I'm in pretty much the same boat as you in regards to my interwebs security. Never give out my details anywhere, to anyone. Even got one of those "gimme ur pass and get free shiz" messages on XBL. Dutifully ignored it. I accessed my LIVE account briefly when I first set it up, but haven't touched it for ages. Closest I've ever come to revealing anything XBL related is linking my GT here on Escapist, which I told the support guy.

So yeah, hope you get your account back soon fella. If you haven't got it back by the end of the week, give them a ring and find out what the deal is.
 

Hisshiss

New member
Aug 10, 2010
689
0
0
Idsertian said:
Hisshiss said:
Shit dude, that's bad. I was told 7-30 days on the phone, but with the caveat that, and I quote: "obviously, there are exceptional cases". The guy on the end of the phone was actually quite friendly and helpful, particularly patient when I had to reset my secret question because I forgot the answer (derp).

I'm in pretty much the same boat as you in regards to my interwebs security. Never give out my details anywhere, to anyone. Even got one of those "gimme ur pass and get free shiz" messages on XBL. Dutifully ignored it. I accessed my LIVE account briefly when I first set it up, but haven't touched it for ages. Closest I've ever come to revealing anything XBL related is linking my GT here on Escapist, which I told the support guy.

So yeah, hope you get your account back soon fella. If you haven't got it back by the end of the week, give them a ring and find out what the deal is.
You and me do appear to be in the exact same boat, my gamertag is mentioned on my Escapist profile, and my Facebook, otherwise there hasn't been a trace of it anywhere. The girl I talked to on support was also incredibly friendly, guess they have to be. And she said 25 business days, which I assume means excluding weekends and all the buggerfunkin holidays that crop up out of nowhere.

That being said, they insisted that if it takes any longer than exactly 25 business days, I will get "reimbursed", who knows what that means and if it's even true. As for the phishing things, I played MW2 and Black Ops for a few months after each of their releases with a friend, and we got those bullcrap 1600 Microsoft points 10th prestige invites and whatnot after literally every single match for months on end, so needless to say I make wide turns around any and all things of that nature, which I was very aggressive in pointing out to the customer support line, I'm not letting them pin this shit on me, my account is sparkling clean, and has been for the like 5 years (at least) I've been paying for Gold, and buying games off their marketplace.

The biggest kick in the teeth here is that after buying the 10,000 points, they tried to add another email to my Windows ID, so all password resets would also go to them, basically making my account impossible to reclaim. And I assumed the original email had to confirm this first, which is also what the confirmation email I got over it implies. Problem is, when I follow the link to cancel the request, it makes me log in, which I can't without resetting a password. Which I can't do, because at the moment the account tries to send that password reset to me, and the other email that is apparently already on the account even though I didn't confirm it.

Seriously, how the fuck does that work? -.-. I was thinking maybe I could reset the password, and then log in, and cancel that request, but I'm paranoid that they could just hang onto that password reset email it would send, and then just jack me all over again...worst part is, I accidentally DID send one of those requests about 3 weeks back, so now I just have to pray they don't use that one to screw me over. I did mention in detail that the extra account was NOT mine, so here's just hoping Microsoft will wipe it off the account in their cleanup process, and that for whatever reason, he can't use that first password change I sent by accident.

Edit: Online security should not be this goddamn complicated.
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
Hisshiss said:
-snip again-
Hmmm, not sure I linked mine to FB or not, will have to check. But yeah, you're on the right track making sure they know what you do and don't do with your account. You'd think that they'd be able to check into accounts a bit quicker as well, especially those without bank cards linked to their accounts, as they don't have to go waiting on people from X bank to get back to them. They should just be able to go: "Ah yep, this account has a lot of activity here, but then it suddenly zips off here to Russia and spends a load of points before being pulled back to the original location and console. Seems legit."

But then, that's large corporations for you; bogged down with their own size.

EDIT: Just seen your edit. That is majorly borked there, something has definitely gone tits up if you can't cancel a password change. I suggest you try and contact Windows LIVE support as well, see if you can't get that cleared up. Maybe mention you have a similar ticket open with XBL Support too and that this is related.

EDIT 2: Can you see what that new email address is? If you can, it could be instrumental in tracking down who's responsible, though I suspect it's probably a dummy address and will likely amount to nothing.
 

Hisshiss

New member
Aug 10, 2010
689
0
0
Idsertian said:
Hisshiss said:
-snip again-
Hmmm, not sure I linked mine to FB or not, will have to check. But yeah, you're on the right track making sure they know what you do and don't do with your account. You'd think that they'd be able to check into accounts a bit quicker as well, especially those without bank cards linked to their accounts, as they don't have to go waiting on people from X bank to get back to them. They should just be able to go: "Ah yep, this account has a lot of activity here, but then it suddenly zips off here to Russia and spends a load of points before being pulled back to the original location and console. Seems legit."

But then, that's large corporations for you; bogged down with their own size.

EDIT: Just seen your edit. That is majorly borked there, something has definitely gone tits up if you can't cancel a password change. I suggest you try and contact Windows LIVE support as well, see if you can't get that cleared up. Maybe mention you have a similar ticket open with XBL Support too and that this is related.

EDIT 2: Can you see what that new email address is? If you can, it could be instrumental in tracking down who's responsible, though I suspect it's probably a dummy address and will likely amount to nothing.
I have the entire confirmation email about it foldered just in case, as I'm afraid to attempt to cancel it for fear of just giving them a free password change in the process. Wasn't really sure if it was appropriate to disclose an email address on a public forum, particularly if it's connected to a situation like this. But yeah I have it.

And I mean I could most likely cancel it, just do a password reset log in, and say fuck that email, but because of an obvious glitch in the way the system should work, they are gonna get a password change email out of this process. So my hands are tied =\.

I've got that friend in question coming over for an in person visit later today, and having some company around is gonna give me the stones to make a move. So I'm gonna take your advice and contact Windows Live support, depending on how that goes, I may just say fuck it and do the password reset, try to get that leech address off my account, and possibly call Xbox support again, see if I can squeeze any info out of them about exactly what the hell is going on. I don't have much constitution when it comes to hackers, these sort of things just make me feel sick and weak spirited, so I need a buddy at my side to really try to accomplish anything.

Having an account hacked is one thing, but when they try to attach, and in this case succeed, another address to it like that... I just feel violated. This whole situation is just a colossal breach of my virtual space x.x.
 

BlueSinbad

New member
Oct 18, 2010
319
0
0
"Le LoL" I just realised when reading this and almost panicking thinking I better remove my card details, that my card registered to my account isn't even valid anymore, I broke the card and got a new one! That's a double whammy seeing as you can't easily remove your card from the system, suck on that both Hackers and Microsoft!
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
Hisshiss said:
-so much snip-
That was probably an incredibly good bit of foresight there, keeping hold of that might do some good. Not much I can do with it (though thanks for the friending :p), but give it to MS and they might be able to push it through appropriate channels. I'm sure they'll likely be pursuing every available legal channel they have, purely on principle, despite trying to keep it hush hush.

BlueSinbad said:
"Le LoL" I just realised when reading this and almost panicking thinking I better remove my card details, that my card registered to my account isn't even valid anymore, I broke the card and got a new one! That's a double whammy seeing as you can't easily remove your card from the system, suck on that both Hackers and Microsoft!
Ha, win. My dad has asked for a new card from his bank, since MS are refusing to let him disassociate it because he had auto-renewal on, despite turning it off. So he has to wait until the Gold period expires before he can remove it. Of course, he still has to wait until the 17th for the new card to get here and make the old one inactive, but now it's just a case of keeping a close eye on any transactions and nipping them in the bud via the bank should they crop up.
 

BlueSinbad

New member
Oct 18, 2010
319
0
0
BlueSinbad said:
"Le LoL" I just realised when reading this and almost panicking thinking I better remove my card details, that my card registered to my account isn't even valid anymore, I broke the card and got a new one! That's a double whammy seeing as you can't easily remove your card from the system, suck on that both Hackers and Microsoft!
Ha, win. My dad has asked for a new card from his bank, since MS are refusing to let him disassociate it because he had auto-renewal on, despite turning it off. So he has to wait until the Gold period expires before he can remove it. Of course, he still has to wait until the 17th for the new card to get here and make the old one inactive, but now it's just a case of keeping a close eye on any transactions and nipping them in the bud via the bank should they crop up.[/quote]

Ha good, yeah Microsoft can be tools when it comes to removing your card and turning auto-renewal off, luckily my membership runs out in February, so when it finally does, I'll just be buying redeemable codes from stores instead seeing as that's always been the safer route, I've just been lazy in the past and paid by card...but I don't have to worry about that now do I...

Just to reiterate, suck on that Hackers AND Microsoft!

EDIT: Stupid quoting not working for some reason!
 

Furioso

New member
Jun 16, 2009
7,981
0
0
From what I can tell the xbox website is down, so I get to live in fear for a while, yaaaaaay
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
BlueSinbad said:
EDIT: Stupid quoting not working for some reason!
Le lol. :p It's typical MS though tbh. Make things as difficult as possible for the consumer not to give us money, so they just give up and give us money. Winrar!

EDIT: That said, that's typical of most corporations.
 

tharglet

New member
Jul 21, 2010
998
0
0
Heard of this before. Found posts in May, Aug and Sept '11 on these boards that report the same thing - someone hacked their account and used it for FIFA.

Seems odd these reports keep cropping up.
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
tharglet said:
Heard of this before. Found posts in May, Aug and Sept '11 on these boards that report the same thing - someone hacked their account and used it for FIFA.

Seems odd these reports keep cropping up.
May?! Jesus Christ on a jumped up chariot driven crutch! (cookie for reference) If that's true, then this really is bigger than the PSN hack. Nice work Microsoft, real nice.

EDIT: Just thought of something. When it got bad, Sony killed the PSN while they fixed the issue. I cannot see this happening with XBL, as it's a paid for service and MS stand to lose money by doing so. Not to mention the legal minefield of denying people a service they've paid for. Which means, this will probably keep happening to people for quite some time.
 

BlueSinbad

New member
Oct 18, 2010
319
0
0
Idsertian said:
BlueSinbad said:
EDIT: Stupid quoting not working for some reason!
Le lol. :p It's typical MS though tbh. Make things as difficult as possible for the consumer not to give us money, so they just give up and give us money. Winrar!

EDIT: That said, that's typical of most corporations.
Very true! Meh either way, I think I just inadvertently shafted Microsoft when I accidentally broke my card! Mwahahaha.

That's what they get for being cash-whores..

Also folks, hacking isn't cool, don't do it, those who do, a back-hand to the face for you and your many dirty hacker offspring.
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
BlueSinbad said:
Very true! Meh either way, I think I just inadvertently shafted Microsoft when I accidentally broke my card! Mwahahaha.

That's what they get for being cash-whores..

Also folks, hacking isn't cool, don't do it, those who do, a back-hand to the face for you and your many dirty hacker offspring.
Hehe, I like your style. Amen to that last, it is most definitely, uncool.
 

GiantRaven

New member
Dec 5, 2010
2,423
0
0
There's something particularly weird about this. How many people are doing the hacking? It must be quite a lot since I imagine the same few people aren't playing FIFA 12 for the same three achievements and DLC over and over.

If it is quite a lot of people, how is this information getting around? Why is it only being used for FIFA 12 DLC?

It literally makes no sense to me.
 

Idsertian

Member
Legacy
Apr 8, 2011
513
0
1
GiantRaven said:
There's something particularly weird about this. How many people are doing the hacking? It must be quite a lot since I imagine the same few people aren't playing FIFA 12 for the same three achievements and DLC over and over.

If it is quite a lot of people, how is this information getting around? Why is it only being used for FIFA 12 DLC?

It literally makes no sense to me.
I have heard it posited that it's not a person, but some sort of bot doing it. I honestly don't know how likely or easy that'd be, but it makes sense given the mindless repetition of the task. Unless whoever's doing it is a die-hard MMO fan or something, FIFA notwithstanding.