Hooray! Xbox Account 'hacked'/stolen etc

Yep it's still happening!

Got some missed calls from the bank's fraud dept. and was told they were for transactions to MS. Quick login to the xbox account and 10,000 MSPoints have been bought and 12,460 been spent :\

Card cancelled and new one issued but now to deal with xbox support. Just what I needed :(

Anyone else know how long this takes?
 
They say it takes around two weeks, was roughly that for me. Have to say I'm surprised this saga is still going some five months later :mad:. Take it your points were spent on Fifa stuff?
 
Yup! FIFA stuff all over the place :\ Lost the 2k+ points I had on the account as well.

Password has been changed plus something else I spotted in the System menu:

You can force the console to ask for email/password each time you log into Xbox Live on both your own console & any other console.

Well worth changing and I can't believe MS aren't making a bigger noise about it given the amount of time this has been going on :(
 
Surely if it's a problem at MS's end, it would result in more than just FIFA packs being purchased?
Maybe it's time to start asking questions of EA?

For example, unless I'm wrong can't you log onto that FIFA card thing from a web client, with just your EA details, and purchase packs because it's linked to your console?
 
I'm glad I have never and will never put my card on live. My account got hacked and my live Id password changed but luckily they could do nothing with it other than cause me a couple of hours grief getting my password changed and account back.
 
Surely if it's a problem at MS's end, it would result in more than just FIFA packs being purchased?
Maybe it's time to start asking questions of EA?

For example, unless I'm wrong can't you log onto that FIFA card thing from a web client, with just your EA details, and purchase packs because it's linked to your console?

People buy Fifa packs with stolen Gamertags, because they are the easiest thing you can buy on the marketplace that translates into cash.

People sell Fifa ultimate team players/coins all the time on popular auction sites.


*edit*

You can log on to the Fifa webapp ( http://www.ea.com/uk/football/fifa-ultimate-team ), using just your email address and password and security question. However, you cannot buy/spend any MS points from the webapp. That can only be done from the console.
 
Done the phone calling nonsense, account locked down for 25 days, console effectively rendered useless!

Pretty annoyed now since I'm on holiday all this week and had planned to set up a new console and transfer its data/licenses :(

Also off to a LAN at the weekend as well.....gonna be crap without XBL :\
 
Sorry to hear about your bad news. I understand the official line is that the investigations from MS take 3 to 6 weeks, but recently they have been quicker than they used to be.

Out of interest did you have an EA online account from playing Dragon Age, ME2, BF series or another EA game?

I personally still suspect this is the route in, although it's fair to say nothing has been confirmed. A while ago an article was run showing the loophole in EA webpage where people could request a password reset from EA and then try this gamertag/password combo (amazingly a lot of people are using the same password on both services) on Xbox Live (all from the URL). The other suggestion is that there is a brute force method which has recently been tightened up by MS. One of numerous Eurogamer stories:

http://www.eurogamer.net/articles/2...d-xbox-com-security-secretly-tightened-report

Either way for anyone else; remove your card from Live if possible, change your password (long, unique, random, and a mixture of alpha and numeric characters - no words, easier to break) and turn off the auto log in as mentioned.
 
Surely if it's a problem at MS's end, it would result in more than just FIFA packs being purchased?
Maybe it's time to start asking questions of EA?

For example, unless I'm wrong can't you log onto that FIFA card thing from a web client, with just your EA details, and purchase packs because it's linked to your console?

Yeah, but you can't buy with MS points, only coins, but chances are most people use the same login for both which I guess makes it easier for hackers.
 
Reports that MS are refunding and re-activating accounts a lot quicker now.

My advice is to remove all cards and make sure your EA account email and pass are not the same as your MS one.
 
Sorry to hear about your bad news. I understand the official line is that the investigations from MS take 3 to 6 weeks, but recently they have been quicker than they used to be.

Out of interest did you have an EA online account from playing Dragon Age, ME2, BF series or another EA game?

I personally still suspect this is the route in, although it's fair to say nothing has been confirmed. A while ago an article was run showing the loophole in EA webpage where people could request a password reset from EA and then try this gamertag/password combo (amazingly a lot of people are using the same password on both services) on Xbox Live (all from the URL). The other suggestion is that there is a brute force method which has recently been tightened up by MS. One of numerous Eurogamer stories:

http://www.eurogamer.net/articles/2...d-xbox-com-security-secretly-tightened-report

Either way for anyone else; remove your card from Live if possible, change your password (long, unique, random, and a mixture of alpha and numeric characters - no words, easier to break) and turn off the auto log in as mentioned.

If it was EA at fault why doesn't this happen to the same extent on PSN? Especially considering the much publicised issues with regard to security? Just doesn't make sense if the whole same login details thing was the main route to getting hacked...

ps3ud0 :cool:
 
I bet that a fair amount of the time this sort of thing is due to people succumbing to a phishing attempt. The players in the FIFA thread that have had their accounts compromised have all been known to buy coins from dodgy sources for example.
 
If it was EA at fault why doesn't this happen to the same extent on PSN? Especially considering the much publicised issues with regard to security? Just doesn't make sense if the whole same login details thing was the main route to getting hacked...

ps3ud0 :cool:

I don't know for a fact, obviously it's just a suspicion I have. From one of the other forums I'd seen people admit they were using the same password for EA/Origin accounts. So it's reasonable that if you're using the same password for different services (i.e. equally a webmail or something similar) you're at a higher risk of your account being compromised.

Regarding PSN, what springs to mind:

  • Does PSN allow 'one-click' purchases in the same manner as LIVE? I've not bought anything off PSN for a long time but I've heard that the CVV number is stored locally rather than stored with your card details. My guess is there is an extra security measure making it harder to buy on PSN.
  • Also are Fifa UT purchases transferable, or can Points be transferred in the same manner as LIVE? If not then perhaps Sony's machine activation system is more secure.

Also just because Sony were found to be wanting on security recently of storage of customers details (on such a massive scale) doesn't mean they aren't stronger in other areas (i.e. having a 'Captcha' system on customer web portal for example).

I should add this to the next-gen wish list thread, but I hope that MS/Sony/Nintendo etc. do think about adding; Security/Mobile App Authenticators, 'Steam Guard' or 2-stage verification systems, forced password/question logins on purchases and NOT storing card details all in one place as standard. I know they hate this because it reduces the impulse purchases, but I think better account or services protection is long required.

EDIT: Actually thinking about it, there are probably few reasons why better security measures can't exist now. So actually this should be a priority for MS, Sony and Nintendo etc. if just to help customer confidence.
 
I personally still suspect this is the route in, although it's fair to say nothing has been confirmed. A while ago an article was run showing the loophole in EA webpage where people could request a password reset from EA

Source on this?


I know there was definitely an issue with both the NWN db and the SWTOR forums recently.

In both cases however, EA did notify customers almost indefinitely. TBH I'm more inclined to believe that a lot of FUT compromised accounts are the result of phishing scams. (My brother plays, and he literally gets messages dozens of times a night with links to websites, and people offering him "Duplicate player tips".)

I was aware of the MS password issue, good to see they're making changes to fixing it. With brute forcing tho, a secure password can often prevent that.
 
Source on this?


I know there was definitely an issue with both the NWN db and the SWTOR forums recently.

In both cases however, EA did notify customers almost indefinitely.

I remember that the Bioware Forums were broken into in June of last year and they enforced a password reset in October.

There were a few threads suggesting (c. November) the method for gaining access to the Xbox live tag via EA password reset. Although it was meant to have been fixed. The method listed would be outrageous if it was one of the causes.

http://www.rllmukforum.com/index.php?/topic/252590-xbox-live-security-issues/page__st__120

The first page of the post above includes some further links and summaries of media stories etc.

Again there might be other tricks (contacting MS or EA for reset password etc.) for getting access to users accounts which are being abused, and I've noticed the MS Security Support (http://www.xbox.com/en-US/Live/Account-Security/) pages talk about these methods in detail.
 
I remember that the Bioware Forums were broken into in June of last year and they enforced a password reset in October.

There were a few threads suggesting (c. November) the method for gaining access to the Xbox live tag via EA password reset. Although it was meant to have been fixed. The method listed would be outrageous if it was one of the causes.

http://www.rllmukforum.com/index.php?/topic/252590-xbox-live-security-issues/page__st__120

The first page of the post above includes some further links and summaries of media stories etc.

Again there might be other tricks (contacting MS or EA for reset password etc.) for getting access to users accounts which are being abused, and I've noticed the MS Security Support (http://www.xbox.com/en-US/Live/Account-Security/) pages talk about these methods in detail.


Nothing solid then. Hopefully if it did exist, it's been fixed by now.

On the other hand, I do think that it is likely phishing/scamming; a lot of Xbox users use the same password for both EA and Xbox live, not to mention that most of them are kids- who aren't too clued up on security.

Never underestimate the gullibility of people when free stuff is offered.
 
Nothing solid then. Hopefully if it did exist, it's been fixed by now.

On the other hand, I do think that it is likely phishing/scamming; a lot of Xbox users use the same password for both EA and Xbox live, not to mention that most of them are kids- who aren't too clued up on security.

Never underestimate the gullibility of people when free stuff is offered.

Yeah, if you read through the thread, by page 12, they're pretty sure it's not EA-specific, but MS related. Makes me happy I'm a PC gamer :p
 
Yeah, if you read through the thread, by page 12, they're pretty sure it's not EA-specific, but MS related. Makes me happy I'm a PC gamer :p

I'm still not sure. The EA tricks, the URL loophole or account recovery crop up far too many times for my liking when you start reading about this stuff. Particularly if simple loopholes like the EA account defaulting to the LIVE password when it was created from a Fifa or Madden demo were true at some point (again too long since I've created my EA account). The fact that EA have so much data on their service in comparison to other publishers means the eye of suspicion will point there. Again I'm convinced that at least some of these 'hackings' have been due to people having the same password for EA/Origin and then LIVE.

Of course there are multiple other routes in to people's accounts though.

For me it feels like it's happening on too large a scale just to be phishing. I think there have been or are loopholes that have been exploited, as much as people have been reusing passwords or have too simple passwords.

Again highlights the need for better security from MS. A lot of PC services do go that extra mile in terms of 2 step verification or authenticators.
 
Particularly if simple loopholes like the EA account defaulting to the LIVE password when it was created from a Fifa or Madden demo were true at some point. Again I'm convinced that at least some of these 'hackings' have been due to people having the same password for EA/Origin and then LIVE.

Of course there are multiple other routes in to people's accounts though.

For me it feels like it's happening on too large a scale just to be phishing.
I'm not sure about way back then, but I know now that if you don't have an EA account with your gamertag, you will be asked to make one. I think it does default to the xbox email/pass, but you are asked to confirm that you want to use those before you can make the account.

A lot of Xbox users are young kids (same is true with fifa players). I imagine it is primarily phishing or scamming. If they use the same password on other forums for example, that's probably gonna cause it as well. I honestly don't think there's anything else going on, other than people being stupid and handing over information.

Look at someone's Facebook profile for example, how much information can you glean from one of those- and most people don't even have the privacy settings set secure enough.

I think if it was EA related, there'd be a lot more PS 3 users affected. Correct me if I'm wrong, but the PS 3 demographic is a lot older than Xbox? Fifa is available on the PC as well :p

Also, how many people will use football passwords. I guarantee you, there are a lot of people out there with a full Arsenal team, and the password Arsenal1.
 