How Bad Is Microsoft's Xbox Live 'Hacking' Issue?

So late last year, people began to complain that their Xbox Live accounts were being "hacked". Microsoft said no, they weren't, but acknowledged there was an issue with unscrupulous types "phishing" for account info.

"It's not a hack, it's really just a different way to monetise stolen accounts," Microsoft's Doug Park said at the time. Well, that was a few months back and still, people are complaining that this is happening.

One such person, whose story makes for pretty grim reading, is 23-year-old Xbox Ambassador Susan Taylor. She claims that not only has her Xbox Live account been illegally accessed, but that when she contacted Microsoft about the problem, the company endlessly bounced her around customer support divisions and ultimately failed to lock her account. As a result she's lost over $US300 in purchases taken straight off her PayPal account, around half of it disappearing after Microsoft were supposed to have suspended her account for security purposes (see below).

The scam supposedly works like this: an Xbox Live account holder's login information is somehow obtained (how exactly this happens is unclear, and is why this has been bubbling along for a few months now). The "hacker" (or however they obtained the info) buys a Family Gold Pack, which lets the culprit gift Microsoft Points to nominated accounts. They then buy a ton of Microsoft Points, set up new Xbox Live Gold accounts and siphon the points into these new accounts. Finally, on the black market these loaded accounts are sold to customers for less than it would cost to subscribe to Xbox Live Gold and buy the points themselves.

Susan tells Kotaku that she has never played FIFA 12, the title which is most often thought to have been the cause behind the scam. She also tells us that her PayPal account and Xbox Live account did not share either a username or password (though they were obviously linked via her Xbox system).

Microsoft's inaction had a slight upside, though, as she also says the fact she could still log into her Xbox meant she could track down and message one of the people who received the stolen points.

That user claims he purchased the Xbox Live account from a Polish auction site, and handed over some of the details of the person he bought the account from so Susan could track them down.

What sucks here is that, if the story checks out, Microsoft's failure to lock her console down once notified of the breach resulted in Susan losing even more money. What sucks even more is that, three months after this mess first blew up, it's still happening and that even though Microsoft claims this is not a "hack", users are still losing accounts and money and receiving very poor customer service in return.

To see how poor, check out Susan's full account at the link below. We've also contacted Microsoft for comment, and will update if we hear back.

Microsoft: A Company With No Brains, Heart or Soul [Hacked On Xbox]


    My friend has also had this. Same problem, FIFA 12, MS Points purchased. Seems hundreds/thousands/probably more users are experiencing this?

    What I want to know is, why isn't this front page news "ZOMG END OF WORLD" like when PSN was hacked? This is a situation where people are getting hacked and losing money? Isn't that worse than the PSN hack? Not only that, but Xbox claiming that it isn't their problem? If your system is getting hacked, it's YOUR problem.

      Because, if MS are telling truthsies, this is not a hack but a phish. It's like the difference between someone pickpocketing your wallet, or walking up and saying "Hey mate can I have $5have your wallet"?

        Sounds like semantics wrapped in spin.

          Well, it depends on whether MS is telling the truth or not, but it's hardly a "semantic difference" - one was a breach due to Sony's poor security, the other is due to the user. I think MS's response in this story is poor (they could have closed the account sooner), but there is nothing they can really do if someone hands over their account access to a third party. Also, why didn't this person contact PayPal?

          If it was phishing, then MS would post detailed info on how this is carried out, i.e. example emails, websites, or messages.

          The fact that MS is quiet reminds me of the "There is no systematic hardware fault" statement on the systematic hardware fault that caused red-rings.

          That is, I would not be surprised if there is a wide-scale security breach, and MS are simply not telling anyone.

        My friend's only game she played on her Xbox was Harry Potter Deathly Hallows. Wakes up one morning, FIFA 12 is in played list, 3 achievements, MS points gone.

        At no point has she entered any details anywhere which could've been intercepted/acquired by the thief. That's the mysterious part, how do they get access to your account? Surely they must access it through XBL or the portal somehow.

        If it was a phish surely you'd find email accounts etc compromised also but it only seems to affect the XBL accounts.

      All of those 'FREE XBOX LIVE STUFF' websites are most probably the culprit, seeing as 99% of the interwebs are too stupid to use different passwords for different websites.

      When PSN was hacked, people's credit card details were obtained.
      In this case the best they can manage is to buy stuff on LIVE.

      It's terribad that Microsoft aren't locking the accounts and tracking the culprits the moment customer service is contacted, but at least in this case it's not any actual Microsoft servers being breached.

        With the PSN hack, they were encrypted credit card details and not a single case of fraud was ever tied to that. Microsoft are being a bit funny about this one; if you are an Xbox owner you should be concerned.

    Haha crappy Microsoft suck, if hackers are getting into their system then it's Microsoft's problem, that's why Sony is better.

      Yet, if you did any reading of the article, you'd see that no one has been 'hacked.'

      PSN was hacked. As in, hackers got into the system and access to all of the data.

      Xbox Live has not been hacked. People are getting phished, and in some cases people are using social engineering to grab vulnerable accounts. People keep calling it hacking in the headlines because they're retards.

        If you read the article, it's unclear HOW they got into these accounts - until that's determined then nobody can say with certainty whether it's hacking or phishing or whatever.

        One thing that the article doesn't make clear is what, if anything, MS is doing with these XBL accounts that have been loaded up with stolen points and on-sold (such as RipplyCorgi16). I hope they're shutting them down and refunding the purchases to the owners of the "hacked" accounts - those "gifted" points are stolen property.

        Whether it's hacking or phishing is merely semantics at this point. Once an account has been compromised, that account should be suspended IMMEDIATELY. Can you imagine if a bank or credit card company had reacted this slowly?

    Well, one thing you need to remember: when PSN got hacked, despite all the hype, very very few bank account details were stolen, and as such very little was lost in terms of money from the consumer. This crap with MS though, that is money out of the customer's wallet.

      People give Sony a lot of shit over the PSN hack, but what do you know? Few weeks > few Months when it comes to problem solving. Really MS, step up your game.

        So you're saying a few weeks is greater than a few months? Well done.

    This happened to me, FIFA 12 and MS Points, and Microsoft don't resolve that issue crap.... :(

    Customer service reps able to change Account Passwords?

    Wouldn't be the first time it's'll have to be some form of social engineering or phishing of some description, maybe even an exploit in FIFA12.

    It's kinda the same scenario with World of Warcraft, people pissed and moaned for ages it was Blizzard at fault, but from what I know, in every instance it's been the user.

    The only common theme here for a phishing scam sounds purely like FIFA12 is the culprit.

    The Windows Live ID is also used in multiple places, not just all comes down to someone having your e-mail address, and if it's occurred that e-mail address used for an account (on ANY website) which has been hacked and using the same password as your XBL one, well it doesn't take a genius does it??

    Similar thing happened to me, a predominant security website's forum was breached, one of my gmail accounts (which was used to register on this website) was exposed, along with the password..which was exactly the same for my PayPal $1500+ debited from my account and a crapload of e-mails later... I don't use the same password for multiple sites anymore...

      "a predominant security website’s forum was breached" if they stored a password instead of just a hash, then their own security is awful, and I wouldn't dare use them for your own security.

    My account was also breached using the FIFA 12 glitch. I've read into it further and the general consensus is that EA is to blame, and not Microsoft. There is a way to steal EA accounts which in turn allows people to gain access to the associated Live accounts.

    Recently had this happen to me. Being that I have never responded to or clicked any phishing links, it would be hard to know where they got my login from. But as I check my email often, seeing an email from PayPal for a payment at 3am and then an email added to my Live account, it was very suss to say the least.

    But dealing with the issue via PayPal was less of a pain than Microsoft.

    I suppose the question I need to ask is have you ever been to one of those sites that offer free MS points, you know the ones that encourage you to put all your account details up and sign up all your friends?

    Essentially the same as all those people who signed up for the free mount/pets in WOW.

    A fool and their money are soon parted...

    I'm an IT consultant and I'm damn sure I didn't get phished, and I protect my usernames/passwords securely. I don't use pirate sites and take special care not to download any trojans or worms. My XBL password is also a strong one.

    But I also got my account stolen, there is an achievement for FIFA 12 which I don't have and points used up. MS investigated and reinstated sure XBL database got hacked...

    I too have been hacked. Mine starts back about six months ago. I noticed on my account someone had charged 9.99. I know now that I should not have had my CC on there, but I figured all was good, should be secure, right? Wrong! For 6 long months I went back and forth with Xbox; finally I threatened to go to the media. A lady from what they call tier 3 calls me. She somehow gets my account unlocked, has me make up a new email, goes through all the things to be secure again. I was a beta tester so I had a 2-character name; I guess that is what the hacker was after? So about 2 weeks ago I go back to playing, and this time I buy all prepaid etc. etc. The guy once again hacks my account and is online playing while I am at work. Well, I change the password, he changes the password. This goes on for about an hour. Then all of a sudden my phone rings. It is the hacker. Yes, the hacker called me and wanted to know why I put that on my account. Really? He then proceeded to tell me where I lived. He shouted out my Amazon account information along with credit cards etc. etc. This is stuff all linked to my email, Hotmail, that is also linked to my Xbox Live account. I am now in the process of trying to have them just close my account. I have tried to close the email addresses but have not had any luck with that. I get the runaround and now I have some weirdo calling me. I have gone to the authorities. This is getting way out of hand; there should be something someone can do. We do pay for this service; we should be protected.

    I blame it on third-party Xbox Live apps. I was stupid enough to use apps on Android etc. before first-party solutions came along. I really believe a lot of these phishing scams originate on the Android platform. Complete speculation... but this crap happened to me a few months after I got my Galaxy S and I started using third-party apps that I kinda trusted but found useless....... Good reviews can easily be faked.

