Microsoft said it has intervened to restore the Xbox Live account of a customer hit by an overseas phishing scam, and has refunded all unauthorised charges the scammers were able to make while her complaint was lost in customer support and the account was never properly locked down.
Further, a Microsoft spokesman tells Kotaku that the company is reviewing its procedures in light of this incident, another embarrassing manifestation of a phishing crime wave that has snagged ordinary users and even journalists.
"The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," the company said in a statement. "However, we are aware that a handful of customers have experienced problems getting their accounts restored once they've reported an issue. We are working directly with those customers to restore their accounts as soon as possible and are reviewing our processes to ensure a positive customer support experience."
Microsoft went on to say that "While we do not ordinarily comment on specific cases, Microsoft can confirm that the account in question has been reinstated to its rightful owner and all unauthorised charges are being refunded in full." The victim in question said she had lost $US300 from her PayPal account to the thieves as her complaint was being mishandled.
The company repeated its assurances "that there has been no breach to the security of our Xbox Live service," which is fine to hear, but it misses the larger point that customers really care about: there is still a way for someone's account to be broken into and plundered for Microsoft Points or downloadable content, which is then sold on auction sites.
It's a delicate message, but in a phishing case the information used to break into the account typically comes from a third party, such as a compromised website where the victim used the same login and password. Microsoft doesn't want to blame the victim, and neither do we.
But it would be as good a time as any to remind folks to change their passwords, and perhaps use something that is unique to Xbox Live, so that a phisher who uncovers your email address and password because of another site's bad security can't use the same login and password on Xbox Live. Really, it's a good policy to have a unique password for any site that stores your credit card information. It's a pain in the arse, but it's the only way to be sure.