Microsoft investigating possible Xbox Live hacking
CNet has the scoop on what a Microsoft representative calls "reports of fraudulent activity and account theft taking place on the Xbox Live network." The company is investigating the claims, which include use of stored credit card information to run up massive Xbox Live points charges. It's not yet clear how extensive these problems are, but anecdotal evidence from forums and web sites shows how the apparent theft can manifest itself. It's not yet known if the unauthorized use is the result of hacking in Microsoft's network or a phishing scam to get login details from individual users.
We're waiting to hear back from Microsoft on the extent of the problems and what specific steps are being taken to fix them. We'll keep you posted.
Update: Major Nelson: No Xbox Live security breach










Reader Comments (Page 1 of 1)
CowboyGA @ Mar 21st 2007 11:18AM
Just to point this out, but if MS can find the culprits (with static IP addresses and easy to find points-recipients, they will find at least a few), then MS can and will press charges. If the culprits are in the US, they could possibly face felony charges.
If the thieves are outside of the US, things will take a bit longer, but it's safe to say that some misguided hacker will be sharing a cell with a lonely inmate.
Hope it was worth it!
delldude420 @ Mar 21st 2007 11:54AM
why not just not allow pc to xbox online play? it's pointless unless they force users to play with the xbox 360 controller. not fair to use keyboard anyways, plus the pc can easily be used for hacking, meaning way more cheaters on live than needed.
Goober @ Mar 21st 2007 11:32AM
Can you say Norton Internet Security for Xbox?
Norton 360 for Xbox 360
Believe it.
Hannibal @ Mar 21st 2007 11:33AM
With how few people have reported problems, I'm going to guess that they either got phished or are using easily-hacked modded 360s. In either case, cry me a river.
Admiral @ Mar 21st 2007 1:02PM
It's good to see that XBL has many of the same features as Windows. Hackers welcome! Put your feet up and stay awhile!
Great work, Microsoft. Looks like the price of XBL is about to go up.
Blizz4l9 @ Mar 21st 2007 11:39AM
i hope not goober, Nortons is the absolute worst anti-virus to use.
joe smith @ Mar 21st 2007 1:41PM
no way the servers and system have been hacked. I mean why bother trying to do something that difficult when scamming people is so much easier?
And if those two links are the best Joystiq can dig up, I find myself totally unconcerned.
Wintermuted @ Mar 21st 2007 12:22PM
Holy Sensationalism Batman! One person posts a remark in the xbox forums about his account getting 'hacked', and by his grammar and spelling looks to be a few sandwiches short of a picnic, and one other person has his account stolen, and this is news?! Wow, must be a slow news day around the world for this to make CNN...
kris @ Mar 21st 2007 11:46AM
@ cowboyGA....I can't see that if someone has gone through all the hassle and technical problems of hacking the xbox live accounts and managing to get to a credit secure account, only to be undone by a static IP address.....
Jake @ Mar 21st 2007 11:53AM
There aren't enough details to even know what is going on yet. When you give your credit card info to Live, it can only be used to charge things given to your box. So, I see several possibilities here.
1) Standard Credit Card theft. People stole some credit card numbers and used them to buy stuff for their box. Extremely unlikely that this is the case, as most thieves aren't stupid enough to buy stuff with a perfect electronic trail to their 360.
2) People getting account info and/or hacked/modded xboxes to just charge a ton of stuff to somebody to f with them. Run their bill up on stuff they got, but never ordered.
3) People actually hacked Live and used it to extract credit card info or make false charges. Scary.
All in all, this isn't surprising. Has anything ever not been hacked?
Virtua Fanboy @ Mar 21st 2007 11:53AM
I bet it's from phishing and not "hacking" necessarily.
-=v00d00=- @ Mar 21st 2007 12:05PM
Two things to note:
1. Microsoft is the second most attacked entity in the world. Second only to the US government. They know how to implement security.
2. Given #1, there is most likely a more germane explanation such as plain old credit card theft or other phishing attack. Not a weakness in Xbox Live! security architecture.
MS frequently posts large cash rewards for catching the more prolific of hackers so if this is indeed happening, his friends will be sending him up the river for a couple hundred thousand bucks to spend on MS points to be sure.
:-)
Matt Wagner @ Mar 21st 2007 12:02PM
@ 8
Shadowrun claims no difference between PC and Xbox players. i personally hate using the mouse and keyboard, i think it's a matter of preference, so i don't see what the problem is. the more people to play against, the better.
Vidikron @ Mar 21st 2007 12:03PM
@8
What are you talking about? Your comment has nothing to do with this new item.
Anyway, I haven't looked at any of the claims, but it makes me wonder if maybe some children or asshole friends are responsible for these charges? If you enter your credit card info it gets saved so that you don't have to send it again when purchasing stuff on the Live Marketplace. I can easily see someone's kids getting on Live without the parents around and racking up charges buying games and such. Then the parents either don't realize what happened or claim the charges are fraudulent to try and get out of them.
Perno @ Mar 26th 2007 12:44AM
@ Hannibal: "With how few people have reported problems, I'm going to guess that they either got phished or are using easily-hacked modded 360s. In either case, cry me a river."
1. Not that I have a clue, but I don't think hackers would go after people with modded 360's, that's like cannibalism.
2. CC info is stored on the MS servers, not on the 360's. So I would agree with the phishing angle.
Grindstone @ Mar 21st 2007 12:17PM
Allow me to add my circumstance. I sold off my old Xbox after I got the 360. Last June on my credit card billing statement there was a $49.99 charge for XBL. Odd, as I had already paid for it on my 360 earlier. After I called the service number, I was informed that my old Xbox had connected onto Live, and that my embedded credit card number on the harddrive had been used to do so.
So, what if Msoft is sending out refurbished 360s to people with someone else's credit card number still on them? Sure, seems like a grievous oversight, but is it plausible?
Effing BS @ Mar 21st 2007 1:46PM
If this is true then this f-ing blows. I've tried a number of times to get my credit card removed from their systems, but for some unknown reason they "can't do it." If my credit card gets charged, I'm seriously going to go ape-fu--ing-sh-- on MSFT's customer service representatives.
Robert Andrews @ Mar 21st 2007 2:08PM
@12
I'm irate right now at Microsoft Xbox Live. Their policy inside the Terms Of Service says that they will not delete your credit card information, even if you ask them. I called them yesterday because i had received a charge on my debit card, and i didn't buy anything. Well someone bought points, and even though i had another card active in the 360 it charged the other one. So i asked customer service to remove my information and they said there's no way to delete a credit card from your XBOX live gamer tag. They hold on to your info forever, so now i have to cancel my card.
-=v00d00=- @ Mar 21st 2007 2:11PM
Let me assure you as an information security/compliance expert that Microsoft is NOT storing card holder data in the clear on an Xbox HD. That would be a clear violation of plenty of privacy laws as well as Visa/Mastercard's own PCI standards, not to mention common sense. Crypto is being leveraged, there are far easier ways to get your information than via Microsoft. Fake ATM card readers, crooked waiters, a gas station attendant with a card reader and a laptop have all worked before and are far easier to implement than hacking Xbox Live!
snapper @ Mar 21st 2007 2:27PM
This is why I refuse to ever put in my credit card on any system. It includes consoles or any other web server.
For XBL, I simply buy a card from the store and use that.
Admiral @ Mar 21st 2007 5:19PM
Wow...the Microsoft apologists are hard at work today.
There's a reason why people attack Microsoft's products...they have large gaping holes in security.
Why should XBL be any different?
WebPimp @ Mar 21st 2007 1:09PM
Phishing...can almost promise you that is the problem.
Ebolaboi @ Mar 21st 2007 2:02PM
Ahhh Microsoft!! this is just as crappy as Vista!!
Contra666 @ Mar 21st 2007 1:17PM
@ 6
If you sign in with an account on an Xbox (doesn't have to be yours), any purchases you make will be tied to that console. So hackers could use a different console, buy lots of content and then they could disconnect and it would work forever.
@12
It sounds like you never cancelled Xbox Live on your original Xbox.
Credit Card details aren't stored on the console, they are stored at Microsoft's servers.
Contra666 @ Mar 21st 2007 1:52PM
@ #17
You can go to http://billing.microsoft.com and remove OLD credit cards as long as you have a current one to switch your account to.
But once you put a credit card on the account, it's not possible to not have a credit card on file.
Lord Avedon @ Mar 21st 2007 2:00PM
Symantec sucks.. I want McAfee for 360
Contra666 @ Mar 21st 2007 1:53PM
@ #19
That won't get you anywhere. They are the only people (other than your credit card company) that can help you.
Be polite and they are more likely to help.
Matt Wagner @ Mar 21st 2007 2:05PM
@ 17
i had a similar problem. i switched banks, and in doing so, got a new credit card. every time i go to purchase something on XBL, i have to switch from my old credit card to my new credit card. it's a minor inconvenience, but i would feel better about it if i could just delete my old account information.
Matt Wagner @ Mar 21st 2007 2:09PM
so i should have read further before posting. my mistake. thanks #20 for helping me out with that one.
Larry @ Mar 21st 2007 4:44PM
I dunno...Everything I've read on XBL forums it seems more like a case of phishing than actual hacking. Judging by some of the complaints and the Third Grade English used by the complainers they seem to have phish me and fry me scrawled all over them.
Not defending Microsoft one bit, and believe me I am a bit concerned. But whenever someone screams HACKER when a CC account 9 times out of 10 it's just someone who got conned by a fake email or some Nigerian promising millions.
rfom @ Mar 22nd 2007 1:04AM
WELCOME
To the GREAT "Much better than PS3 online service" -
XBOX Live (USD 200/4 years)
Funny, just like the PS3 console never burns and dies like 360, you never hear stories like these about the "woefully poor" PS3 network (Some snippets from the cnet article)
Gamers have been reporting the incidents for some time.....frustrated with the response to date.
..account was hacked and all credit card info was stolen and used to run up points...Microsoft says: 'Oh, well, better call your credit card companies, nothing we can do...
...was playing Halo when some of their opponents threatened to steal their accounts...Literally the next day my girl's account was locked out.....calling Microsoft was no help and that he got the runaround from the support people...My account is currently being investigated after about seven frustrating calls
Rod Oracheski @ Mar 21st 2007 5:26PM
I agree that it sounds a hell of a lot more like people giving out their account info than any actual hacking took place.
It reminds me of the constant "I GOT HACKED!!!" posts on Blizzard's forums for World of Warcraft. Every single time it comes down to someone giving out their account info or downloading something they shouldn't have, not Blizzard being hacked.
Stupid people will be stupid. Period. Giving them a computer just makes their damage potential greater.
D @ Mar 21st 2007 10:42PM
Why are you people surprised? You are talking about Microsoft - creators of the most compromised operating system in the world.
Do you not research the company you buy products from?
If you don't, well Caveat Emptor.