It's been several months since we started following the "FIFA hack," a rather blunt scam that saw Xbox Live accounts drained so thieves could purchase in-game FIFA 12 'Ultimate Team' cards for use and sale. We have been tracking the FIFA issue and following up on other tips that weren't necessarily rooted in the FIFA hack, but related in that users saw exploitation of payment methods tied to their account. A recent Shacknews editorial detailed accounts compromised by the FIFA exploit.
"I was sitting on my couch watching ESPN on my daughter's Live account when the Xbox Live friends notification popped up and said that I had just signed in to XBL. I took a quick look at my status and to my surprise I was online playing Worms Armageddon. I logged in to my Xbox Live account to find out what was going on," hacked user Michael Adcock told us. "All of the Microsoft points that were stored in my XBL account had been spent on Prince of Persia: The Forgotten Sands and an in-game item for FIFA 12. Whoever spent my MS points had then tried to purchase 6,000 more. Lucky I was able to log in and change my Windows Live ID, bank account and email passwords before any more damage could be done."
Adcock's incident occurred on December 27 and his account is currently locked while Microsoft investigates.
Justin Heard is another victim, with $241 spent using the PayPal account tied to his Windows Live ID. "It seems the access point was through Microsoft's website, as Rift CE was purchased for Games for Windows and that can't be done on the Xbox 360," Heard said. He explained that the hackers purchased several point bundles and then a Family Gold package, which he believes was to transfer the points from his account to the new account.
Heard's account is also locked while Microsoft investigates.
"I can state we've not been made aware of anything like that either from users or PayPal to my knowledge -- a partner we work with closely," Xbox Live Director of Policy and Enforcement Stephen Toulouse told Shacknews. Heard had previously told site VGW that when he contacted PayPal, a representative told him the online banker had received 19 calls within the past hour about the issue. Toulouse dismissed that claim. "I just checked with a counterpart at PayPal who said they have no idea what that source is talking about."
"I got an email from Microsoft saying I had purchased 10,000 points. I immediately tried to get on my Xbox, and found that I couldn't sign in," another victim, Zackh Mackey, tells us. "I checked my credit information online, and sure enough, there were charges tied to the points. I called customer support and they locked my account for a month to investigate. This happened back in early November."
It took about 28 days before Mackey's account was investigated. He tells us his account was tied to Gmail and he used a credit card.
"Two months of [Xbox Live] Gold was credited by email and the money has been refunded to my credit card. No problems since, knock on wood."
The people we've spoken to don't feel they were victims of phishing or a social engineering scam to obtain their passwords. In some cases their Windows Live IDs were tied to email addresses they hadn't used in years.
"Enough people I know in the industry with good password discipline have been victims of some kind of hacking attack that I'm taking every precaution with my own account," said Ben Kuchera of Ars Technica, one of the first sites to report on the FIFA hack. "The easiest way to limit your exposure is to remove your credit cards and just use point cards for purchases and to pay for your account. It's slightly inconvenient, but I feel much safer."
We've been in contact with Microsoft regarding our Windows Live ID concerns, having asked directly if the system has been compromised and, for clarity, how the hack occurs.
"Windows Live ID was not compromised. The FIFA '12 and other similar incidents are cases of social engineering or phishing, which are industry wide problems. Microsoft constantly audits its systems and reviews its processes in an effort to help protect customers from such issues," a Microsoft spokesperson told us. "To help avoid becoming a victim of phishing, people can use the guidance found at the Microsoft Hotmail: Serious About Safety site. They can also visit the Windows Live Hotmail Help Center, if they believe their account was compromised."
At this point we feel comfortable in expressing that we can't explain exactly what's going on, but we are concerned. Changing your Windows Live ID and password would be prudent, as would disassociating any credit card or PayPal and relying on point cards instead.
We will continue to look into this. If you have more information to provide, please contact us.