Xbox Live 'FIFA hack' concerns continue to escalate, Microsoft states Windows Live ID not compromised

Additional reporting provided by Xav de Matos, Senior Editor for Shacknews.

Following an increasing occurrence of Xbox Live account hack reports, we are growing concerned over Microsoft's Windows Live ID system, the only layer of protection between a hacker gaining access to a person's Xbox Live account and their information. In our research, the only consistency we saw across users who were hacked was the general inconsistency of what email and payment method was used on their account. Hotmail, Gmail and school emails were used for their Windows Live ID, while payment methods used were credit cards and PayPal. Other than a compromised Windows Live ID, there wasn't a common thread we could identify.

It's been several months since we started following the "FIFA hack," a rather blunt scam that saw Xbox Live accounts drained so thieves could purchase in-game FIFA 12 'Ultimate Team' cards for use and sale. We have been tracking the FIFA issue and following up on other tips that weren't necessarily rooted in the FIFA hack, but related in that users saw exploitation of payment methods tied to their account. A recent Shacknews editorial detailed accounts compromised by the FIFA exploit.

"I was sitting on my couch watching ESPN on my daughter's Live account when the Xbox Live friends notification popped up and said that I had just signed in to XBL. I took a quick look at my status and to my surprise I was online playing Worms Armageddon. I logged in to my Xbox Live account to find out what was going on," hacked user Michael Adcock told us. "All of the Microsoft points that were stored in my XBL account had been spent on Prince of Persia: The Forgotten Sands and an in-game item for FIFA 12. Whoever spent my MS points had then tried to purchase 6,000 more. Lucky I was able to log in and change my Windows Live ID, bank account and email passwords before any more damage could be done."

Adcock's incident occurred on December 27 and his account is currently locked while Microsoft investigates.

Justin Heard is another victim, with $241 spent using the PayPal account tied to his Windows Live ID. "It seems the access point was through Microsoft's website, as Rift CE was purchased for Games for Windows and that can't be done on the Xbox 360," Heard said. He explained that the hackers purchased several point bundles and then a Family Gold package, which he believes was to transfer the points from his account to the new account.

Heard's account is also locked while Microsoft investigates.

"I can state we've not been made aware of anything like that either from users or PayPal to my knowledge -- a partner we work with closely," Xbox Live Director of Policy and Enforcement Stephen Toulouse told Shacknews. Heard had previously told site VGW that when he contacted PayPal, a representative told him the online banker had received 19 calls within the past hour about the issue. Toulouse dismissed that claim. "I just checked with a counterpart at PayPal who said they have no idea what that source is talking about."

"I got an email from Microsoft saying I had purchased 10,000 points. I immediately tried to get on my Xbox, and found that I couldn't sign in," another victim, Zackh Mackey, tells us. "I checked my credit information online, and sure enough, there were charges tied to the points. I called customer support and they locked my account for a month to investigate. This happened back in early November."

It took about 28 days before Mackey's account was investigated. He tells us his account was tied to Gmail and he used a credit card.

"Two months of [Xbox Live] Gold was credited by email and the money has been refunded to my credit card. No problems since, knock on wood."

The people we've spoken to don't feel they were victims of phishing or a social engineering scam to obtain their passwords. In some cases their Windows Live IDs were tied to email addresses they hadn't used in years.

"Enough people I know in the industry with good password discipline have been victims of some kind of hacking attack that I'm taking every precaution with my own account," expressed Ben Kuchera of Ars Technica, one of the first sites to report on the FIFA hack. "The easiest way to limit your exposure is to remove your credit cards and just use point cards for purchases and to pay for your account. It's slightly inconvenient, but I feel much safer."

We've been in contact with Microsoft regarding our Windows Live ID concerns, having asked directly if the system has been compromised and, for clarity, how the hack occurs.

"Windows Live ID was not compromised. The FIFA '12 and other similar incidents are cases of social engineering or phishing, which are industry wide problems. Microsoft constantly audits its systems and reviews its processes in an effort to help protect customers from such issues," a Microsoft spokesperson told us. "To help avoid becoming a victim of phishing, people can use the guidance found at the Microsoft Hotmail: Serious About Safety site. They can also visit the Windows Live Hotmail Help Center, if they believe their account was compromised."

At this point we feel comfortable in expressing that we can't explain exactly what's going on, but we are concerned. Changing your Windows Live ID and password would be prudent, as would disassociating any credit card or PayPal and relying on point cards instead.

We will continue to look into this. If you have more information to provide, please contact us.

[Pavel Ignatov via Shutterstock]

Reader Comments (161)

@jpatern21

Not going to post it all on here, but have a look at my GT (grex9101) on trueachievements.com . In summary, I was told my account had been suspended the first time I called. It hadn't. The tosser who hacked me had 2 hours to wreck more damage on my account before (by chance) i looked at my profile and realised the hacker was still playing FIFA on my GT.

My account was stolen as well about a week ago with the person buying over $100 worth of microsoft points to spend on Fifa, I've never used my Windows Live ID anywhere other than live.com and don't have any other accounts associated with my email and password. At the moment I'm stuck using a temporary account while Microsoft 'investigates' on my currently locked account. It figures that when I finally have time before my next semester starts that I now have zero progress in games I usually play.

This is freaking ridiculous. I haven't been affected by this(yet, it seems), and my SO has a credit card on her account and we're using the family plan. Looks like we're going to have to fix her info primarily, and I just got done fixing mine. We're going to be removing all payment info from her account, mine's been gone for a long time.

Some MAJOR problems(no pun intended) are on their Live site already. These problems sum up to one thing- they are not requiring email confirmation to change your sign-in email at the very least. It's not a lot, but without that small measure in place, the hacking is pretty much easy. If they have your original email and password, they can change both continuously. If they can't change the email, you at least have something small to fight with. You could get the password changed since they couldn't change an ID so easily, etc. It wouldn't prevent exploits, but it'd help a bit. It's disturbing to know that MS is using less secure measures than Nexon(Maplestory).

Two, not that there's a point with how easily info can be changed on the Live site at this moment, but Gmail two-step verification. You can use an iPod Touch, smartphone, or just a regular SMS message(text) to phone authenticator to get into your email account. It's essential in my opinion- especially considering that email loss is one of the oldest exploits that has never really gone away.

I'd make a unique gmail, and use that as a log-in. Before even associating it with the account, make sure it has two-step verification on it from Google. That's what I did, especially since no one seems to know exactly what's going on here. It could have been a table database leak for all Microsoft is helping(aka, their joke of action in this situation).

This is also truly disgusting. Under rug swept is not what this situation should be. Sony took a week to come out and say they've had a problem- this has been apparently happening to people for months, and MS won't own up to the problem. People who barely even use Live to do anything besides chat with a couple friends are being hit with this, and no, social engineering isn't going to explain this wide of scope hacking. It could be EA at this point, but I think it could definitely also be MS since not everyone being hacked has ever even played an EA title online.

Microsoft needs to just come forward, and say they're in trouble. Easy as that- blaming customers is the last thing they need to be doing. Their joke of a TOS about "lol please dunt sueee ussss" wouldn't hold anything in court- it's real cute, but people losing hundreds of dollars in damages from a lack of company security is going to take a priority there. They should have learned from the PSN situation that ignorance of responsibility doesn't quite work that way.

Personally, if this issue is not acknowledged and/or resolved in a month, Microsoft can consider a lost customer for good. Until then, I won't be buying any sort of MS points.

Update ---
I filed my fraud complaint Wednesday night. They hit up my CC for 10k points and used those along with my 7600 points to buy Fifa crap. The girl that took my claim said my account would be locked and suspended for up to 25 days while they investigate. She mentioned a token being sent out so I can play xbox on another account while mine is locked.

Today I call to check on status since I never received any email confirmation of my complaint. I spoke to a guy named Jason. He said the girl setup the complaint correctly. I told him that I could still get on my account and was concerned that someone else could get on and do the same thing again. He looked deeper and said that my account was supposed to be suspended as well for the investigation. He went ahead and suspended my account today. I will check when I get home after work to see if I can log in. He said I won't receive an email from them until it's assigned to an investigator and that's also the time a token is sent out. So I guess it could take a while just to get a token. He looked in his system and said the current "time to process" these claims are approximately 15-20 days depending on complexity. I told him I hope this doesn't drag on for months as some have claimed online. His reply was don't believe everything you read online. Fair enough. He just told me to call back around the end of the month if I haven't heard anything yet. I guess I'll live on the PS3 while this plays out. He did mention that it's usually faster for the investigation to complete and get the CC charges back but it takes some more time to get my points back that were already there. I'm not sure why that is but will discuss it with the investigator should I get the chance.

@Protege420

Microsoft just withdrew 81 bucks from Susan's account.

I got hit with this a couple weeks ago. As soon as I found out, I put in a dispute with Paypal, and called Microsoft. Unfortunately, the Microsoft rep didn't put a lock on my account right then. I had to call them back again to ask for my account to be rolled back. It's still in the process. I'm going to be mad if I miss FFXIII-2 launch. -_-

I feel for Live users.

Whether it's the PSN getting hacked or Xbox Live, it's no fun either way having to deal with having personal account info hijacked. Frankly it's a big nuisance.

Like I said before, best deterrent to discourage would be console hackers is the threat of getting their balls cut off.

Just been hacked, thursday 10,000 pts put on my account and used for Fifa gold packs ect. The scum even logged on as me and entered my wifes xbox party!!!! luckily enough i was on the phone to MS as it happened reporting the FIFA card packs on my history (had reported hack earlier and was updating them). The agent put me on hold and froze account kicking my wife off live too (family gold membership). When he came back i was told the xbox he was on is banned from live now, and there tracking his IP! I also took the chance to pass comment to the scum bag, and pass on my thoughts of his lifestyle!! At least i felt a little better after lol

The hackers got me as well. I had at least 1000 gamerpoints, drained down to 20. Plus FIFA 12 shows up in my recently played games list and I have 2 achievements on it. I've never played a FIFA game for years and no-one in my family owns the game.

Happened on 31st Jan but only noticed it today since I haven't been on in so long.

I just bought a new xbox and saw that I got hacked on january 15th. I lost over 1600 points

FIFA Soccer 12

Xbox Live 'FIFA hack' concerns continue to escalate, Microsoft states Windows Live ID not compromised

Reader Comments (161)

Posted: Jan 5th 2012 3:19PM (Unverified) said

Posted: Jan 5th 2012 3:45PM justking said

Posted: Jan 5th 2012 6:44PM OrangeGamer said

Posted: Jan 6th 2012 2:21PM jpatern21 said

Posted: Jan 6th 2012 4:41PM Protege420 said

Posted: Jan 8th 2012 5:07PM mahouneko said

Posted: Jan 10th 2012 4:25PM chibiachika said

Posted: Jan 16th 2012 1:41PM kentuckyfried said

Posted: Feb 11th 2012 4:04PM Thunderguts said

Posted: Feb 18th 2012 7:30PM Land0fChocolate said

Posted: Mar 21st 2012 5:06PM jesse53 said

FIFA Soccer 12 Info

Description

MSRP

Release Date

Genre

Developer

Publisher

Rating

Breaking News

WB conjures up Harry Potter for Kinect this fall

Featured Stories

Stiq Figures, May 14 - 20: He's heating up edition

The Joystiq Indie Pitch: Ballin

Weekly Webcomic Wrapup is a stranger in a strange land

Engadget

TUAW

Massively

WoW