Xbox Live Account hacked - anyone else had any experience?

halvorsb

Long story short - going to bed on July 3rd and I'm doing my last email check before plugging in my phone to find an email confirmation for a purchase of 6000 MS points on my live account. Interesting, don't remember doing that. I have 9 year old twin boys in the house, so it's possible that they made the purchase in error.

Went downstairs, pulled up live.xbox.com and couldn't log in - my password had been changed. Uh oh, immediately thought my account had been hacked. Called 1-800-4-MYXBOX to see what I could do to get my account back. I was told at the time that they could do one of two things (a) basically recover my account and I'd be out the purchased points or (b) do an investigation that would take 7-10 days and they would likely be able to credit my account back the points. I opted for (b) to have them investigate rather than filing a dispute with my credit card company. They advised my account would immediately be locked and no one would be able to access it.

Fast forward to Wednesday 7/6, a friend lets me know that it looked like I was online playing Bully, some D&D game and Gears 2 that Tuesday night. Called MS and they said "oops, looks like we forgot to lock the account..." and another purchase was made. They did mention that the investigation was ongoing but should be resolved "shortly".

I called yesterday, 13 days into the process and was told that the investigation is still ongoing! I asked how long it can take, she says "7-10 days..." I mentioned that we were already on day 13, so clearly they were going to be going over that time frame.

Has anyone else been through anything similar? What should I be expecting from a timeframe? I really don't care too much how I get reimbursed for the points (I can just as easily file through my credit card company and still be on live) but it just seemed like the right thing to do to let MS investigate.

The worst part for me is that I have no idea how the account was hacked - I didn't have any weird "phishing" or anything out of the ordinary happen recently. Once the investigation is done, I'm going to go through the process of changing my live sign-on email and the password...not sure what else can be done to prevent these kinds of things from happening in the future.

Just looking to hear what other people have experienced!
 
I don't have any experience with getting hacked but I do work in the IT Security field so I can offer possible speculation as to how it may have happened. They probably somehow got a hold of your email address and guessed your password or both. The person probably isn't very smart and probably got your information pretty easily if they were stupid enough to be playing games on your account as well.

For example my email address is the same as my XBL gamertag so that's not hard to guess, but I don't have anything sensitive attached to my account so it's not a big deal.

Or you could just have been a victim of a brute force attack, there's a lot of easily obtainable password crackers on the web that script kiddies can use, it's not surprising they were playing games on your account.

I'd avoid passwords with the following:


  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Sorry I can't offer any insight on the investigation process but good luck though.
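
The avoid-list in the post above can be turned into a local check to run before setting a new password. This is an added example, not part of the original post; the function names, reason labels and sample values are constructed, and it generalizes item 1 from "followed by a 0 or 1" to any trailing digits.

```python
import re
from datetime import date

# Words and digit runs the post lists verbatim.
COMMON_WORDS = {"password", "god", "letmein", "money", "love"}
DIGIT_RUNS = {"123", "1234", "123456"}

def dob_variants(d):
    """Usual ways a birth date is typed as digits (an assumed set, not exhaustive)."""
    y, yy = f"{d.year}", f"{d.year % 100:02d}"
    m, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {m + dd + y, dd + m + y, y + m + dd, m + dd + yy, dd + m + yy, m + dd, y}

def weak_reasons(password, personal=(), ssn_last4=None, birthdates=()):
    """Return the avoid-list categories this password falls into.

    personal   -- names of partner/children/pets, city, college, team (items 1 and 5)
    ssn_last4  -- last four SSN digits as a string (item 2)
    birthdates -- datetime.date values for you and your family (item 6)
    """
    pw = password.lower()
    stem = pw.rstrip("0123456789")    # text before any trailing digits
    suffix = pw[len(stem):]           # the trailing digits, possibly empty
    digits = re.sub(r"\D", "", pw)    # every digit, separators removed
    reasons = []
    if stem and stem in {p.lower() for p in personal}:
        reasons.append("personal word")
    if stem in COMMON_WORDS:
        reasons.append("common word")
    if pw in DIGIT_RUNS:
        reasons.append("digit run")
    if ssn_last4 and suffix == ssn_last4:
        reasons.append("ssn last 4")
    if digits and any(digits in dob_variants(d) for d in birthdates):
        reasons.append("date of birth")
    return reasons

if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Rex1", "letmein", "07/03/2002", "v9#Tq2!mLx0p"):
        print(candidate, weak_reasons(candidate, personal=["Rex"],
                                      birthdates=[date(2002, 7, 3)]))
```

An empty result only means the password avoids the patterns in this list; it does not detect a password reused from another service.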
 
I actually had this happen to me about 2 and a half weeks before you did. I did the same thing, called xbox support and they got the investigation started.

The thing they didn't tell me was they won't refund the money, only the Microsoft points. You have to go through your bank to get your money back.

Also, change your windows live ID ASAP as it looks like you're already planning, and change the password too. I don't know why it's taking them so long, but maybe a lot of people have been hacked lately (seems like it) so they have a bigger work load than normal.

Hope this helps and I'm sorry about your unfortunate circumstance!
 
Interesting. I had a feeling it was kids just hacking to get access to my games and buy more. The fact that they only made two point purchases and haven't used the credit card for any non-live purchases helps me feel a little better.

I don't think it's a situation where they could have guessed my password, it followed all the appropriate guidelines and wasn't anything like hustletron noted above.

The whole thing is just frustrating!
 
Finally got some resolution - called yesterday and was told "minimum of 11 business days" despite being told 7-10 days numerous times.

Today is business day #11 - got an email this afternoon that they found the purchases were made when I wasn't in control and gave me instructions on how to recover the account/change the windows live ID and password. Took care of all of that and then did a profile recovery - all seems good.

They did a full refund on my credit card of the charges, didn't just get the points back like a prior post mentioned.

What's interesting though is that the games that were purchased by the hacker are still in my purchase history so I can re-download them - I figured MS would have taken those purchases out of my purchase history!
 
Was your email and password the same as PSN?

Maybe your PSN info got stolen then they used it to log into live.

Or if you have a short easy password then maybe someone brute forced their way in.
 
[quote name='halvorsb']Long story short - going to bed on July 3rd and I'm doing my last email check before plugging in my phone to find an email confirmation for a purchase of 6000 MS points on my live account. Interesting, don't remember doing that. I have 9 year old twin boys in the house, so it's possible that they made the purchase in error.

Went downstairs, pulled up live.xbox.com and couldn't log in - my password had been changed. Uh oh, immediately thought my account had been hacked. Called 1-800-4-MYXBOX to see what I could do to get my account back. I was told at the time that they could do one of two things (a) basically recover my account and I'd be out the purchased points or (b) do an investigation that would take 7-10 days and they would likely be able to credit my account back the points. I opted for (b) to have them investigate rather than filing a dispute with my credit card company. They advised my account would immediately be locked and no one would be able to access it.

Fast forward to Wednesday 7/6, a friend lets me know that it looked like I was online playing Bully, some D&D game and Gears 2 that Tuesday night. Called MS and they said "oops, looks like we forgot to lock the account..." and another purchase was made. They did mention that the investigation was ongoing but should be resolved "shortly".

I called yesterday, 13 days into the process and was told that the investigation is still ongoing! I asked how long it can take, she says "7-10 days..." I mentioned that we were already on day 13, so clearly they were going to be going over that time frame.

Has anyone else been through anything similar? What should I be expecting from a timeframe? I really don't care too much how I get reimbursed for the points (I can just as easily file through my credit card company and still be on live) but it just seemed like the right thing to do to let MS investigate.

The worst part for me is that I have no idea how the account was hacked - I didn't have any weird "phishing" or anything out of the ordinary happen recently. Once the investigation is done, I'm going to go through the process of changing my live sign-on email and the password...not sure what else can be done to prevent these kinds of things from happening in the future.

Just looking to hear what other people have experienced![/QUOTE]

A good friend (and occasional CAGer) had the same exact situation happen to him. He had a pretty obscure password and we couldn't think of anyone in his apt that would have incentive/knowledge to get into his account. One day he's checking his email and the same thing happened - a ton of purchases were made. The hacker purchased a family gold pack, transferred the account and then bought like $50-100 worth of MS points. I'm pretty sure that he wound up being temporarily out ~$200.

Thankfully, after about two weeks or so, Microsoft was able to sort things out, refund all his money, and reinstate his account. He wound up making a password that is random numbers and letters, and so far so good.

You should be totally fine in the end, but he did say it was a nightmare to go through, especially since that was a somewhat significant amount of money to be tied up.
 
I got hacked today too. My friend got hacked 2 weeks ago as well. I don't know how they even did it. I've never done anything weird with my Xbox account and haven't even used my Xbox or the website in like a month. They bought 6000 MS points and a 12 month live subscription. I called Xbox and they're investigating it for up to 7 days. fucking bastard hackers.
 
[quote name='tcrash247']I got hacked today too. My friend got hacked 2 weeks ago as well. I don't know how they even did it. I've never done anything weird with my Xbox account and haven't even used my Xbox or the website in like a month. They bought 6000 MS points and a 12 month live subscription. I called Xbox and they're investigating it for up to 7 days. fucking bastard hackers.[/QUOTE]

Yeah...hackers...right...
 
[quote name='dotCody']Yeah...hackers...right...[/QUOTE]

You're right, I put all my info all over the internetz and on a poster in the subway. Eat my asshole.
 
[quote name='The Holy Pretzle']Try checking this list. Not sure how accurate it is or whatever, or if it still works, but it's worth checking.


http://gizmodo.com/5812545/find-out-if-your-passwords-were-leaked-by-lulzsec-right-here[/QUOTE]


Not sure how accurate this is. I'd fathom not very but what do I know.

Against my better judgement, I entered my own emails and of course nothing came back, I also tried some generic, or my opinion of what generic would be, email address i.e. jsmith@gmail/hotmail/live/yahoo.com, johnsmith, rdavis, raydavis, etc etc and all came back "not released to the public".

Like I said though, there are a lot of resources on the web for people with enough time to piss someone off, there are script kiddies aplenty on the web these days and Google makes everything obtainable within seconds.

I just assume there's people in the world that have everyone's information already, but one thing I'd suggest is get your credit card removed from your XBL account when you get a chance.

EDIT: Somewhat relevant, my boss sent this around late last night. http://www.foxnews.com/scitech/2011/07/19/exclusive-fbi-search-warrants-nationwide-hunt-anonymous/
 
[quote name='hustletron']I just assume there's people in the world that have everyones information already, but one thing I'd suggest is get your credit card removed from your XBL account when you get a chance.[/QUOTE]

I tried doing that when I called Microsoft last night but they said I was in a billing cycle for Live and couldn't remove my credit card at this time. Ridiculous.
 
I have a friend who had an account hacked. His story, unfortunately, did not end as well as the others. He first noticed lots of purchases being made on his account, and then I noticed that his account was gone. Essentially they bought lots of stuff and transferred it to another account, then deleted his old one. He called Microsoft, who promised to sort it out, but it took them forever since whoever hacked it did a good job. They tried and tried to get him his original gamertag back, with achievements and save files, but it never worked. Eventually (like three months after the initial process) they gave him a new account, meaning he had to start over in all games, achievements, etc. He got all of his XBLA games back, but it still really sucked.

Hopefully you won't end up like my friend, but his seems like a nightmare scenario!
 
I had mine hacked a couple months ago. I started receiving a bunch of “Thank you for purchasing Microsoft Points” messages while I was at breakfast, and I knew it wasn’t me. When I got back to my place I was able to log in to my account and see that the person had spent all the points I had in my account, and they bought $100 more in points and purchased a ton of FIFA content. I was able to change my password (I’m not sure why they didn’t change this first) and get control of my account back. Besides the FIFA content, they deleted all my friends.

Now two months later Microsoft is still “investigating”. They already closed the first investigation, and concluded that they would refund me $100 but mentioned nothing of refunding the 2300+ points that I had in my account before. Unfortunately they only refunded $20 of the $100. They made me wait 30 days to make sure that the remaining amount didn’t come through, and that has come and gone, but I’m still out $80 until they finish the follow up investigation. I was told the follow up investigation was supposed to be faster because it was escalated, but it seems slower than the first. They do call me every week to let me know there has been no progress.

The only odd thing that occurred prior to this was a few months back I received a strange thank you email for downloading or registering Age of Empires III. I bought the game during the $0.99 promotion last year, but I never actually downloaded or played it, although I’m sure it is tied to my Windows Live Account. I don’t think it was a phishing email, I think somebody actually activated it.

I also know that an old roommate's Hotmail account was hacked, I get a lot of spam messages from it, but I never open them. I think he abandoned it a long time ago. I’m thinking Microsoft was hacked, either through Windows Live, Hotmail or somewhere. This is just too common a scenario for them to have cracked people with simple Xbox Live passwords, or a phishing email or site. There must be an exploit of some sort on one of Microsoft’s sites.
 