back to article No Xbox Live hack say insiders

Microsoft sources have denied a claim that Xbox Live has been hacked, stating instead that gamers said to have had up to £100 lifted from their accounts were victims of phishing scams. Allegations that cyber criminals have "hacked into thousands of Xbox Live accounts to steal millions of pounds" in the UK were made by The Sun …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    On a similar theme ....

    My lad got very into an online (not XBox) RPG, and found a website where you could "buy" (with *real* money) "gold" for use in said game. There was an online outfit with an obvious domain name where you paid up via paypal, and then they went "in game" and traded the gold with you. Which seemed distinctly whiffy to me - quite against the games T&Cs, although I was surprised they hadn't contested the sites domain name. Anyway, son asked me to cough up - I took his money and warned him no good would come of it. He got his gold, and a few hours later, his account was hacked, and all his gold and "stuff" had gone.

    I can only presume that this outfit paid (peanuts) to gamers who built up the gold, for them to sell - against the main sites T&Cs, so anyone dealing with them risked their account anyway.

  2. Spearchucker Jones
    WTF?

    Seriously?!?

    "At the moment gamers aren't being properly authenticated when they log on as gaming companies continue to use static passwords."

    User name and password wouldn't be proper authentication - if your business is selling smart cards.

    Oh, I know - let's spend £10 protecting an asset worth £1.

    Idiot.

  3. Anonymous Coward
    FAIL

    Hacked

    Well I know someone who logged on yesterday to find all his Xbox points had been spent. Microsoft were initially very unhelpful although quickly woke up to the fact there was some fury on Twitter at their rubbish response.

  4. Anonymous Coward
    Anonymous Coward

    Had mine hacked.

    But I tracked this back to a hack of the customer DB from code masters, hacked by LuSec who had published the DB online, and I had been stupid and used the same user name and password for my xBox live account.

  5. Drefsab

    No hack my arse

    I had a notification that someone tried to by points on my xbox live account. Thankfully the payment failed as the card linked to the account had expired. I've not used the account in year, it has a separate username and password to others I use online, I never provide those details to any other place so it wasn't phished etc.

    I tried to report it to microsoft and they just didnt give a damn or care, the few times I managed to get my email read by a person or speak to a human on the phone their response was basically well your card was declined so whats the problem, do you want to give upto date card details... hell no. At no point did they want to look into who had tried to buy stuff on my account, god forbid they try and track down those trying to steal from and most likely other customers.

    Just one more reason I dont and wont use xbox live.

  6. Tsung
    FAIL

    Single Sign In.

    For me this is the problem, Microsoft wants me to use the same login for Xbox live, Messenger, Microsoft sites and PC Games (GFLW). I'm sure I've seen sites that are not microsoft which ask for your xbox logins (eg. 360voice.com).

    With so many different sites all asking for the same login information which has to be the same across the board, I'm not surprised if one service gets comprised. Log into messenger on your mobile phone using a 3rd party app and you have no idea if the developers have stolen your details "for sale" later on?

    I generally have several Microsoft accounts and keep my xbox login separate from my PC one. Microsoft might not like it, but tough, give me better account controls / security and then I might only use one sign in.

  7. pete45

    SiteAdvisor

    A good way to avoid phishing is to install something like SiteAdvisor, a secure toolbar addon for IE or Firefox that rates sites and warns of any problems such as dodgy downloads, malware and phishinh so that you never visit them. Also create a email account using yahoo, gmail or whatever, which you can use to sign in to suspect sites and not give anything vital awaay

    See http://www.siteadvisor.com/

  8. CowardlyAndrew
    Windows

    I guess the safest way is to have no credit card linked with the XBox live account, and only buy the points card in the high street.

    Then all that is at risk is a points balance of perhaps 1000 or so, i.e. don't keep 100,000 points in the wallet.

    1. Sir Runcible Spoon
      Thumb Up

      Sir

      This is exactly what I have done ever since M$ refused to remove my credit card details from the account. I had to wait until the card expired, then just never associated another one.

      I purchase points online from reputable sellers to cover what I need to buy, they send me the code via email which I redeem through my xbox live account. Then I buy what I need, usually leaving around 2-300 points in the account.

  9. Anonymous Coward
    Anonymous Coward

    Well I got an email last night that I'd just 'bought' 2000 ms points, which was odd.. as my xbox wasn't on and I was watching TV. Then minutes later an email saying I'd added an '@163.com' email address as an alternative address to be contactable on.

    So a quick visit online, reset my password & security question for my account and phoned MS Support. Got put through to a very helpful customer service operative that confirmed the points were bought and that I'd have to get my account locked out for up to 25 days while the Fraud Investigation team looked at it.

    As a vaguely tech savvy person I've not been stupid enough to click on any random emails or enter my details anywhere apart from official MS sites. So I've not had my details phished.. this leaves only two options to my mind.. that either my account was brute forced or a database has been compromised (and they've been stupid enough to leave passwords unencrypted somewhere in there). My password wasn't a dictionary word, and contained lower/uppercase letters and numbers so definitely not something guessable.

    Moral of the story.. someone, somewhere has screwed up badly. And as the affected customers we're left without Xbox Live for upto 25 days, and the money they spent on points won't be refunded until they've finished investigating.

    Thank god for Skyrim being an offline game!

  10. Mike Judge
    Mushroom

    Something fishy here. Microsoft covering up?

    I had my account emptied too.

    I havn't clicked any scam links and the username and password are unique to Xbox Live, so there is no risk of it being obtained from elsewhere.

    This sounds like a hack to me, but it's conveniently being blamed on phishing. Something stinks at Redmond on this one.

  11. roselan
    FAIL

    liars!

    Nearly 2 years my xbox is well, in a box. Tag name, address, and password are unique to the xbox. I mean, I did forget about it.

    So I was quite surprised when my phone bipped in excitement 7 time in a row. I was Like what the hell is this is address? It doesn't belong to me! So the next two seconds I imagined It was my phone mail app that had been hacked, or aliens, a super IA (puppet master like) pranking me, etc... But when the messages said I bought something on the live thing, I got quite suspicious. I mean the messages themselves were surely phishing attempts, right?

    That was Saturday night, so I called Visa. They confirmed the transactions and blocked my credit card. Next day I contacted xbox call center, and (after 40 minutes of waiting), they confirmed the hacking of the live account, and blocked it.

    I don't know if I can access it since the xbox still in it's box.

    Phishing scam? right! I use a scam bucket address since 96, before phishing really existed, and that was actually my very first "online" email address (yeah I'm that paranoiac) .

    I mean how can it be phishing when the xbox live email account received exactly *zero* email (before the ones confirming the transactions) ?

This topic is closed for new posts.

Other stories you might like