(Upd: Geoff Keighley haxd) Hijacked Xbox LIVE accounts not phished insists users

And finally an outlet bothers listening to what they have to say instead of purely acting as a megaphone for Microsoft PR.

Thank you The Guardian and Steve Boxer.

This outbreak of Xbox Live users being scammed has been widely reported as an instance of phishing – where hackers con people into giving away their account details – most notably on the front page of the Sun. But anecdotal evidence from games forums makes it clear that these are not simple cases of phishing.

There is no question that phishing scams targeting Xbox Live accounts are rife: their typical modus operandi involves setting up official-looking websites which purport to be giving away free Microsoft Points, but insist on users inputting their details before they do so. But the nature of the scam dictates that people know when they have been phished, and this particular outbreak only came to light when Xbox Live users scrutinised their bank and credit card statements, not when they snapped up free Microsoft Points. So it is clearly a sophisticated and more sinister new form of phishing – closer to hacking – in which people's crucial account details have been obtained not from them but from a third party.

It's easy to see why the scammers opted to purchase Ultimate Team Packs from EA Sports using their ill-gotten gains: they present the ideal means of turning virtual money into real money. FIFA Ultimate Team, for example, is a fantasy league-****extension for FIFA 12, in which players seek to build teams made from the world's best players, and player cards are traded more or less like Top Trumps, with real money changing hands. Clearly, EA Sports has no means of tracking such transactions, otherwise it would be easy to identify the scammers. We have asked the company whether it will introduce any such transaction-tracking in the future. Given that the company has actually profited unwittingly from this scam, it clearly has an obligation to embark on a full and frank inquiry into what happened.

There have been allegations on various online gaming forums and blogs which, it must be emphasised, remain completely unproven at this stage, suggesting that Xbox Live user account details may have been obtained from EA Sports' online gaming services, which form an extra layer on top of Xbox Live, since EA Sports charges for some services over and above the Xbox Live subscription.The Guardian

Microsoft clearly needs to look at how easy it is for third parties to make fraudulent transactions on its customers' payment accounts, armed only with their Xbox Live login data. And EA Sports needs to take a long, hard look at whether its downloadable content business is putting profit before security – we wouldn't recommend going anywhere near its Ultimate Team Packs until it has, at the very least, put in place a means of tracking transactions that arise from them. If EA Sports turns out to have been the victim of either large-scale phishing or hacking, it needs to come clean, compensate the unwitting victims and make sure nothing similar happens in the future. Otherwise its website will become the exclusive preserve of criminals.The Guardian

How do you feel Microsoft is handling the situation?

This has been going on for months.
Microsoft shuts your account down for upwards of a month, sometimes longer.

I will reiterate from other posts I've made in threads about this that regardless of anything else, the most important thing for Microsoft to do here is to implement a two-step authentication system. It is such an obvious move to make. For one thing it would keep users safe from the phishing Microsoft claims this to be. But that is evidently not a priority to Microsoft. Instead they're boasting about how great they are at security and shifting blame onto users. Meanwhile people keep getting their accounts and money stolen.

Bet EA loves getting all that illegal moneys. They certainly don't seem in a hurry of doing anything about it.

UPDATE
Geoff Keighley insists getting hacked is fun

twitter.com/geoffkeighley

lol of course they dont want to look like idiots by admitting they clicked a link or something else...untill hard evidence is brought forward that a hack has taken place all we have are hackees claiming they didn't fall to phishing scams.

I have no idea what to say about this. I had $50 taken out of an account I hadn't used in months and MS wants to do some "investigation" instead of giving me my money back. I didn't give away any personal information. I'm not sure if this is what they're talking about or not but if it is, yes they seem incompetent to me.

I feel their pain.

My Battle.net account or whatever they call it now, got hacked 3 times I think, and I never got phished either. I do get regular emails that I can buy authenticators so I guess that means they won't up their security to stop this.
I even changed the email address and the password several times.

They have to change the password through my email to which they are unlikely to have access or even know which one I use.
I have scanned for keyloggers, and it happened right after I got this new PC too.
So I am 99% sure that it is an inside job at Blizzard. It started since the day the Blizzard accounts merged into one.

Go online and it's 'you got phished'. Like whatever man. I've been using the PC before internet even got mainstream, I know what I'm doing in terms of e-mail and checking URL's and whatnot.

If these people are not being phished, then more than likely they are using the same username / password on other website. which were hacked.

For example I use the same username / password combo on Yahoo as Hotmail..my yahoo account is hacked. How hard is it for the hacker to try the same combo on another site? This just happened to a bunch of PSN users a few weeks back. Their username / password were hacked on another site, and someone gained access to their PSN accounts. Sony caught it before it went too far though.

That's why my Live and PSN passwords are different than any other sites. I also don't keep credit card info on either site after the PSN fiasco.

There is many different ways this could have happened other than entering details into a phising scam. Is it possible thatsome users may have malware or a keylogger installed on their PC? It is also possible that these people have bought the items themselves, the younger gamersusing a parents credit card and when pulled up have denied doing so. Left there account details on a friends Xbox? Maybe Xbox has been hacked, perhaps they use the same details on another site that has been hacked!

Not all Live hijacks have the same singular cause, but there is clearly a primary one responsible for the recent influx in reports of them. Microsoft says "a number of Xbox LIVE members appear to have recently been victim of malicious 'phishing' scams".
(Which in case it needs mentioning, is noncommittal and not a confirmation. Also in case it needs mentioning, I'm not saying Xbox Live has been hacked.)

Microsoft in the same statement also implies that they're on top of online safety and customer care in relation to this issue. Which you know...if that was the case investigations would not require accounts to be locked down for 4+ weeks, and Microsoft would, in the face of this increase of account hijacks, express an interest in keeping accounts safe by implementing two-step authentication. Both of these points should be addressed but haven't been.

And phishing scams happen all the time right? So why is it that after nine years of Xbox Live, this is the first instance of phishing to result in account hijacks being reported this widely?

Keeping that in mind, as well as how Microsoft handled the RROD situation, of which this is very deja vu, I opt to believe users over Microsoft.
I really don't know why anyone would trust Microsoft at this point. They've proven they'll keep denying issues up to the absolute breaking point.

There is many different ways this could have happened other than entering details into a phising scam. Is it possible thatsome users may have malware or a keylogger installed on their PC? It is also possible that these people have bought the items themselves, the younger gamersusing a parents credit card and when pulled up have denied doing so. Left there account details on a friends Xbox? Maybe Xbox has been hacked, perhaps they use the same details on another site that has been hacked!

ccagracing

The most compelling theory I've heard is that it isn't phishing, but that the hackers are using the emails and passwords from a different hacked database to get into the accounts of people too stupid to not reuse passwords. It would explain why there's so much noise about there being an issue (a significant number of people have been hacked) while MS/EA aren't taking any action (there aren't any systemic issues, and unless the hacked database was huge there aren't enough accounts at risk to bother with forcing everyone to reset their passwords).

Geoff Keighley got one of his accounts hijacked. Bad for him, good for us, as this ought to increase awareness, pressure and all that.

The most compelling theory I've heard is that it isn't phishing, but that the hackers are using the emails and passwords from a different hacked database to get into the accounts of people too stupid to not reuse passwords. It would explain why there's so much noise about there being an issue (a significant number of people have been hacked) while MS/EA aren't taking any action (there aren't any systemic issues, and unless the hacked database was huge there aren't enough accounts at risk to bother with forcing everyone to reset their passwords).

PBSnipes

When setting up an EA account from your 360 I'm pretty sure it automatically uses the same password as your Live account. Maybe someone can confirm that. But if that's the case, when EA and Bioware got hit earlier this year, it would come to people's mind to change the passwords of their EA accounts, not their Live accounts.

The most compelling theory I've heard is that it isn't phishing, but that the hackers are using the emails and passwords from a different hacked database to get into the accounts of people too stupid to not reuse passwords. It would explain why there's so much noise about there being an issue (a significant number of people have been hacked) while MS/EA aren't taking any action (there aren't any systemic issues, and unless the hacked database was huge there aren't enough accounts at risk to bother with forcing everyone to reset their passwords).

PBSnipes

Dude, let it go.

Every time I come to one of these threads, I say the same thing. First off, the reasons I don't believe I was phished because... 1) I haven't used my Xbox in months. 2) I haven't used XBL for nearly a year 3) I've known and been aware of phishing before the Xbox 360 was even released. I didn't even know the password to the account, and was unable to provide it when calling in to report the $160 worth of XBL purchased by the account thieves. This happened about three months ago, which at the time there were many reports of account hackings popping up around the forum. Phishing scams have been around for a long time. It doesn't really explain why all of sudden dozens of people on various forums are reporting their being accounts being hacked, especially considering I haven't heard many complaints of account hackings before a few months ago.KHAndAnime

[QUOTE="KHAndAnime"]Every time I come to one of these threads, I say the same thing. First off, the reasons I don't believe I was phished because... 1) I haven't used my Xbox in months. 2) I haven't used XBL for nearly a year 3) I've known and been aware of phishing before the Xbox 360 was even released. I didn't even know the password to the account, and was unable to provide it when calling in to report the $160 worth of XBL purchased by the account thieves. This happened about three months ago, which at the time there were many reports of account hackings popping up around the forum. Phishing scams have been around for a long time. It doesn't really explain why all of sudden dozens of people on various forums are reporting their being accounts being hacked, especially considering I haven't heard many complaints of account hackings before a few months ago.heretrix

Maybe he wasn't phished; maybe he just was using password123. Hey, it has letters and numbers, that means it's unbreakable right? ;)

[QUOTE="heretrix"]

[QUOTE="KHAndAnime"]Every time I come to one of these threads, I say the same thing. First off, the reasons I don't believe I was phished because... 1) I haven't used my Xbox in months. 2) I haven't used XBL for nearly a year 3) I've known and been aware of phishing before the Xbox 360 was even released. I didn't even know the password to the account, and was unable to provide it when calling in to report the $160 worth of XBL purchased by the account thieves. This happened about three months ago, which at the time there were many reports of account hackings popping up around the forum. Phishing scams have been around for a long time. It doesn't really explain why all of sudden dozens of people on various forums are reporting their being accounts being hacked, especially considering I haven't heard many complaints of account hackings before a few months ago.McStrongfast

That is EXACTLY what happened to me. Account locked for 25 days while they conduct their little investigation. I told them I would never own a MS console again. It absolutely infuriated me.

Glad I got my details off of XBL a while back. If they ever hack Steam comprehensively then I'm f***ed.

Maybe he wasn't phished; maybe he just was using password123. Hey, it has letters and numbers, that means it's unbreakable right? ;)

garrett_daniels

Good luck cracking that!

maybe geoff shouldn't have clicked that link in his email and put in his user name and password at the prompt?

Wasn't that your initial play on all of this?

If they weren't phished or hacked then what is happening?

heretrix

That is the question. Hopefully journalists will start asking it and other relevant questions to relevant people so we may eventually get a concrete answer. Oh, and a solution or two.

I expected this. Now that MW3 is out you gotta have dem prestige lobbies ;)

maybe geoff shouldn't have clicked that link in his email and put in his user name and password at the prompt?

WilliamRLBaker

God this frustrates me. This isn't happening do to poor judgement. Haven't touched my Xbox in 6 months and I got hacked. Now they're conducting an investigation on my account.

I've given out way more info than I should on PSN but the Xbox that I never use, that's not hooked up to the internet, that sends me emails that I don't click, that I never share with anyone, was the one that gets hacked. This is not the fault of the users, this is MS's problem to fix.

25 days?! That's a long time to "conduct an investigation". I feel like it's probably phishing, now that MW3 is out; but who knows?

25 days?! That's a long time to "conduct an investigation". I feel like it's probably phishing, now that MW3 is out; but who knows?

Shadow4020

I can 100% assure you that it was not phishing and yes, 25 days is a long time. I was furious and I don't even use my Xbox.

Wow, sucks to be him no more MW3 till christmas

maybe geoff shouldn't have clicked that link in his email and put in his user name and password at the prompt?

WilliamRLBaker

I love how since the PSN hack debacle earlier this year there has CONSTANTLY been accusations of XBL being hacked and despite Mirosoft finding NO evidence of haking on the network, people keep insisting ZOMG XBL BEEN HACKED!!!

[QUOTE="WilliamRLBaker"]

maybe geoff shouldn't have clicked that link in his email and put in his user name and password at the prompt?

AcidSoldner

[QUOTE="AcidSoldner"][QUOTE="WilliamRLBaker"]

maybe geoff shouldn't have clicked that link in his email and put in his user name and password at the prompt?

o0HAPPY0o

Stop giving out your email, your passwords, hell loads of information you will get phished or your password will get hacked based upon the information you put online.

I will fully admit Microsoft F***** up if and when it is proven beyond a shadow of a doubt this is a hack, till then all we have are users claiming they gave nothing out...and I'm pretty damn sure Cows were denying it left and right up to the point even when sony said hey we've been hacked. pretty sure if they were allowed that then I am as well.

The people that say that their accounts were hacked should look at this page on how to keep xbox live accounts secure. Check that site before you say xbox live was hacked.

http://www.xbox.com/en-us/Live/Account-Security

I don't use xbox live much and no longer have a gold account so I can't really comment too much on it. But none of my friends that use it haven't had anything happen to them, but they do tell me that they get message scams like"reply to this message with your password to win free xbox gold membership" you know stuff you would have to dumb to believe.

I get similar stuff on PSN, my favorite one was "Hi this is Kevin Butler and I am tired of the PSN message scams, so if you send this message to all the people on your friends list and give us your password you will get FREE COD map packs and 100$ in PSN Store" I thought that was pretty funny, you would have to be dumb to fall for that.

I always recommend though that people change their online passwords on a regular basis no matter what service they are using, you can never really be too careful anymore. Xbox Live or PSN or Steam or whatever, you don't know, xbox live hasn't been hacked I don't think and I hope it never does. But it doesn't mean it can't be hacked, just be safe and make sure your information is private and your pasword is changed every now and then.

Xbox.com appears to be down.
DUN DUN DUN!

downforeveryoneorjustme.com is also down.

I love how since the PSN hack debacle earlier this year there has CONSTANTLY been accusations of XBL being hacked and despite Mirosoft finding NO evidence of haking on the network, people keep insisting ZOMG XBL BEEN HACKED!!!

LostProphetFLCL

So if we could please finally get past the ZOMG XBL BEEN HACKED!!! phase that'd be swell.

ZOMG XBL BEEN HACKED!!!

WilliamRLBaker

No.

Stop giving out your email, your passwords, hell loads of information you will get phished or your password will get hacked based upon the information you put online.

I will fully admit Microsoft F***** up if and when it is proven beyond a shadow of a doubt this is a hack, till then all we have are users claiming they gave nothing out...and I'm pretty damn sure Cows were denying it left and right up to the point even when sony said hey we've been hacked. pretty sure if they were allowed that then I am as well.

WilliamRLBaker

And how would that be proven? You would have to be the 2% that gets hacked in order for you to believe it right? Look, I'm a PS3 man, I'm not going to act like I don't have any sort of bias, but I'm not going to criticize MS because anyone's service can get hacked. I'm going to criticizeyou for being unable to believe that your favorite corporation doesn't spend all its XBL money on firewalls. My password isn't just out there for people to use, I used a different email for my Xbox login than my PSN one and a different password for both and I have NEVER given either of these away to suspicious sites. I didn't let it slip online because I haven't been on XBL in 6 months. Now you could tell me I'm lying or that I'm too stupid to realize that I gave my information away to a website that I thought was legit but that's not true and the new SW rules give me the right to call you a dumbass for believing so. I am offended by your words and will not respect any more you produce.

even if XBL is hacked, it is odd that there isn't one massive attack, but I am sure MS has no reason to believe it was a hack, since there isn't a large amount of people getting hacked at once

Xbox.com appears to be down.
DUN DUN DUN!

downforeveryoneorjustme.com is also down.

[QUOTE="LostProphetFLCL"]

I love how since the PSN hack debacle earlier this year there has CONSTANTLY been accusations of XBL being hacked and despite Mirosoft finding NO evidence of haking on the network, people keep insisting ZOMG XBL BEEN HACKED!!!

McStrongfast

So if we could please finally get past the ZOMG XBL BEEN HACKED!!! phase that'd be swell.

ZOMG XBL BEEN HACKED!!!

WilliamRLBaker

No.

These topics keep constantly creeping back up. They aren't quite as bad as before when they were just trollfests after the PSN outage where cows were essentially just trying to use this as a rebuttal for Sony's epic failure, but even now they are just the same old tired BS of people claiming it is NOT phishing when Microsoft has already stated otherwise as there hasn't been any intrusion on the network.

Really, these topics are utterly pointless besides trying to be cow fuel trying to claim insecurities in the XBL network. It wasn't a hack and on top of that it is affecting an incredibly minute number of users. It is obviously either phishing or social engineering, nothing more. Cows are still supporting the vastly inferior networl and that is their problem.

The only real reason I see this even being brought up is because of what happened to PSN, plain and simple. One half is cows trying to use this as fuel and the other is just plain overracting to normal account issues that can happen. When my myspace account got "phised" (and I use quotations there because I do not recall ever licking on anything suspicious but rather think it was simple social engineering despite the fact it used the word phished in the warning message I got) there were no articles on mad myspace hacking going on and I was not dumb enough to try and suggest such a thing happened.

Very happy that my XBL service has never been interrupted and I have never had any account issues in the YEARS I have been on it. People who have been on PSN cannot say the same thing.

These topics keep constantly creeping back up. They aren't quite as bad as before when they were just trollfests after the PSN outage where cows were essentially just trying to use this as a rebuttal for Sony's epic failure, but even now they are just the same old tired BS of people claiming it is NOT phishing when Microsoft has already stated otherwise as there hasn't been any intrusion on the network.

Really, these topics are utterly pointless besides trying to be cow fuel trying to claim insecurities in the XBL network. It wasn't a hack and on top of that it is affecting an incredibly minute number of users. It is obviously either phishing or social engineering, nothing more. Cows are still supporting the vastly inferior networl and that is their problem.

The only real reason I see this even being brought up is because of what happened to PSN, plain and simple. One half is cows trying to use this as fuel and the other is just plain overracting to normal account issues that can happen. When my myspace account got "phised" (and I use quotations there because I do not recall ever licking on anything suspicious but rather think it was simple social engineering despite the fact it used the word phished in the warning message I got) there were no articles on mad myspace hacking going on and I was not dumb enough to try and suggest such a thing happened.

Very happy that my XBL service has never been interrupted and I have never had any account issues in the YEARS I have been on it. People who have been on PSN cannot say the same thing.

LostProphetFLCL

[QUOTE="LostProphetFLCL"]These topics keep constantly creeping back up. They aren't quite as bad as before when they were just trollfests after the PSN outage where cows were essentially just trying to use this as a rebuttal for Sony's epic failure, but even now they are just the same old tired BS of people claiming it is NOT phishing when Microsoft has already stated otherwise as there hasn't been any intrusion on the network.

Really, these topics are utterly pointless besides trying to be cow fuel trying to claim insecurities in the XBL network. It wasn't a hack and on top of that it is affecting an incredibly minute number of users. It is obviously either phishing or social engineering, nothing more. Cows are still supporting the vastly inferior networl and that is their problem.

The only real reason I see this even being brought up is because of what happened to PSN, plain and simple. One half is cows trying to use this as fuel and the other is just plain overracting to normal account issues that can happen. When my myspace account got "phised" (and I use quotations there because I do not recall ever licking on anything suspicious but rather think it was simple social engineering despite the fact it used the word phished in the warning message I got) there were no articles on mad myspace hacking going on and I was not dumb enough to try and suggest such a thing happened.

Very happy that my XBL service has never been interrupted and I have never had any account issues in the YEARS I have been on it. People who have been on PSN cannot say the same thing.

McStrongfast

Actually yes I do recall that when MS commented on the issue MONTHS ago they flat out suggested people were getting phished. Regardless, they have already de-confirmed this hacking nonsense.

I would say that to at least any sort of degree with ANY sort of online account system, there is an amount of people whose accounts will get hijacked through some means. It is just the nature of the world that there are jerkoffs out there always looking for ways to screw with other people.

No it is not considering it has been cows who brought this conspiracy theory up in the first place and keep bringing it back up DESPITE Microsoft already having stated there has been no hacking.

I mean it surely is plausible that I did something to get my myspace phished, but I do not recall clicking on anything suspicious and at the same time I had a very WEAK password for it then that could have easily been cracked by someone. Since the password change I have never had anything happen to any online account I have had.

Hah no it did not! That is a good one actually! :lol:

My account was broken into twice this year. Stolen credit cards were added to my account and thousands of points bought and transferred out all using my gamertag. My Live has been up for only two weeks since back in August, and is still currently locked with an investigation open.

I am an IT professional, I'm 36 years old, I know for a fact this is not phishing. I'm not an idiot and I am very computer savy, so don't give me any talk about weak passwords, or user scamming.

Its not Xbox Live that has been compromised either, Live is an internel network and user data would be extremely hard to get to from outside the network without everyone inside knowing.

This is a problem with Windows Live Id's being stolen from databases. Its very obvious. Microsoft uses Windows Live to log into Xbox Live accounts. You get the Id's off of a illegally compiled database, and phish consoles to recover gamertags. The log ins look legit to Live, and the hackers use either the account credit card or a stolen card number to get what they want.

Microsoft is not lying saying Xbox Live itself has not been hacked, but they are not telling you the true story either.