Following an increasing occurrence of Xbox Live account hack reports, we are growing concerned over Microsoft's Windows Live ID system, the only layer of protection between a hacker gaining access to a person's Xbox Live account and their information. In our research, the only consistency we saw across users who were hacked was the general inconsistency of what email and payment method was used on their account. Hotmail, Gmail and school emails were used for their Windows Live ID, while payment methods used were credit cards and PayPal. Other than a compromised Windows Live ID, there wasn't a common thread we could identify.

It's been several months since we started following the "FIFA hack," a rather blunt scam that saw Xbox Live accounts drained so thieves could purchase in-game FIFA 12 'Ultimate Team' cards for use and sale. We have been tracking the FIFA issue and following up on other tips that weren't necessarily rooted in the FIFA hack, but related in that users saw exploitation of payment methods tied to their account. A recent Shacknews editorial detailed accounts compromised by the FIFA exploit.


"I was sitting on my couch watching ESPN on my daughter's Live account when the Xbox Live friends notification popped up and said that I had just signed in to XBL. I took a quick look at my status and to my surprise I was online playing Worms Armageddon. I logged in to my Xbox Live account to find out what was going on," hacked user Michael Adcock told us. "All of the Microsoft points that were stored in my XBL account had been spent on Prince of Persia: The Forgotten Sands and an in-game item for FIFA 12. Whoever spent my MS points had then tried to purchase 6,000 more. Lucky I was able to log in and change my Windows Live ID, bank account and email passwords before any more damage could be done."

Adcock's incident occurred on December 27 and his account is currently locked while Microsoft investigates.

Justin Heard is another victim, with $241 spent using the PayPal account tied to his Windows Live ID. "It seems the access point was through Microsoft's website, as Rift CE was purchased for Games for Windows and that can't be done on the Xbox 360," Heard said. He explained that the hackers purchased several point bundles and then a Family Gold package, which he believes was to transfer the points from his account to the new account.

Heard's account is also locked while Microsoft investigates.

"I can state we've not been made aware of anything like that either from users or PayPal to my knowledge -- a partner we work with closely," Xbox Live Director of Policy and Enforcement Stephen Toulouse told Shacknews. Heard had previously told site VGW that when he contacted PayPal, a representative told him the online banker had received 19 calls within the past hour about the issue. Toulouse dismissed that claim. "I just checked with a counterpart at PayPal who said they have no idea what that source is talking about."

"I got an email from Microsoft saying I had purchased 10,000 points. I immediately tried to get on my Xbox, and found that I couldn't sign in," another victim, Zackh Mackey, tells us. "I checked my credit information online, and sure enough, there were charges tied to the points. I called customer support and they locked my account for a month to investigate. This happened back in early November."

It took about 28 days before Mackey's account was investigated. He tells us his account was tied to Gmail and he used a credit card.

"Two months of [Xbox Live] Gold was credited by email and the money has been refunded to my credit card. No problems since, knock on wood."

The people we've spoken to don't feel they were victims of phishing or a social engineering scam to obtain their passwords. In some cases their Windows Live IDs were tied to email addresses they hadn't used in years.

"Enough people I know in the industry with good password discipline have been victims of some kind of hacking attack that I'm taking every precaution with my own account," expressed Ben Kuchera of Ars Technica, one of the first sites to report on the FIFA hack. "The easiest way to limit your exposure is to remove your credit cards and just use point cards for purchases and to pay for your account. It's slightly inconvenient, but I feel much safer."

We've been in contact with Microsoft regarding our Windows Live ID concerns, having asked directly if the system has been compromised and, for clarity, how the hack occurs.

"Windows Live ID was not compromised. The FIFA '12 and other similar incidents are cases of social engineering or phishing, which are industry wide problems. Microsoft constantly audits its systems and reviews its processes in an effort to help protect customers from such issues," a Microsoft spokesperson told us. "To help avoid becoming a victim of phishing, people can use the guidance found at the Microsoft Hotmail: Serious About Safety site. They can also visit the Windows Live Hotmail Help Center, if they believe their account was compromised."

At this point we feel comfortable in expressing that we can't explain exactly what's going on, but we are concerned. Changing your Windows Live ID and password would be prudent, as would disassociating any credit card or PayPal and relying on point cards instead.

Microsoft's security is typically top-notch, but recent, shady activity on Xbox 360 has left a certain group of gamers cold and with limited access to their accounts. Xbox.com describes unauthorized access as "the use of your Xbox LIVE account without your knowledge and consent," and it's a growing concern for some subscribers. Victims of security exploitation and phishing scams could find their accounts migrated to another country, their password changed, and their Microsoft points spent -- and there's not much they can do about it.

As it turns out, this isn't the worst part of the problem. We received numerous notes from fine IGN readers who noticed an out-of-place pattern with customer support solutions: users weren't getting help. We explored the horror stories, justifiable complaints, and unresolved problems after months of waiting. It gets worse. An upset user created a Tumblr blog simply called Hacked on Xbox tumblr to share her nightmarish experience with Microsoft's security, customer service, and unauthorized access. In her crazy case, the blogger even stumbled upon and spoke to the Gamertag her stolen money had been funnelled into. It was stolen, too, and sold via online auction. This is an out of control case, and she's still waiting for a solution.

So what's Microsoft doing about it?

The ball is like your account, and this is the jerkoff who stole it.

When an account is compromised and you call Microsoft customer support, the estimated time for resolution is around 25 days. "The goal would be days, if not hours," says Stephen Toulouse, Xbox Live Director of Policy and Enforcement. For the most part, he explains, that's how it plays out. Problems pour in through Xbox support and they're resolved quite quickly. Those waiting an unreasonable amount of time represent "a tiny fraction of the millions of people coming through Xbox Live every month." He qualifies this by saying instances of long-term problems with customer service "should not happen."

It does, though, and we can't always help ourselves from getting there. You might find yourself in a bind not necessarily if you own FIFA 12, but because of it. EA's soccer sim allows hackers to launder real-world money by way of the in-game economy. They dig their way into your account using a stolen password, which compromises your account. Your account may be migrated to another country, and recovering it is a bit of a hassle. Now you not only need to wait for Microsoft customer support to investigate your case, but to move the account (and all the licensed content) back to its country of origin. "The original goal...was that [changing regions] wouldn't be used very often," says Toulouse. Those who do it frequently, deliberately or otherwise, have to pay the price.

This isn't the only way accounts are broken into, but it caused quite a stir when the problem arose late last year. We're still seeing and hearing from users suffering unauthorized access problems. Customer support has compensated victims of such crimes with one-month Xbox Live tokens, but the running consensus within the Xbox.com community is that stolen money is gone and Microsoft Points are only occasionally refunded. Your mileage may vary.

Toulouse is confident in Microsoft's ability to enforce security and protect its users, but he's also aware that customer support is an imperfect system. He's genuinely passionate about improving security and assisting the affected, and that's the first step in solving these issues altogether. With the FIFA 12 exploit still hurting the Xbox Live user-base, regardless of how small the number, Microsoft can more easily identify other games primed for criminal targeting. "Security is a journey, not a destination. We do have to get better at doing it," he says. "It's on us to keep security on the forefront and to improve it...and we've been getting better."

In turn, stronger defense means fewer interactions with customer service at all. Until then, we're stuck in whatever limbo support leaves us in while waiting for resolutions. Changing your password, avoiding unscrupulous emails, and keeping a sharp eye on your account couldn't hurt in the meantime.

UPDATE: Microsoft has addressed concerns surrounding an alleged Xbox.com hacking trick as reported here at IGN. The official line is as follows:

"Microsoft can confirm that there has been no breach to the security of our Xbox Live service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided athttp://xbox.com/security to protect your account."

Microsoft also specifically states, "This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue." In addition, it reiterated that account compromises are often a result of phishing scams and malware used to snatch your password.

Original story follows:

Security on Xbox Live is a growing concern, and a hacked subscriber has found one more reason to make us paranoid. Jason Coutee had $100 stolen after someone broke into his account, but rather than let Microsoft investigate the how and why, the network infrastructure manager took matters into his own hands. Coutee found an egregious exploit on Xbox.com that acts as a loophole for password thieves.

Clicking the link squared off in red looped me back to my login -- with my email address filled in automatically.


Failing to log into your Xbox Live account using your Windows Live ID eight times in a row presents you with a few options. You can recover your password with the usual "Reset your password" option. You can try entering it a ninth time, with a CAPTCHA box to fill in, thus proving you're not an Internet robot from the future. Finally, you could try logging in with another ID. Clicking that link brought me back to my login page with my Live ID already filled in. The password box was waiting for me -- the CAPTCHA box was gone.

Hackers, then, could run a script that enters various passwords for Live accounts until it eventually busts into your account. Failing entry on that eighth attempt, hackers could avoid the CAPTCHA aimed at stopping them by way of the "Sign in using another Windows Live ID" link. AnalogHype reports this gives the user eight more attempts without a CAPTCHA interruption, which was not the case in my experiment. I got the prompt each time I failed to log in after that eight -- but I could loop back around and just try again without the CAPTCHA again.

What does this mean for you? Well, you're vulnerable. Anyone with know-how could cook up a script to run passwords and circle back using that link all day and potentially break into your account to steal your stuff. Time to strengthen those passwords, folks.

We've asked Microsoft what's going to be done about this security bungle.