http://www.eurogamer.net/articles/20...king-and-fraud
Has Xbox Live been hacked?
In November we were told no - Microsoft blamed phishers.
Whether hackers or phishers, new evidence has arisen detailing how an Xbox Live account was fraudulently used to buy and then transfer large sums of Microsoft Points.
The Xbox Live account belongs to "Susan T". Her "Hacked on Xbox" diary of events began on 2nd January, when she was emailed confirmation of purchasing 10,000 Microsoft Points and a Gold Family Pack - $214.97 worth of goods. These were then transferred to an unheard of Xbox Live account.
"Susan T" contacted the "Phone Support Team", which forwarded her case to the Xbox Live fraud department. They said her account was now blocked while they investigated. (Copies of the emails are provided on the "Hacked on Xbox" blog.)
On 4th January, the Xbox Live account belonging to "Susan T" was fraudulently used again - and again to buy 10,000 Microsoft Points (around $124.98). These points were transferred to a different unheard of Xbox Live account - "RipplyCorgi16".
"Susan T" was told on the phone by Microsoft that, "The fraud department was unable to block your account."
Contacting the Xbox Support Twitter account proved equally fruitless.
"They were about as helpful as everyone else I have been in contact with regarding my stolen money," wrote "Susan T".
"In total (including tax), I have had $366.06 stolen from me. Just how I am going to feed my son this month I just do not know. I can only hope that Microsoft will return my money back to me soon.
"At this point in time I just feel like I am being led around in circles here. I have spoken to numerous people from Microsoft and the only information I am given is that they will pass it on to the next person."
But on 5th January (mistakenly labelled 5th December on her site, it seems), "Susan T" had a breakthrough.
She managed to log in to her apparently blocked Xbox Live account and found a new friend was online, "RipplyCorgi16" - the account that had received fraudulently bought points.
"Susan T" innocently messaged "RipplyCorgi16" and discovered that the user bought the account on allegro.pl, a Polish eBay-like site.
"Susan T" found the auction site for the person who sold the "RipplyCorgi16" Xbox Live account. She found listings of Xbox Live accounts with amounts of transferred Microsoft Points. Some Xbox Live accounts were being sold with a fraudulently bought game.
"His listings all state that you must use the MS points 'as quickly as possible', and that if they disappear it's not his fault, as there was a stated 'warranty' in his auction site listing," she shared.
"If the points have gone you will have to purchase more from him, end of story. The same goes for the games; you must recover the purchased GamerTag, transfer the licenses for the games as quickly as possible or you may miss out."
"Susan T" discovered the seller's contact details but has yet to make contact, and asked that you do the same.
"Susan T" also talked to Microsoft again.
"I have spoken to Microsoft again and the rep I chatted to was appalled that no one else had actually managed to get my account blocked since the moment I first reported the issue on Monday," she wrote.
"He said he is going to (wait for it) 'pass my case onto the Tier 3 team' who will phone me once my account has been blocked and the investigation begun.
"I don't have much hope of it getting blocked. I'm beginning to get used to the idea of never being able to use my account again."
Please let Eurogamer know if you have been a victim of a similar hacker or phisher on Xbox Live.
It seems lots of ppl in the comments section of this article are coming out now and claiming they have had similar problems. It seems they are adamant it's not a phishing problem either.
Giantbomb (esp. Patrick Klepek) had a lot of articles about these issues too... yet somehow (although it seems very widespread) MS doesn't acknowledge that it is a problem, at all. The same strategy they used for RROD.
Kept you waiting
Although I do have a Live account (GFWL ftl), there's NO CC information saved there... it has even 50 gamerpoints or so^^
Kept you waiting
Why didn't the lady cancel her credit card? Is she retarded?
Some of these you have to wonder if something like the person's son didn't go in and add his friends on to the account and then give them all free points or have a friend steal the account etc.
Giantbomb reported of a case where it took MS more than 3 (or was it 6?) months to give the account back to the original owner... I just don't get how it could ever take this long to authenticate a person.
Kept you waiting
.....but.... you can't transfer MS points between accounts..... is she saying someone made a family pack and then added that "unknown" GT to her family and sent the points through?
Even so..... if she weren't phished, then she should have been able to have her account immediately deactivated. I really can't believe there isn't something more going on in the story.
Also if she could log in later, she probably could log in the whole time. Why would they change her password to lock her out but then change it back??? ...No.
And also, she's an idiot for not canceling her card right away. Seriously.
You can transfer points in a family pack. That's why I suggested maybe it was something someone else or a friend did.
Last edited by masteratt; 01-09-2012 at 08:07 PM.
wow, that's one hell of a woman
Ohhh, "Microsoft: A Company With No Brain, Heart or Soul", this Susan Taylor has balls.
We are made of the same stuff of dreams
Is this the hack used to exploit Xbox Live accounts?
Last week we asked if Xbox Live had been hacked. We used the detailed account of Xbox Live fraud victim Susan Taylor to suggest that yes, it had.
After publishing the article, Eurogamer was approached by half a dozen other readers who had experienced similar exploitation on Xbox Live.
All the while, Microsoft staunchly denied any such security breach on Xbox Live.
But now we may have discovered how those Xbox Live accounts were broken into.
Eurogamer was contacted recently by "Jason", a man who claimed to know how to hack into Xbox Live accounts. He offered us an explanation via email last night. But our efforts to validate his claims were cut short by website AnalogHype, which today posted an uncannily similar "how-to", based on information provided by a source named Jason Coutee.
The same Jason? Probably.
Coutee and Eurogamer's "Jason" point the finger at Xbox.com - the website. This allows eight password attempts at a Windows Live ID before CAPTCHA is triggered - the system that presents those squiggly words. A simple password-generating script can apparently be used to exploit this system before CAPTCHA kicks in.
The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they're valid - "the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."
Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points. That's how it sounds. We haven't tested this, naturally.
Eurogamer has contacted Microsoft about this issue. Microsoft is aware of the issue and Eurogamer is waiting for a formal response.
AnalogHype says that Jason Coutee is a network infrastructure manager who had his own Xbox Live account hacked and used to fraudulently buy 8000 Microsoft Points. He called Xbox Support, who offered to freeze his account but couldn't refund him. He declined the offer and investigated himself, eventually stumbling upon the answer.
Since publishing Susan Taylor's account of Xbox Live fraud, Eurogamer has been contacted by half a dozen other people who were victims of similar exploitation. Thank you, those who have written in. And please do keep letting us know if you've had your Xbox Live account fraudulently used.
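A server-side sketch of the two controls the article's description points to, added here as an example and not taken from Microsoft, Eurogamer or AnalogHype: one failure message whether the ID is unknown or the password is wrong, and failure counters keyed on the submitted ID and on the source address instead of on a session. `LoginGuard`, the per-source limit and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

GENERIC_ERROR = "The email address or password is incorrect."
MAX_FAILS_PER_ID = 8       # threshold quoted in the article
MAX_FAILS_PER_SOURCE = 20  # assumed value for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Hypothetical login front end; accounts is constructed sample data."""

    def __init__(self, accounts):
        self.creds = {}
        for login_id, password in accounts.items():
            salt = os.urandom(16)
            self.creds[login_id.lower()] = (salt, _hash(password, salt))
        # Unknown IDs are checked against this record so they cost the same
        # work as a real account and cannot be told apart by timing.
        self.dummy = (os.urandom(16), os.urandom(32))
        self.fails_by_id = defaultdict(int)
        self.fails_by_source = defaultdict(int)

    def attempt(self, login_id, password, source, challenge_passed=False):
        key = login_id.lower()
        # Counters live on the server, so starting a new session or moving to
        # another address does not reset the per-ID count.
        throttled = (self.fails_by_id[key] >= MAX_FAILS_PER_ID
                     or self.fails_by_source[source] >= MAX_FAILS_PER_SOURCE)
        if throttled and not challenge_passed:
            return "challenge_required"
        salt, stored = self.creds.get(key, self.dummy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and key in self.creds:
            self.fails_by_id[key] = 0
            return "ok"
        # Same counter updates and same message for "no such ID" and
        # "wrong password": the response no longer confirms valid IDs.
        self.fails_by_id[key] += 1
        self.fails_by_source[source] += 1
        return GENERIC_ERROR
```

The per-source counter is what catches a single client walking through many different IDs while staying under the per-ID threshold on each one.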
Huh... so MS are morons in implementing a secure login... (and people are, because they use easily crackable passwords via dictionary attacks, hence I use 12 or more characters, numbers etc. for mine).
Kept you waiting
I think it's more the runaround she got that upset her so much. Yes, she could have taken measures but clearly MS wanted to keep it as quiet as possible, perhaps hoping she would just go away eventually.
That's very often the case with bigger companies... also they often underestimate the power of the Internet (or the "community") in these cases. Well, most people don't go around and open up a website for this, but others do or they email Giantbomb or whatever.
Kept you waiting