Xbox ‘Hacking’ Continues, Microsoft Still Quiet

We’ve mentioned this a few times now, but it appears that Microsoft still aren’t doing a great deal about the recent Xbox 360 account compromises – least of all making sure their paying customers are being looked after.

However, it looks like those affected are taking the matters into their own hands, like this individual who has set up a blog about her ordeals.

“On January 2nd 2012 I received a few emails in a quick succession that completely ruined my day,” starts the author. “Someone had logged into my Xbox Live account, purchased 10,000 Microsoft Points and a ‘Gold Family Pack’ for a grand total of $214.97 + Taxes.”

“They had purchased the Family Gold Pack so they could then transfer the MS Points to a dummy account that they had created. I immediately attempted to log into my Xbox Live account and, when that proved unsuccessful, I got straight onto the phone with the ‘Phone Support Team’.”

And this is where it all starts to go wrong. Indeed, if you’re not Geoff Keighley, chances are this will be somewhat indicative of your experience with the so-called Support Team.

The account in question was ‘locked’ for thirty days whilst Microsoft investigated. Amazingly, during that period, her account was hacked again, and further funds were removed from her account, with Customer Services seemingly unable to do a great deal about it.

An investigation on NeoGAF suggests that the reality of the whole ongoing issue is that there are black-market sites set up selling stolen accounts (and accounts created with stolen cards) – and whilst nobody seems to really know for sure how the accounts are being compromised, Microsoft’s attitude is baffling.

Why, for example, is there no proper two-step authorisation required for Windows Live (and thus Xbox Live) accounts, like Google offers? Thankfully, this is now starting to get some traction, with Kotaku and Edge picking up on the story.

Microsoft’s last statement on this was that the problem is a user one, and cited ‘phishing’ as the explanation. TheSixthAxis maintains this is largely nonsense.

  1. At least Sony got shit done when they were hacked. Sure, it was on a larger scale so they *had* to do something, but still, I’ve not heard anyone say their Credit Cards were abused afterwards, but seen plenty suffer due to ‘phishing’ on Xbox Live.
    Serious bs here.

    • The way Xboxes are validated once a profile is downloaded is crazy. They simply don’t check your password once it’s in once unless it’s forced via an online form. So if I get your password I can grab your account and download what I want until it’s blocked… Changing the password doesn’t do anything, I don’t think, as the Xbox doesn’t bother to check… :/

      • If that’s true, it’s not just a stupid way of ‘logging in’, it’s bordering on the imbecilic… if you can connect to LIVE it should be challenged on every login, even if the password is stored on the machine; something like Steam’s New Access passcode should be fairly trivial to implement.

        Either that or realise that sometimes Single Sign-On isn’t the panacea that some tech companies think it is. Given that the WL account can be attached to both a financial account (XBL) and your email (hotmail), you should be forced to keep them separate.

      • That’s the craziest thing I’ve seen in ages. If that’s true then I don’t see how anybody could buy into a company with such an idiotic view on security measures.

        This from a company that has been dealing with hackers and their consistent attacks since the dawn of the internet age… simply shocking.

      • Then again everyone also bought into the ‘Our CC details weren’t stored in an encrypted fashion’ ruse with the Sony hack, which turned out to be totally false. There is the possibility that phishing is to blame, if Windows Live is single sign on and someone has got hold of their sign-on token via some nefarious website, and remember the site that obtains the WL data, may have been hacked themselves and not even realise that this data is going to hackers through their site.

        At the very least MS needs to do a full investigation and try and find out what connects all these users.

      • @blarty – ha ha, you said ‘hotmail’

      • Frankly, that’s bloody shocking.

        If that is true, and considering who we’re talking about I can well believe it, that’s just ridiculous.

        But then MS have always had a backwards idea of what security is.

      • @Amphlett Hangs head in shame…..

    • Thanks for the heads up mate, I’m gonna be removing my card from my Xbox and go back to vouchers.

  2. Jeez, glad I have always used voucher codes bought from a game store. Sony’s attitude was bad enough but this is so much worse.

    • To be fair, Sony didn’t have anywhere near the amount of concrete evidence there is in this case. Data was stolen from them in one move, so they wanted to be sure what was at risk before moving. This is criminal activity being carried out continuously on Microsoft’s own servers!

    • Also Sony was the tip of the iceberg – and although the Sony one was more problematic because of the risk of CC data, numerous software and tech companies have had their servers / forums hacked since the Sony breach; I think this is what makes the silence from Microsoft all the more galling.

      • The media were REALLY quick to crucify Sony, and make up all sorts of false claims (credit cards were stolen, numbers were stored unencrypted etc etc), none of which was true. These sites should have hung their heads in shame. This site included, basically reporting anything they read on the internet as FACT.

        Yet Microsoft seem to be getting off scot-free with this. Go figure.

        The power of Microsoft’s money yet again. They can bury any bad news they want to…

  3. And people said Sony did a bad job of handling the hacking fiasco…

  4. From the blog:

    No one can tell me how this happened in the first place.
    No one can tell me why my account was not blocked when I was told it had been.
    No one can tell me why this was allowed to happen a second time.
    No one can tell me this will not happen again in the future.
    No one can tell me when I will get my money back.
    No one can tell me exactly what is happening with my ‘investigation’.
    No one can explain the inconsistencies between the amount of points purchased and the amount of points that were logged as being transferred.
    Everyone seems to be completely dumbfounded by the whole situation despite knowing that this is not a new occurrence; that many gamers are waking up to these emails every day.
    Everyone who is currently reading this should go and change their passwords right now.

    • Seems like Microsoft ought to be looking to hire some of these hackers. They have a far better understanding of the way the system works than anyone at Microsoft!

      • Yeah, I’d have thought they’d have hired people to test out stuff like this. Obviously not..

    • Blimey, that’s bad.

      I do hope these people get their accounts back and everything sorted. No company should be able to ignore these issues, even if it affects a single person.

    • I agree, this is very bad indeed – the possibility is this is a cross-site problem: while an XBL account may be locked for access, could the billing account still be enabled? Because, as I recall, you have to go to billing(dot)microsoft(dot)com to see your billing history; coincidentally, most other account-oriented links go through live(dot)xbox(dot)com.

  5. This is unacceptable. Microsoft are throwing the minority of customers under the bus to avoid the PR damage of all their customers (and potentials) finding out. The longer they try to cover this up, the more people are going to be hacked. It might have been bad news for Sony, PR wise, but they handled their problem correctly. Warn everybody and go into complete lockdown until you can be confident the problem is resolved.

  6. This is just as bad as Sony and their 3 weeks of silence when PSN got hacked, except MS don’t even realise there’s a problem.
    I guess it’s not Fifa and Ultimate Team then, EA were right.

    • Just as bad? I’d say it was a bit worse.

      People are having money stolen from them and MS are doing nothing about it? Come on, really?

      • I’d agree it’s worse as well, people are being actively hacked and losing money here, whereas when PSN went down, I didn’t hear about anyone’s credit cards being used, we just couldn’t use online.
        I’d say this is worse simply because Microsoft is ignoring the situation.

      • But in terms of the number of people affected, I think that out of all the XBL Users, only a few have been affected, whereas with PSN, everyone was affected in some way.
        Don’t get me wrong, it is terrible how MS aren’t doing anything when people have lost money though.

    • Three weeks of silence? There were daily, albeit not very helpful, updates and an acknowledgement of the breach within 3 days.

      I’d consider this to be far, far worse.

  7. Since I got my Xbox in December, I’ve funded my account once through PayPal. No way am I adding my card details. I’m also off to change my password.

    • The woman in question only funded her account through PayPal. And her account was hacked a second time. More money was leeched out of her PayPal account. Read the blog. Scary.

  8. Why do I imagine the XBOX Support team as 3 people in a windowless room like the IT Crowd right now?

  9. It gets worse as well, one of the community team guys over at 1UP had his account hacked and items bought, and when he contacted them to get it sorted, they said they wouldn’t do anything about it.

    To make matters worse, they BANNED him for providing “falsified” information on his account, because when he registered his account he put in “J” and “K” as his first and second names, instead of his full name Jay Kartje.

    He only got it sorted when he managed to cause enough of a fuss about it all.

    • That’s fecking insane! You gotta wonder, if he was just an average person, he probably would just have been ignored. I bet there’s a few who *have* been completely ignored.
      Scary stuff.

      • Dear me! It looks like MS only bothered to treat him properly once 1UP got a little attention on Twitter about his case.

    • BLOODY HELL! MS were dicks to him. I mean, instead of doing the most sensible thing, they go ahead and ban him for daring to save time by putting the first initials of his first and last name. There is crap customer service then there’s this. I’ve just lot a crapload of respect for MS.

      • You have lot (lost) a crapload of respect for MS?

  10. Looks like Major Nelson ought to be demoted a few ranks at the least ;)

    • Bust him down to private I say. ^_^

      • On second thoughts, I think a court martial and then a dishonourable discharge would be more apt.

      • Yes!

        Feed him laxatives until he ‘dishonourably discharges’!!
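The commenters above describe a console that never re-checks a password once a profile has been downloaded, and suggest a Steam-style access code for unfamiliar devices. As an added illustration (not code from the article, Microsoft, Xbox Live or Steam), the toy account service below shows what the defensive side of that looks like: every device session carries the credential "generation" it was issued under, a password change bumps the generation so every cached session is revoked on its next connect, and a correct password from an unknown device only earns a one-time code delivered out of band. All names (AuthServer, Session, cred_generation, the outbox) are hypothetical.

```python
# Added example (not from the article or any Microsoft/Xbox code): a toy
# account service that re-validates a device's cached session on every
# connect, revokes all sessions when the password changes, and challenges
# logins from unknown devices. All names here are hypothetical.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    cred_generation: int = 1                 # bumped on every password change
    known_devices: set = field(default_factory=set)


@dataclass
class Session:
    account: str
    device_id: str
    generation: int                          # cred_generation at issue time
    issued_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}          # token -> Session
        self.pending: dict[tuple[str, str], str] = {}   # (account, device) -> code
        self.outbox: list[tuple[str, str]] = []         # simulated out-of-band delivery
        self.audit_log: list[tuple[str, str, str]] = []

    def create_account(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _hash_password(password, salt))

    def verify_password(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)

    def change_password(self, name: str, old: str, new: str) -> bool:
        if not self.verify_password(name, old):
            return False
        acct = self.accounts[name]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.cred_generation += 1          # every outstanding session is now stale
        self.audit_log.append(("password_changed", name, "-"))
        return True

    def login(self, name: str, password: str, device_id: str):
        """Returns ('ok', token), ('challenge', None) or ('denied', None)."""
        if not self.verify_password(name, password):
            self.audit_log.append(("login_failed", name, device_id))
            return ("denied", None)
        acct = self.accounts[name]
        if device_id not in acct.known_devices:
            # A correct password alone is not enough from a device the account
            # has never used: a one-time code goes out of band (e-mail, app).
            code = f"{secrets.randbelow(1_000_000):06d}"
            self.pending[(name, device_id)] = code
            self.outbox.append((name, code))
            self.audit_log.append(("new_device_challenge", name, device_id))
            return ("challenge", None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, device_id, acct.cred_generation, time.time())
        return ("ok", token)

    def confirm_device(self, name: str, device_id: str, code: str) -> bool:
        expected = self.pending.get((name, device_id))
        if expected is None or not hmac.compare_digest(expected, code):
            self.audit_log.append(("device_confirm_failed", name, device_id))
            return False
        del self.pending[(name, device_id)]
        self.accounts[name].known_devices.add(device_id)
        return True

    def validate(self, token: str) -> bool:
        """Run on every connect, not only at profile download: a token cached
        on a console stops working the moment the password has changed."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if sess.generation != self.accounts[sess.account].cred_generation:
            del self.sessions[token]
            self.audit_log.append(("stale_session_revoked", sess.account, sess.device_id))
            return False
        return True
```

The generation counter is the piece that matters for the scenario in the article: whoever holds a copied profile or session token loses access the moment the owner changes the password, without the server having to track every device, and each revoked stale session leaves an audit entry that support staff can point to.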