Individuals have reported problems with their Xbox LIVE accounts showing hundreds of dollars of FIFA-related DLC, but a Microsoft spokesperson says that the company has no evidence that accounts have been compromised.
Xbox LIVE users first reported problems with their accounts on forums such as NeoGAF and the official Xbox forums. A forum poster at GiantBomb reported an incident as early as June. One report at the Consumerist has a subscriber detailing how his money was taken from his account.
I received 2 emails from email@example.com. 1 was for 4000 Microsoft XBOX Live Points ($49.99) and the other for 6000 Points ($74.99). I am sitting at work so I know I didn’t make these purchases. Maybe my cat did at home. He is pretty smart.
Thinking this was a scam, I typed in microsoft.com and navigated to their billing page (NEVER CLICK ON LINK IN AN EMAIL THAT LEADS TO LOGGING IN OR GIVING PERSONAL INFO LIKE THIS) and verified that both charges were made to my XBOX Live account and thus charged to my credit card I had on file.
I immediately called XBOX Live Support/Billing and told them about what was happening and the gentleman was very helpful. He immediately locked my account so no more purchases (cash purchases) could be made. However, the thief could still spend all the MS Points that were on my account. Also, he said that he put a ticket in and their systems would start tracking the IP address of the thief while he was making the purchases.
This last point doesn’t really mean all that much. I am a very knowledgeable computer security individual and know that for someone to do this as quickly as they are, I am sure they are in a hotel under a false name and credit card so it can’t be traced back to them.
I was informed that I would need to call Microsoft back when I get home with the Serial # and ID # of all my XBOX’s (I have 3) so they can verify that the purchases were not made on my systems… I just hope someone didn’t break in to my condo and steal them. Once I give Microsoft that information, they will review it and within 25 days they will refund my money.
I watched from my computer as the account went from 10,680 MS Points down to 70. There is nothing on XBOX Live Market Place that is under 120 points ($.99) so I am sure they left it at that and are moving on to the next victim.
Details on how accounts are chosen and exploited are thin at this time, but Activision community manager Dan Amrich said in a podcast that the illicit activity is related to a FIFA hack that lets individuals buy collectible content packs for the game through accounts they’ve hijacked. The exploit allows Xbox LIVE gamertags to be restored on a different console, giving these individuals free access to the account.
We contacted Microsoft and received the following statement about the issue from a spokesperson.
“We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account.”
If you are affected by this exploit and call Microsoft support, they will lock your account for 30 days, refund your money and offer a three-month Xbox LIVE Gold code.
We also suggest keeping your Xbox LIVE password different from any email or forum passwords that you may own.