
X-Box Live hack? Fifa run amok?


  • Turkey
    My live expired today, so I removed my card as fast as I could and switched to using cards/codes.

  • projectmayhem
    Hey. This happened to me. I was out 120$ for about a month. Microsoft took care of everything, slow, but hell as long as I get my money back.

    Biggest complaint is how I learned during this process xbox live, windows live id, and whatever you use to log on to xbox.com can all be totally different things.

    Either way, removed CC from everything, switching to game cards.

  • Handgimp
    Turkey wrote:
    My live expired today, so I removed my card as fast as I could and switched to using cards/codes.

    If anyone else is waiting for their sub to end so they can remove their CC, just get on support chat with Microsoft and they'll cancel your sub so you can remove the card, then give you codes for your remaining time.

  • TetraNitroCubane
    Just going to ask, since we have more than a few folks who were hit by this nasty and unfortunate breach: What kind of passwords were in use at the time of account compromise? Alphanumeric? Mixed case? Any symbols? How many characters? Don't share anything you don't want to, of course, but I'm still trying to get my head around the possibility of a brute force.

    Now that I think about it, I do wonder if the password recovery portion of the Live login page is susceptible to brute forcing. If the same oversight that was just fixed for the logins was also present in the recovery page, I'd start to believe a brute force attack being very possible. Not only are the answers to most password recovery questions fairly short, but they're also by and large dictionary-attack vulnerable. Or at least predictably letters-only and case-insensitive.

  • Warlock82
    edited January 2012
    Doesn't password recovery force you to click a link in an e-mail though? The hacker would have had to compromise your e-mail account to use that.

    Anyways, I have heard various things on password strength from various people who have been hacked. Some said they used strong passwords that were not used anywhere else. I know mine was admittedly not strong, but it was at least an unusual word.

    Switch: 2143-7130-1359 | 3DS: 4983-4927-6699 | Steam: warlock82 | PSN: Warlock2282
  • TetraNitroCubane
    edited January 2012
    Warlock82 wrote:
    Doesn't password recovery force you to click a link in an e-mail though? The hacker would have had to compromise your e-mail account to use that.

    True, but not always the case, sadly. Back during the PSN hacking debacle, there was a second, smaller upset when someone discovered just such a vulnerability in the PSN recovery webpage. Essentially all that the recovery process does is email a "token" to the email address, usually embedded in a link you have to click. The token validates the recovery process, but so long as you have it, you don't need anything else. Someone found a way to intercept the PSN recovery token and gain control of an account without ever getting into the target email. Not terribly likely, but nevertheless another option.

    I'm just wracking my brain over this issue each time I see it pop up. I feel like there's more to it than just brute force.

  • Warlock82
    Honestly brute force doesn't seem likely to me. I still think there was a breach *somewhere*.

  • Docshifty
    captaink wrote:
    Docshifty wrote:
    Warlock82 wrote:
    Ha, "industry-wise issue." Most in the "industry" are not stupid enough to allow unlimited login attempts without locking the account.

    Fucking BNet locks the goddamn account.

    Mind you, it's only for like an hour, but still.

    Really? When I played WoW, it let you try to log in to the game unlimited times. Are you talking about the account page itself?

    I mean, like, WC3 Bnet, that you can just make free accounts for in ten seconds.

    I'm just saying, even they lock accounts, to illustrate how stupid it was for Microsoft not to.

  • Athenor
    Okay, I'm getting a bit worried.

    When they recovered my Gamertag and all my info, they did it by issuing me a new live ID, for all intents and purposes. I haven't yet logged into my Xbox, simply to avoid the hassle of typing in my new Live ID.

    The thing is, when they recovered it they issued me basically a random string of numbers. They told me I could change that in a month.. It's been a month, I think, and I still can't reset it back to something sensible - or anything at all, really.

    I really want to reset it, to see if that will fix my Windows Live ID issues. Anyone know how long before they'll let me do that?

    He/Him | "A boat is always safest in the harbor, but that’s not why we build boats." | "If you run, you gain one. If you move forward, you gain two." - Suletta Mercury, G-Witch
  • Phasen
    edited January 2012
    I dunno, sorry. I did not have a problem resetting the password they gave me.

    psn: PhasenWeeple
  • Bullio
    Athenor wrote:
    Okay, I'm getting a bit worried.

    When they recovered my Gamertag and all my info, they did it by issuing me a new live ID, for all intents and purposes. I haven't yet logged into my Xbox, simply to avoid the hassle of typing in my new Live ID.

    The thing is, when they recovered it they issued me basically a random string of numbers. They told me I could change that in a month.. It's been a month, I think, and I still can't reset it back to something sensible - or anything at all, really.

    I really want to reset it, to see if that will fix my Windows Live ID issues. Anyone know how long before they'll let me do that?

    Does it look like the SR number for your case? You can use that "new" ID to recover your Xbox profile back to your console and have access to all of your stuff.

  • Berkshire
    Found out my account was compromised about 1:30am this morning. Was on the line to my bank and MS in minutes. Bank killed the card, opened their investigation. I got a very nice CSR with MS who locked down my account, took my information, and passed it on to their investigative services. I was told that within 7 days, I should hear from those folks.

    Email this afternoon from MS saying that they'd completed their investigation and un-fucked my account, along with steps to retake control of my account. They replaced the points I had on the account (which I would have been furious about otherwise) and gave me a free month of Gold in compensation. It's not much, but it's a nice gesture on their part. My account now appears to be back in good shape, my bank issued me a new card while they investigate, and I've reworked my passwords to be tougher. Is there anything else I ought to consider that I haven't? I know I'll eventually need to fight MS over taking my card information off the account, but other than that? Are my t's crossed, i's dotted, etc.?

    This thread, for what it's worth, was a wealth of information. If I've learned anything, it's that you can always count on fellow Arcadians!

    "And don't you ever stand for that sort of thing. Someone ever tries to kill you, you try to kill 'em right back."
    GT: FootlongKaPow
  • TetraNitroCubane
    Hot damn, less than 24 hour turnaround? That's mighty impressive right there.

    Sounds like you've taken all the right steps. I'd ensure that your secret question for password recovery is secure, and also ensure that the email address tied to the account is secure (if it's GMail, turn on two-factor authentication). Other than those optional final details, I'd say you've probably done all you can.

    Oh, though if you've been accessing your live account through a PC, you might want to do a cursory malware scan just to be safe. Obviously if you were only ever accessing Live through a 360, though, that point is irrelevant.

  • Zombie Gandhi
    I just noticed about $40 worth of MS points missing from my account, and tracked it down to Fifa.
    I can't for the life of me find the damn Xbox Live support phone number. I probably just missed it, but hey, I'm annoyed right now.
    Anybody able to provide any help?

  • Psychotic One
    Berkshire wrote: »
    Found out my account was compromised about 1:30am this morning. Was on the line to my bank and MS in minutes. Bank killed the card, opened their investigation. I got a very nice CSR with MS who locked down my account, took my information, and passed it on to their investigative services. I was told that within 7 days, I should hear from those folks.

    Email this afternoon from MS saying that they'd completed their investigation and un-fucked my account, along with steps to retake control of my account. They replaced the points I had on the account (which I would have been furious about otherwise) and gave me a free month of Gold in compensation. It's not much, but it's a nice gesture on their part. My account now appears to be back in good shape, my bank issued me a new card while they investigate, and I've reworked my passwords to be tougher. Is there anything else I ought to consider that I haven't? I know I'll eventually need to fight MS over taking my card information off the account, but other than that? Are my t's crossed, i's dotted, etc.?

    This thread, for what it's worth, was a wealth of information. If I've learned anything, it's that you can always count on fellow Arcadians!

    Make sure in your live account there are no other associated email addresses. They didn't do it to mine but I've heard they'll put an email of their own to "recover" the password even if you change it. Otherwise just make sure your live password is unique and your security questions are hard to guess. I generally choose a gibberish answer to security questions. Like City You were born in: Taquittos or something just as silly.

  • Bullio
    edited March 2012
    Zombie Gandhi wrote:
    I just noticed about $40 worth of MS points missing from my account, and tracked it down to Fifa.
    I can't for the life of me find the damn Xbox Live support phone number. I probably just missed it, but hey, I'm annoyed right now.
    Anybody able to provide any help?

    1-800-4MY-XBOX (1-800-469-9269)

    Good luck. It's worth contacting your bank about the charges as well. Microsoft will probably tell you to get in contact with them anyway.

  • Zombie Gandhi
    Thanks for the help.
    Odd, because there wasn't a new charge for more points, just that they spent a bunch of points I had recently purchased. MS locking it down will help, but I'll tackle the bank as well.
    Crappy that this seems widespread. I'd like to think I didn't fall for any social engineering, but I guess password could have gotten cracked at some point. Ugh.

  • Opty
    Every time I read this thread I just want to go through and change all my passwords to completely new ones just in case. Instead I just generally log into my account and double check that nothing's happened.

  • Jealous Deva
    Hacked last night, happened to notice that I got a welcome email from ea for FIFA 2012 with tips for arsenal. No credit card use, but drained the 1800 live points I had. I went to windows live, changed email and password associated with account, checked cc activity, any other containment steps I need to do?

    Is it worth involving ms support at this point with no cc involvement?

  • captaink
    edited April 2012
    It's possible you'll get the points back if you do report it to MS. It's possible that you won't.

    Might want to remove any credit card associated with your account.

  • Lars
    So tonight I got some email from EA talking about some NFL game and telling me I need to activate my online pass.

    Except I don't own any NFL games, and nothing gaming related is registered to that particular email. I don't even actually give that email out, so I'm kind of confused as to how I got this message.

  • Handgimp
  • Bullio
    Handgimp wrote: »

    Perhaps for some, but I never used Hotmail on my XBL/GFWL/Live account. Or at least I don't ever remember setting it up for Hotmail.

  • Warlock82
    edited April 2012
    Bullio wrote: »
    Handgimp wrote: »

    Perhaps for some, but I never used Hotmail on my XBL/GFWL/Live account. Or at least I don't ever remember setting it up for Hotmail

    ^ ditto

    I still think they were hacked and don't want to admit it.

  • Zenitram
    Hard to believe this is still going on and MS is still pretty tight-lipped about it.

  • Jam Warrior
    Warlock82 wrote: »
    Bullio wrote: »
    Handgimp wrote: »

    Perhaps for some, but I never used Hotmail on my XBL/GFWL/Live account. Or at least I don't ever remember setting it up for Hotmail

    ^ ditto

    I still think they were hacked and don't want to admit it.

    Nonsense. Fun as conspiracy theories are, a widespread hack just does not fit the pattern. It is simply a high reward account to breach due to easy monetisation and so many methods will be used by many shady people to do so.

  • Warlock82
    So then how did a shit ton of people get hacked with absolutely no commonalities other than having a live account?

  • Jam Warrior
    Because there are a shit ton of ways to get 'hacked' from key loggers to duping phone support to the linked hotmail exploit to hacking another service with a common password and so on and so on.

    If it were a full on XBox Live database hack then everyone would have been compromised at once. These stories that keep coming are numerous but as a percentage of Live users are really very small.

  • Opty
    edited May 2012
    Kotaku put up an article outlining how the scammers hijack your accounts by messing with the customer service, complete with screenshots of hijacker forums and their outlining of how to trick the customer service into giving up the goods. I'm pretty sure that this coupled with FIFA being worth actual real world money is why so many of the hijackings are happening and are connected to FIFA. It might be happening more to people you know because they 1) have a high gamerscore, 2) have a low member number, 3) own some form of Call of Duty, 4) or their name is desirable.

  • AZChristopher
    This is why you don't outsource your tech support. Social Engineering is a known issue that every support call center has to deal with. Not having adequate security is not acceptable, Microsoft.

  • Commodore75
    Opty wrote: »
    Kotaku put up an article outlining how the scammers hijack your accounts by messing with the customer service, complete with screenshots of hijacker forums and their outlining of how to trick the customer service into giving up the goods. I'm pretty sure that this coupled with FIFA being worth actual real world money is why so many of the hijackings are happening and are connected to FIFA.

    I get how they (EA ... and MS maybe) thought trading would keep people playing the game, and spending more money buying stuff.
    But MS has to ask themselves if giving jackers the (extra) incentive to SE MS' customers out of their accounts/money is really worth it (to MS) in the end.
    OTOH, I doubt any bad publicity will prevent people from buying games or paying for Gold. Hell, even just having a GT with an attractive name or high GS is enough to be a target. So getting rid of the [trading of stuff that costs real money] isn't enough to end the jacking.

  • captaink
    Opty wrote: »
    Kotaku put up an article outlining how the scammers hijack your accounts by messing with the customer service, complete with screenshots of hijacker forums and their outlining of how to trick the customer service into giving up the goods. I'm pretty sure that this coupled with FIFA being worth actual real world money is why so many of the hijackings are happening and are connected to FIFA.

    Commodore75 wrote:
    I get how they (EA ... and MS maybe) thought trading would keep people playing the game, and spending more money buying stuff.
    But MS has to ask themselves if giving jackers the (extra) incentive to SE MS' customers out of their accounts/money is really worth it (to MS) in the end.
    OTOH, I doubt any bad publicity will prevent people from buying games or paying for Gold. Hell, even just having a GT with an attractive name or high GS is enough to be a target. So getting rid of the [trading of stuff that costs real money] isn't enough to end the jacking.

    Yeah, but you've got to figure the market for "cool" gamertags and high scores is smaller than the market for straight up cash.

  • Warlock82
    Opty wrote: »
    Kotaku put up an article outlining how the scammers hijack your accounts by messing with the customer service, complete with screenshots of hijacker forums and their outlining of how to trick the customer service into giving up the goods. I'm pretty sure that this coupled with FIFA being worth actual real world money is why so many of the hijackings are happening and are connected to FIFA. It might be happening more to people you know because they 1) have a high gamerscore, 2) have a low member number, 3) own some form of Call of Duty, 4) or their name is desirable.

    I like how Microsoft's response was that this was no longer possible. Remember how about halfway through this whole mess their phone customer support started asking for way more info? Yeah....

  • Dirtyboy
    edited June 2012
    Heads up, looks like another wave of Xbox "hacks" are going around. Someone tried to get into my account two days ago and @Malakaius just had his stolen. I'm going to make a wild, unverified assumption that it has something to do with the rash of websites that had passwords stolen within the last couple weeks.

  • urahonky
    Take this time to change your passwords folks.

  • Nightslyr
    Has anyone used KeePass or LastPass? If so, how is it/they?

  • Handgimp
    Nightslyr wrote: »
    Has anyone used KeePass or LastPass? If so, how is it/they?

    I use keepass, and am happy with it.

  • Bullio
    Thanks for the warning. My account wasn't tampered with, thankfully, but I changed up the pass anyway.

    As for password managers, I use a physical notepad next to my desk. It might be paranoia, but I'm still uneasy about backing up my computing passwords on my PC or cloud service. And no, I don't have to worry about people in my residence, but if I did I have a fireproof lockbox to put it in if need be.

  • Handgimp
    Bullio wrote: »
    Thanks for the warning. My account wasn't tampered with, thankfully, but I changed up the pass anyway.

    As for password managers, I use a physical notepad next to my desk. It might be paranoia, but I'm still uneasy about backing up my computing passwords on my PC or cloud service. And no, I don't have to worry about people in my residence, but if I did I have a fireproof lockbox to put it in if need be.

    Keepass at least keeps its passwords encrypted, and I vastly prefer being able to use the clipboard for transferring passwords. It automatically clears the clipboard after ~5 seconds. I have to remember enough random crap for work; if I were to manually enter passwords they'd stick in my memory and probably eject something useful.

  • Athenor
    I use KeePass stored in my dropbox account, synced to my phone, work PC, and home PC. Every password is different.

    The only piece I'm missing to fully protect myself is a sheet of paper with my Dropbox and Keepass passwords on it, stored in a safety deposit box.
