Microsoft: Xbox Live has not been hacked

Gamers suffering from "malicious" phishing scams.

Microsoft has once again insisted Xbox Live has not been hacked.

The company issued a statement today following an article on the front page of today's edition of The Sun newspaper titled: "XBOX CYBER FRAUD."

The Sun alleged thousands of Xbox Live accounts have been hacked into and millions of pounds have been stolen, with an average loss to UK gamers of around £100.

In response, Microsoft blamed the issue on phishing scams.

"The security of Xbox Live members is of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," a Microsoft spokesperson said.

"Xbox Live has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox Live service.

"In this case, a number of Xbox Live members appear to have recently been victims of malicious 'phishing' scams (i.e. online attempts to acquire personal information such as passwords, user names and credit card details by purporting to be a legitimate company or person). As a result, we are currently:

  • Working closely with affected members who have been in touch with us to investigate and/or resolve any unauthorized changes to their accounts resulting from phishing scams;
  • Warning people against opening unsolicited e-mails which may contain spyware and other malware that can access personal information contained on their computer without their knowledge or permission;
  • Reminding all customers that they should be very careful to keep all personal information secure whenever online and never supply e-mail addresses, passwords or credit card information to strangers.

"Microsoft remains vigilant at all times regarding the security of Xbox Live customers."

It advised those affected to call Xbox Live Customer Service on 0800 587 1102 or visit www.xbox.com/security.

Earlier this month Microsoft told Eurogamer the recent spate of Xbox Live account hijackings involving unauthorised FIFA Ultimate Team pack purchases was not due to a system exploit or hack.

Microsoft's online safety director Doug Park insisted that the problem didn't represent "a new attack vector".

"It's not a hack, it's really just a different way to monetise stolen accounts," he explained.

"Any service has compromises. Facebook has compromises, WOW has compromises. What they're really doing is trying to make money off those compromises. So FIFA is a very popular title - it's just a new way for the bad guys to make money. It wasn't, based on our investigation... we didn't see anything new. It was just a different avenue."

Park suggested that a run-of-the-mill data phishing scam was the cause, though he wouldn't go into specifics.

The FIFA issue first raised its head last month, when a significant number of users reported that their accounts had been taken over by cyber thieves and were being used to purchase FIFA Ultimate Team content packs, presumably for re-sale.

At the time, Microsoft announced that it was "working with our impacted members directly to resolve any unauthorised changes to their accounts."

Comments (45)

  • neilka #1 2d ago

    But what about the Gibson?

  • wizlon #2 2d ago

    If you have suffered because of a phishing scam then let's do something about it!! PM me your Name, Address, Credit Card details, Date of Birth and National Insurance Number and together we can stop this menace!

    Please don't send me any of your details, I will only sell them to the Russians.

  • ZuluHero #3 2d ago

    I AM A NIGERIAN PRINCE. IF YOU WOULD LIKE TO ENSURE THE SAFE KEEPING OF YOUR XBOX LIFE ACCOUNT PLEASE SEND ME YOUR BANK DETAILS AND I WILL GIVE TO YOU A BONUS ONE TIME OFFER OF 1 MILLION MICROSOFT DOLLERS TO YOUR LIFE ACCOUNT. IN GOODWILL GESTURE. THANKS YOU!

  • darkmorgado #4 2d ago

    The Sun in printing a load of bullshit shocker!

    Good timing too, considering the inquiry into the media is currently going on :D

  • CaptainQuint #5 2d ago

    It's funny, when I clicked on that Sun link, for a minute I thought I was still on EG. The style of the headline and the sensational wording made both publications difficult to tell apart.

  • slippysloppy #6 2d ago

    Listen to me very carefully, this is very important. What is your mother's maiden name?

  • Toothball #7 2d ago

    Phishing scams have been going around on Xbox Live for years. I've seen plenty come and go, mostly luring people in with the promise of free MS points for logging into a fake site somewhere. I've also seen a few people lose their progress and characters in online RPGs where the scammers were more concerned with digital loot than any associated MS points.

    There was a copy of the Sun in the office here, and the funniest part of the whole story is that the page 3 girl was apparently also concerned enough with this issue that it was mentioned in the accompanying blurb.

  • Ace-Reject #8 2d ago

    Good Afternoon sir my name is George I'm calling from Microsoft Xbox Lives, you have won a thousand ugandan dollars worth of microsoft points to receive these all I require is your Xbox live Details and bank account details so we can verify you are who you say you are :lol:

  • arcam #9 2d ago

    To be fair, the Sun seem to be using the mainstream media definition of the word "hacked" which has been used here on EG and elsewhere many times. In the article they mention that phishing is the likely culprit: "THERE are two main ways criminals can access your Xbox Live account and steal cash or buy Microsoft points with your credit card. These are a fake website "phishing" con and a password scam."

  • Cadence #10 2d ago

    GOOD AFTERNOON MADAAAM!

  • Buztafen #11 2d ago

    I can't feel sorry for stupid people who have money stolen due to these scams. In fact I'm hoping it keeps them off the internet for good.

  • Adam_T #12 2d ago

    So it's average Sun readers that have been duped then?

    Ohh looky free money woop woop!

  • PaulieWaulie #13 2d ago

    The Sun want to use the word hack to help people forget that News International are the most prestigious hackers around.

  • mattjpea #14 2d ago

    No coincidence this story appeared on the same day as the Leveson enquiry.

  • Astro-Creature #15 2d ago

    Microsoftlol

    Am I doing it right, Xbox owners?

  • lollage #16 2d ago

    "Am I doing it right, Xbox owners?"

    No, cos Xbox Live hasn't been hacked. Sony got bent over and utterly shafted by hackers and they had to take PSN down for weeks. When that happens with Live, you can type "Microsoftlol" if you want to.

  • Bruce_One #17 2d ago

    XBox Live HAS been hacked.

    I switched on my XBox about 2 weeks ago and it asked me to retrieve my gamertag. I thought that was odd, as I haven't assigned it to any other console, but once I had done that, I noticed that all my MSP had been used. When I checked on live.com, I found out that my points had been used to buy all sorts of game packs for games that I don't own. I also have 2 achievements for Fifa 2012, which I also don't own.

    I don't use the email and password combination that I use for Live for any other site and I haven't given these details to anyone. I haven't even signed into live.com in over a year.

    The only way that my account could have been hacked is through a weakness in Microsoft security.

    My Live account is now suspended and has been for 2 weeks, while they slowly investigate the problem. =( The only positive is that I don't have a credit card on that account and have always bought MSP with pre-paid cards. Otherwise, it would have been a lot worse.

    A quick search on the net reveals that there are hundreds of other people who have experienced the same thing with loads of forums dedicated to this!

  • gotyourmoney #18 2d ago

    It's not an electronic hack, but it is a social hack. And frankly, though this may seem heartless, I can't find the time to pity anyone caught out by phishers.

    Boring anecdote: I once prank called someone (By mashing the keys repeatedly until I heard ringing) and without any preparation at all, while being pretty fucking drunk, at about eleven at night, I had some guy giving me a lot of personal details.

    Reminds me of Revolver:

    The bigger the trick, and the older the trick, the easier it is to pull, because they think it can't be that old, they think it can't be that big, for so many people to have fallen for it.

    Some (most?) people just need to upgrade their wetware.

  • bionic #19 2d ago

    The Sun said: XBOX LIVE HACKED

    So it must be true :D

  • GamesProgrammer Games Team Programmer, Eutechnyx Ltd. #20 2d ago

    @Bruce_One

    I thought this Fifa hack was because EA got hacked, and if you've ever played any EA game on live, then EA have your username and password?

    Or was that a load of crap?

  • Mayhem64 #21 2d ago

    What happened to Bruce_One has happened to a few people I know, and in a couple of cases, they have never played an EA game on the 360 (amazing, huh?!). So the details must be compromised in some other way, and they are savvy enough to not be caught out by any phishing attempts. So what is it? My money is on a security flaw Microsoft's end, and it is doing its best to conceal it. Decrying there is no breach reminds me of that scene from "The Running Man"...

    Damien: "Please sit down everyone, we are experiencing technical difficulties!"
    Old lady: "Bull****!"

    In this case, the "old lady" is hundreds of affected 360 users...

  • lockload #22 2d ago

    @GamesProgrammer Well I have read elsewhere this is not a phishing scam and is not a hack on Xbox Live either

    The passwords are being captured elsewhere on another linked forum

    There are not many trusted networks that link with Xbox Live, I'm sure people can think which one it could be that hosts their own authentication servers maybe

    I've not read yet if this is simply a problem where someone is using the same password for Xbox Live as the compromised service

  • Bruce_One #23 2d ago

    @GamesProgrammer I didn't even think about that; the last EA game I played was Burnout Paradise... quite a long time ago! It's the only site that I have used the same login details as Live (although I have a different username on EA than my gamertag). Just logged onto the EA site and, sure enough, same email address and password combo as Live was!

    /closes EA account

  • GamesProgrammer Games Team Programmer, Eutechnyx Ltd. #24 2d ago

    @Bruce_One

    Glad I could help :)

  • Bruce_One #25 2d ago

    Turns out that there IS a record of your Live Gamertag on EA, for Xbox but also for PS3 AND Wii (if you have registered games from those systems as well)!

    There doesn't seem to be any easy way to delete your account, but I have emailed them. As well as changing my password on there to something I don't use ANYWHERE else!

  • DAN.E.B #26 2d ago

    EA- "Who loves you and who do you love?"

  • darkmorgado #27 2d ago

    HELLO SIR, I AM CALLING ABOUT YOUR BANK. WE HAVE A PROBLEM WITH YOUR ACCOUNT BECAUSE A BIRD IS TRAPPED INSIDE AND WE NEED YOUR PIN NUMBER TO GET INSIDE AND LET THE BIRD OUT.

    Seriously, how do people fall for phishing scams? They are so blatantly fucking obvious you really do need to be a moron to fall for them.

  • Collymilad #28 2d ago

    Yeah bullshit.

    It is phishing, and half the idiots that got done wouldn't even admit to giving out details even if they had.

    I've never lost anything through security related stuff on XBL in 8 years and neither has anyone else I know.

  • Feanor #29 2d ago

    Psychotext's missus's account was hacked even though her password was only ever used on the 360 itself. MS are just trying to shift the blame.

  • dillingerdan #30 2d ago

    Hmm I had my account "hacked" a few weeks back, and they bought about 6000 points, changed the gamertag and bought something for FIFA (I couldn't see what it was exactly, showed as an unknown item when I took back the account myself).

    I have never used the phishing scam things or been on any "free MS points" sites or whatnot. The thing is I logged into XBOX.com the DAY BEFORE I was hacked. The only other explanation for it could be the fact the password is the same as what my PSN ID was before they hacked PSN, so my ID could have been on one of those lists going around P2P, and it could have been that simple, luckily that's the only password that is the same as each other (I have 5 passwords in rotation).

    The thing that annoys me is how lax the security is on XBL. They added a second email address to the account, that they could then obviously use to authorise purchases WITHOUT any form of check. They (MS) sent me an email that said "If this is correct YOU NEED TO DO NOTHING". That's complete BS. If you need to add or change an email the original email should have to be verified OR you should have to ring MS and go through some checks like say you lost the email account or such. And my account was verified, so this is complete balls up on MSes part. And it's also been 19 days I still have no access to my account (so I cannot play some of my pre-orders that have come through), and have not been refunded any money yet either.

    MS needs to up their game.

  • Jon1292 #31 2d ago

    I should imagine there's quite a bounty up for Microsoft right now, they're one of the only big tech companies around right now that haven't been hacked.

  • SeesThroughAll #32 2d ago

    LOL @ Sony, I'm sorry guys, but you should know better than using that PSN crap!
    You know what they say, you get what you pa...


    .. Oh.

  • Snake_2011 #33 2d ago

    lollage either way it is bad for MS owners just like with Sony no one's fault but hackers.

  • VibratingDonkey #34 2d ago

    Sure. Whatever you say Mr. Y'know Things Break.

    Meanwhile I'll believe the experience of the users, indicating that this is not phishing. And that Microsoft needs to add some security and customer support improvements to deal with this situation.

    Something worth noting is that if Microsoft is telling the truth here and there is no security exploit, implementing two-step authentication would still be an obvious solution to what is a too common problem in account hijacking. But instead of doing that they do nothing whilst boasting about how great they are at security. And also taking care of their customers by locking down their accounts for a month.

    Journalists should start asking the right questions. Or hell, ask any questions at all to anyone instead of just reiterating what Microsoft PR says. Not calling out Eurogamer or anything, just in general.

  • Primatori #35 2d ago

    On another note. The cause for this scam is the fault of the account holder and has nothing to do with Microsoft. However, why are Microsoft issuing refunds of money stolen through the fault of the account holder? If it was 100% the fault of the account holder for being a stupid gobshite and giving their details away then if I were Microsoft and had people complaining I would not be issuing refunds.

    Is there another underlying issue?

  • funkateer #36 2d ago

    "I've never lost anything through security related stuff on XBL in 8 years and neither has anyone else I know. "

    Yeah I never lost anything through security related stuff on PSN either, so the PSN hack obviously never happened too.
    Also, no plane has never crashed because I've never experienced it and neither has anyone else I know. It's all lies.

  • Kaminari #38 1d ago

    Phishing sure works with many dumb people.

    But not everyone affected by this fraud is a drunken mugu. There IS something wrong with XBL security, and MS are too afraid to ever admit their paying service might have been compromised.