Microsoft responds to Xbox LIVE hacking story, denies security breach

By Tom Warren, on 22nd Nov 11 8:20 pm with 31 Comments

Microsoft has issued a thorough response to allegations that its Xbox LIVE service had been breached.

British tabloid newspaper The Sun ran an “exclusive” story on Tuesday claiming that “online crooks have hacked into thousands of Xbox LIVE accounts to steal millions of pounds.” The Sun, owned by News International (an organisation at the heart of an ongoing controversy involving alleged phone hacking), claimed on Tuesday that the average loss for UK gamers was around £100 following cyber thefts.

Microsoft responded to the story on Tuesday and issued the following statement:

Xbox LIVE has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox LIVE service. In this case, a number of Xbox LIVE members appear to have recently been victims of malicious ‘phishing’ scams (i.e. online attempts to acquire personal information such as passwords, user names and credit card details by purporting to be a legitimate company or person). The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. As a result, we are currently:

  • Working closely with affected members who have been in touch with us to investigate and/or resolve any unauthorized changes to their accounts resulting from phishing scams;
  • Warning people against opening unsolicited e-mails which may contain spyware and other malware that can access personal information contained on their computer without their knowledge or permission;
  • Reminding all customers that they should be very careful to keep all personal information secure whenever online and never supply e-mail addresses, passwords or credit card information to strangers.

Microsoft remains vigilant at all times regarding the security of Xbox LIVE customers. As always, Xbox LIVE customers who have any queries or concerns should contact Xbox LIVE Customer Service on 0800 587 1102 or visit www.xbox.com/security.

  • Anonymous

    Why would anyone believe anything The Sun says? Actually, why does anybody even bother reading it?

    • ZipZapRap

      + eleventy. But there are millions of stupid Brits who buy it every day.

    • http://www.callumpy.co.uk Callumpy

      I'm sure most people buy it to look at page 3?

      Also, to add to this, I heard that EA had a lot to do with giving away people's XBL passwords. Something to do with sending a line of code to their email server and it returning users' information…

    • Anonymous

      Anyone stupid enough to buy a newspaper that is known to lie as much as Fox “News” for a still photograph of some airbrushed breasts clearly hasn’t heard of the internet ;)

    • Anonymous

      I got hacked, lost 1000 Microsoft points and I'm pretty sure I didn't fall for any phishing scams. This is just some story Microsoft wants people to believe to avoid problems like Sony had with PSN. Could be a weak password, I must admit, but I wonder where they got my liveid in the first place. I don't use it anywhere except Xbox and I only have 3 close friends on my account. Either way I don't think they can get my liveid/email anyway just by being a friend.
      All the people hacked were complaining about purchases for Fifa12 (EA Games) in-game items. I got hacked just after applying for the Battlefield3 Beta program on Xbox (and lots of people said the same), another EA title. So it could be an EA problem as well, not Microsoft.

  • adam

    Can I just congratulate you on your website, it is so beautifully made and is the first thing I go on when I wake up and the last thing when I go to sleep, well done Tom. =)

    • Anonymous

      Same story here! But just a LITTLE BIT off-topic ;)

    • http://www.facebook.com/people/Jairo-Luciano-Alves/100002545369889 Jairo Luciano Alves

      If you use IE9 and Windows 7, you can pin WinRumors to your taskbar. It will make it even easier and I could even say funnier.

    • Anonymous

      Who in the hell still uses IE, though?

    • Guest

      Only about 50% of all PC users. Hardly anyone. /s

    • Anonymous

      @Guest: Got a source for that? Every poll I’ve seen shows at more of a 30% share including business use, less than 20% for personal.

  • Anonymous

    Knock on wood, I haven’t had any problems, but a friend of mine recently did. Not sure what to make of this, I just wish we could password protect purchases, not just initial login. In fact, there is absolutely NO reason we shouldn’t be able to PIN protect any purchase.

    • http://www.facebook.com/thomas.bundgaard Thomas Bundgaard

      Stupid question – if they already have his account-info, what good would the password do?

    • Anonymous

      A PIN/password for purchase that didn’t match the account password would offer a 2nd validation of account ownership, so if your account was hacked the hacker would still need your PIN before they could purchase anything.

      It would also protect purchases from less malicious things such as kids clicking around and ordering stuff :)

      As it is right now, an Xbox with a credit card hooked up to it is wide open to as much spending as possible without any of the verification.

      I would even like to see an email confirmation that has to be accepted before a purchase is complete – at least as an option.

    • Thomas Bundgaard

      Ahh, sorry. I thought you wanted to write your Live-password again. My bad.

      I agree with you – that would be a nice addition :)

  • NarcoSleepy

    I suspect a lot of this activity is also a result of the Sony hack earlier this year.  Several of my friends have accounts on PSN and XBOX Live and use the same passwords.

    • http://www.facebook.com/thomas.bundgaard Thomas Bundgaard

      Also, a lot of people probably use the same password for Windows Live Messenger and Xbox Live (can’t remember if they are connected?).. and I guess we all know the people, who will blindly click any link that says “show who has blocked you!!” and enter their credentials there :<

    • http://twitter.com/TroyGates TroyGates

      Same may be said of people using the same Live account for hotmail, xbox, wp7, etc. I use all of Microsoft’s services and products on one Live account. If it got phished, I’d be in a lot of trouble. Luckily, I am smart enough not to give out my password and it's a very difficult password.

  • http://twitter.com/mcakins McAkins Online

    Jeez, I hate it when tabloids don’t get their facts right, or are blatantly sensationalist. If people are gullible and give their credentials to a phishing idiot, is that the fault of Microsoft? I hereby nominate the most abused word in the 21st century: the word “Hacked”. This is what you get when people that have never wielded a soldering iron pretend to be Tech journalists. The internet is full of them.

    • Anonymous

      “the sun” HA, left to me they’ll be out of business!
      hate them with a passion

    • Tomdtlist

      I lost 300 hundred dollars. I’m extremely tech savvy and don’t use my xbox live e-mail account anywhere else on the web. This was NOT a simple ‘phishing’ scam.

    • Hype_519

      You're right, same here… just got taken for 81 dollars / 5000 MS pts

  • Brian Riggins

    I’d just like to add: I think there’s NO WAY there wasn’t a security breach of some sort.  I got hacked, and here’s how I know I didn’t get phished: I couldn’t answer any of my own security questions when I called Microsoft to notify them that someone had purchased $150 points and spent them immediately at 4:00 a.m. while I was asleep.

  • Bill

    I am an IT administrator at a 100+ user company. I have my CCNA, Comp TIA – A+ Hardware, MCITP, and more. My email account used for my XBox Live account is solely used for Xbox Live. I have never used it anywhere else. My password was over 10 characters long, including uppercase, lowercase, and numbers. I did not, and would not fall for any phishing attempt. 

    My account was compromised, e-mail account changed, and billed 10,000 MS points using my linked CC. Microsoft is investigating it and I am sure it will be resolved. However, I believe either EA or Microsoft is sweeping something under the rug. I have had the same XBox Live account since the original Xbox and never as much as a blip with problems. 

    The influx of Xbox Live users that this occurred to recently seem to be tech savvy people like myself. I do not accept Microsoft’s response as simple ‘phishing.’ There has to be more going on here. Please keep on top of this story. I want a better official response from MS. 

  • Paul

    I’m afraid that Microsoft’s denials ring a little hollow for me.  I awoke this morning to discover that my xbox live account had been hacked and 10000 ms points purchased fraudulently using my cc.  Interestingly one of my ‘live’ friends was online at about the time the hack took place and noticed that I was playing surprise, surprise… Fifa 12 (a game I don’t own, incidentally).  Like Bill, above,  I too am tech savvy and take my online security extremely seriously (more so, it seems than Microsoft do): I have not been subject to a phishing attack, nor have I revealed any of my online passwords to anyone.  So in absence of that, how did this person manage to hack my account??

  • Stephen

    Same story as above. Hacked and I didn't even know the password or security questions to my own Live account. I don’t use MS Live for anything other than Xbox. This isn't a simple phishing scam.
    However the first notification I got was that someone had added an additional email address to my Live account for password resets. How the hell did they do this? There is no way they had the password.
    This has now been going on over a month and MS have still got my Xbox Live account locked and they have not refunded me a penny of the £85. I have had to get my credit card cancelled and replaced and am now pursuing a refund through them. There is a lot more to this!

  • jarred buckley

    So I decided to do a lil research in Google and see if I can get people's gamertags,
    and what do you know pops up:

    a site with tons and tons of GTs and usernames… I'm no tech expert but I know a lil.
    So if I was to generate a small program that takes all GTs and usernames then simply tries to log in, such as user name bob password 123456, simple and yet no one uses it, but at least 1% would have used it…
    Booyah. For the EA side it's the same… EA supports PC gaming and PS3 and Xbox, right?

    Someone should dig deeper and inform Microsoft before a crisis of the 2012 virus bombs everyone.

  • jarred buckley

    http://www.neoseeker.com/xboxlive/gamertags/
    Check it out. I'm searching for myself but I'm guessing you have to be a part of the neoseeker community.

  • Twinkleb0t

    My Xbox Live account (which I don’t use, as I don’t have my Xbox connected to the internet) was hacked this past weekend. I had two cards registered as part of the Zune service, and the hackers used them to make about £60 worth of purchases. As soon as I saw the email notifications of the charges, I changed the password on the account and removed the card details from Microsoft’s payments site. My bank has refunded the money fortunately. There’s zero online help or guidance on the Xbox Live website to address this sort of situation. Given others’ stories it looks like this is far more than an isolated incident.

  • ken

    I am a certified tech administrator and did not get involved in a phishing scam. 

    Last night I was forced logged out of my XBox and found out that someone purchased $130 of downloads from my linked CC. Somehow, they were able to keep asking Windows Live to reset my password, as they had linked their email address caiyunpiaopiao36@hotmail.com to my account.

    Eventually I was able to contact Xbox live and have them lock down the account, but they spent all 9600 points they purchased, and now I have to wait 25+ days to possibly get my account back and a refund.

    I guess I learned my lesson, not to keep a live CC on XBox live. I can’t understand how they accessed my account though. My Windows Live account is only used for XBox. I forgot I had it until I saw the email stream.