Xbox Hackers Alert-EA Servers etc

Explosions in the Sky

Guys just had a friend log into xbox and it said "Gamertag" was signed in on another console" and he had 1000 MS robbed. I had noticed today he was online on Fifa 12, a game he has never played.
The hack is someway linked to Fifa or EA Servers methinks

http://www.insidegamingdaily.com/2011/10/20/microsoft-responds-to-fifa-12-hacks/ here are the stories

Seems like it is going around

Meesared

Id agree, something is suspicious given all of the accounts are used to buy Fifa ultimate team packs

MiniNukinfuts

It'll probably emerge in a few weeks of a major plot hole in xbox live security, but by the time they announce it, everything will be fixed, so MS won't look all that bad. :P

Rochie IRL

My account was hit. I have 15 achievement points now for fifa 12 and it shows as one of my games and the game has never been in my console :eek:
They got well over 4000 ms points by downloading "Premium Gold Pack" "Gold Players Premium" "Rare Player Pack".
If you phone support they suspend your account for 30days while they investigate it. The first question I was asked by customer support was do I have fifa 12 so Microsoft no there is a problem. I'll get my points back etc etc but it does not make xbox look very safe at the minute.

Meesared

The reason they asked that was because you would have had fifa Ultimate team purchases on your account, and if you did, but not have the game, its a pretty definitive way of knowing whats happened.

I personally highly doubt Xbox Live itself has been accessed, if it was, all the high profile Xbox Live accounts would be being stolen (Major Nelson, E, Stepto)

calex71

There's been a few of these threads in recent weeks, and in all cases FIFA and points used to buy FIFA dlc have been mentioned. In most cases folks haven't even played it, so acc. data is not being phished that way.

At the moment I'd be pointing the finger at EA but we'll wait and see, I'd be interested to to see what happens if one of the bigger gaming sites picked up the story.

I haven't played fifa either so am a bit clueless but from what I gather isn't there some real world cash incentive here for selling teams or something? When I heard that even before these hacking cases I said to myself "trouble"

MiniNukinfuts

calex71 wrote: »

I haven't played fifa either so am a bit clueless but from what I gather isn't there some real world cash incentive here for selling teams or something? When I heard that even before these hacking cases I said to myself "trouble"

Yeah, the people who hack the accounts generally just buy some ultimate team pack, and sometimes a live sub on the account, then they sell the account on. That's what i've gathered from various posts around the place.

windingo

I am seeing a lot of this going around here and on other forums, scary stuff but I suppose things can only improve now that they know the hacking is going on.

If it is EA then they are treading murky waters.

AceCard Jones

If I'm to understand this right, the theory is EA have been compromised, and the people who made the mistake of using both the e-mail of their gamer tag, and the same password as their gamer tag when signing up the to EA services, are now having their accounts accessed? It's a bit of a "Silly Billy" mistake to use the same password across multiple services so people really need to watch out for that. Unless I have it all wrong and this is all being done in another way.

I can see no other way of EA being compromised resulting in your Xbox account being stolen, unless Microsoft themselves got infiltrated. Which in my opinion is just as likely since all these "Hackers" seem to be targeting all mainstream media and gaming companies.

Meesared

EA would be a softer target IMO

Explosions in the Sky

Those testimonials in the link at the top are from people who have had no games or accounts affiliated with EA aswell, although it seems like EA has been compromised. The theroy is with the Fifa 12, the hackers get rare cards in Ultimate team on Fifa as they can be auctioned off. They buy the packs with your microsoft points in the first place, thats why everyone getting hacked has 15 gamerscore on Fifa even if they never had the game (like my friend :mad:

spoongibbon

Just to note - my xbox account was hacked about two weeks after setting up my first EA account - to use with Battlefield 3. As far as I could tell the points that were spent on my account were not used to purchase anything FIFA-related.

Explosions in the Sky

spoongibbon wrote: »

Just to note - my xbox account was hacked about two weeks after setting up my first EA account - to use with Battlefield 3. As far as I could tell the points that were spent on my account were not used to purchase anything FIFA-related.

Have you ever played Fifa ? if you have not and recieved 15 gamerscore on it they used it to buy packs on Ultimate team

spoongibbon

No, I never owned it and as far as I'm aware, never got any achievements for it.

pH

http://www.insidegamingdaily.com/2012/01/13/xbox-com-password-exploit-fingered-for-xbl-hack/

They're calling it an "exploit" but it doesn't seem like an exploit to me - getting gamertags - checking google to see if they can match GT and an email address then using that email address as a live ID - then brute forcing a password.

I can't see what the "exploit"

Maybe MS allow brute-forcing of login attempts?

Anyway - keep email passwords separate - and don't have a guessable password - don't use a single dictionary word - have upper and lower case and at least one number.

gizmo

Aye, similar story on Eurogamer at the moment. If it's true then it's not "hacking" in the slightest, just a combination of certain lax checks on MS side combined with, what I assume, are terrible passwords.

Jericho.

pH wrote: »

http://www.insidegamingdaily.com/2012/01/13/xbox-com-password-exploit-fingered-for-xbl-hack/

They're calling it an "exploit" but it doesn't seem like an exploit to me - getting gamertags - checking google to see if they can match GT and an email address then using that email address as a live ID - then brute forcing a password.

I can't see what the "exploit"

Maybe MS allow brute-forcing of login attempts?

Anyway - keep email passwords separate - and don't have a guessable password - don't use a single dictionary word - have upper and lower case and at least one number.

I don't think this was the case. It happened to me a while ago.(I had a thread on it as well) My e-mail would be different to my gamertag and my password would've been good. It was the same password as my EA one, I reckon that's how they did it.

MayoForSam

My account was hacked months ago and my password was relatively strong (combination of a word followed by a number), my locale was changed to Russia and I can't change it back (bit difficult trying to interpret the Cyrillic alphabet on my dashboard). MS still haven't sorted it out even though they keep sending me XBL codes every month to keep me sweet.

This method of brute force hacking could conceivably have worked to access my account but it's unforgivable that Microsoft have never come up with a more robust way of preventing this, at least sending an email before major changes can be made to your account.

MiniNukinfuts

Brute force log attempts seems likely, MS is weird with their hotmail security, it blocks an IP from trying a password 3 times, and then it block all the password reset functions for 24 hours and your IP indefinitely. This is the case for chrome and firefox, but on internet explorer, the password can be guessed as much as you like. :P

Meesared

Na brute forcing passwords doesnt work, you block the account if you try it too often

MiniNukinfuts

Meesared wrote: »

Na brute forcing passwords doesnt work, you block the account if you try it too often

But it doesn't block when you use internet explorer, i did it last month to a friend (he gave me permission) :P

Meesared

It must have been a glitch, ive seen it happen on IE

MiniNukinfuts

Just saw this on ign. They show how the hacking was done.

Tea_Bag

sickened if someone steals my GT. I've 200MS points and no CC association. I assume it'd be completely useless to anyone?

MiniNukinfuts

Yup, it'd be useless to them, they only are interested in it if it has a CC associated with the account.

Tea_Bag

MiniNukinfuts wrote: »

Yup, it'd be useless to them, they only are interested in it if it has a CC associated with the account.

why do people use their CC though? its far cheaper to buy codes from all those websites listed in the stickied thread.

MiniNukinfuts

It's more convenient for people, just link the credit card, and then buy everything from MS directly and instantly. And lots of people wouldn't trust online shopping with their card. There are loads of reasons people would do it.

NORTH1

If this was a bank letting criminals to unlimited password attempts until access was gain to the accounts of their customers then letting the criminal take money from the account to spend, when this theft is discovered they then blame the customer for not having a good enough password there would be uproar in the media.....

No is a games console company, with its own currency letting its own stupid customers(That's what they are implying) getting robbed....

If this is true then the Fifa12 was just a conduit for fencing of the Ms points, again if this is true its another case of Ms letting another company take the initial blame for one of their problems!!

Strike another one up for Ms....

gizmo

Had a look at some of the other stories from people who have been affected and noticed this post from Venom in another thread on the issue. Given the makeup of his password, the chances of a brute force attack being successful is extremely slim in any kind of reasonable time frame on a site like xbox.com so I really would wonder if that's the issue, or indeed only issue, at play here.

Sidenote: Back in October MS officially said it's not specifically a FIFA issue. That would only leave the possibility of a hack on EA's side but since they didn't announce anything there either it's pretty safe to rule that out. Plus, I'm pretty sure if EA felt they were being blamed for it they would have issued a meatier statement by now.

NORTH1

Once again the major players are very quite, which leaves the rumour mills to work over time.

As long as they keep getting away with it, why should they inform their customers of anything?

I'm just glad its not me this time, but at this stage I am beginning to doubt their line we take security very seriously.

The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats

Keep saying it and it might come true.......

gizmo

NORTH1 wrote: »

Once again the major players are very quite, which leaves the rumour mills to work over time.

They haven't been quiet though? MS have already made a statement on the matter, they said XBox Live (and by extension its security) hasn't been breached. Technically speaking, they are correct even if it turns out the above system is the one which is being used. That doesn't mean they shouldn't change the current system. Personally I think they should lock the account down after 3 password attempts but that opens up a veritable can of worms with regard to dealing with the consequences.

As for EA, they have also said they haven't been hacked and have simply provided users with the usual directions on how to spot phishing attempts et al. As I said above, if they really felt they were being left out to dry by MS then they'd say something. The FIFA brand is far too valuable to be exposed to such criticism, especially when the Ultimate Team feature is involved which is also a significant money maker for them.

NORTH1 wrote: »

As long as they keep getting away with it, why should they inform their customers of anything?

Because, depending on the regions involved, MS would be legally obligated to inform its users of a hack.

pH

gizmo wrote: »

They haven't been quiet though? MS have already made a statement on the matter, they said XBox Live (and by extension its security) hasn't been breached. Technically speaking, they are correct even if it turns out the above system is the one which is being used. That doesn't mean they shouldn't change the current system. Personally I think they should lock the account down after 3 password attempts but that opens up a veritable can of worms with regard to dealing with the consequences.

Which means if you know just someone's liveid (and not the password) you can lock them out of live just by typing 3 random passwords - you'd open the door for barrel-loads of griefing.

NORTH1

gizmo wrote: »

They haven't been quiet though? MS have already made a statement on the matter, they said XBox Live (and by extension its security) hasn't been breached.

The evidence would seem to say they have a security issue. The fact the credit has been stolen from accounts, Ms is locking these accounts must lead people to believe that there has been unlawful access to these accounts. At the moment Ms is blaming the consumer, but they do that a lot, until the weight of evidence is too much to deny.

Ms denying they have a problem is nothing new for them....

gizmo

pH wrote: »

Which means if you know just someone's liveid (and not the password) you can lock them out of live just by typing 3 random passwords - you'd open the door for barrel-loads of griefing.

Exactly. Realistically they can't lock down the account due to entering incorrect passwords at all, only supplement the password request with additional security information such as CAPTCHA or a secret question.

NORTH1 wrote: »

The evidence would seem to say they have a security issue. The fact the credit has been stolen from accounts, Ms is locking these accounts must lead people to believe that there has been unlawful access to these accounts. At the moment Ms is blaming the consumer, but they do that a lot, until the weight of evidence is too much to deny.

Ms denying they have a problem is nothing new for them....

Having a security issue and having your security breached are two different things.

At no point have MS blamed the consumer, they've suggested they've been the victim of a phishing scam. Again, two completely different things.

Meesared

gizmo wrote: »

They haven't been quiet though? MS have already made a statement on the matter, they said XBox Live (and by extension its security) hasn't been breached. Technically speaking, they are correct even if it turns out the above system is the one which is being used. That doesn't mean they shouldn't change the current system. Personally I think they should lock the account down after 3 password attempts but that opens up a veritable can of worms with regard to dealing with the consequences.

As for EA, they have also said they haven't been hacked and have simply provided users with the usual directions on how to spot phishing attempts et al. As I said above, if they really felt they were being left out to dry by MS then they'd say something. The FIFA brand is far too valuable to be exposed to such criticism, especially when the Ultimate Team feature is involved which is also a significant money maker for them.


Because, depending on the regions involved, MS would be legally obligated to inform its users of a hack.

MS make next to no money from Ultimate Team

gizmo

Meesared wrote: »

MS make next to no money from Ultimate Team

Which is why I was referring to EA throughout that paragraph.

Meesared

gizmo wrote: »

Which is why I was referring to EA throughout that paragraph.

Hmm the way you have it written seems like your referring to how much money it makes MS

DemoniK

Just adding my 2c worth..

I have separate passwords for both XBOX Live and EA.
email is the same - but unless I want a billion email addresses I can't see any way around this.

My passwords are typically the first or second letter of each word of a phrase from a number of books that I've read over the years that I enjoy a lot, mixed with random capitalisation, numbers and punctuation (e.g. hhHHiotwig15; (btw that's not one I use )). I don't store these anywhere except my head!

I'm also very savy about phishing attempts and will always on seeing requests for paypal, xbox, EA or others never click on the link in the email, instead I will open a new browser instance and type in what I know is the correct URL and start from there..

Despite all this my account was hacked. My only mistake was the linking of my xbox account to my paypal account so they got my 2000 MS Points and got another e96 worth and drained just as I spotted the paypal notifications. In fact - it was the paypal notifications that alerted me to the issue, I went online removed my paypal info and changed my password and then contacted support who locked out the account.

I've now got back my money, and waiting to get my account unlocked.
EDIT: just checked and my account is restored and my previous MS points re-instated..

Anyways - Something is clearly wrong somewhere. It's easy to find info to associate a gamertag with my email address, but it would have been difficult to brute force attack my password - something else had to have been done.