Xbox Live serious security flaw - Unauthorized charges and FIFA 12 achievements

So, I got an e-mail today that someone tried to buy the $70 Xbox Live point pack. I don't leave an active card on my Xbox Live account, so I got an e-mail from Xbox Live saying they couldn't charge me. All of my current Xbox Live points were gone, though.

I did some research and noticed that a LOT of users are experiencing this same issue, and all of them have FIFA 12 achievements showing up. I do not own, nor have I played, FIFA 12, but this seems to be a common link. It appears that something is going on with Xbox Live that is a serious flaw allowing others to access accounts. I will be opening a case to get my points refunded, but Microsoft needs to look into this.

For the record, my password is both unique and strong, and I do not share it.

Last updated July 5, 2018

Are you sure you were not phished?

Also change your password, and make sure that on billing.microsoft.com the only computer that has authorization to make changes is one of your computers.

Never click on a link inside an e-mail; always go to xbox.com directly before entering your WLID information.
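The advice above is to navigate to xbox.com yourself rather than follow an e-mailed link, because a link can carry a host that merely looks like the real one. As an added example (not part of the original thread, and not a Microsoft or Xbox tool), here is a small Python check that decides whether a URL's host really is one of an allowlisted set of login domains, and runs it over a constructed sample message. The domain list and the sample e-mail body are assumptions made for the example. It handles the lookalike forms a link checker has to get right: a trusted name used as the prefix of a different domain, a trusted name placed before an `@` in the userinfo part, plain http, trailing dots, and punycode hosts.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist of domains where entering Microsoft/Xbox credentials is
# legitimate. Constructed for this example; not an official list.
TRUSTED_LOGIN_DOMAINS = ("xbox.com", "live.com", "microsoft.com")

# Crude URL extractor for message bodies; stops at whitespace and quotes.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def login_host(url: str) -> Optional[str]:
    """Return the lowercased hostname of an https URL, or None if unusable.

    urlsplit().hostname already discards any 'user:pass@' prefix and the port,
    so 'https://xbox.com@evil.example/' yields 'evil.example', not 'xbox.com'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # A trailing dot is the same DNS name; normalise it away before comparing.
    return parts.hostname.rstrip(".").lower()


def is_trusted_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a real subdomain of one."""
    host = login_host(url)
    if host is None:
        return False
    # Punycode labels (xn--) may render as lookalike characters in a browser;
    # a conservative checker refuses them instead of trying to decode them.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    # Suffix match on a label boundary. A plain substring test would wrongly
    # accept 'xbox.com.evil.example' or 'myxbox.com'.
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_message_links(text: str) -> Dict[str, bool]:
    """Map every URL found in a message body to whether it passes the check."""
    report = {}
    for raw in _URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        report[url] = is_trusted_login_url(url)
    return report


# Constructed sample e-mail body for the example (not a real message).
SAMPLE_EMAIL = """\
Your Xbox LIVE points purchase could not be completed.
Sign in at https://xbox.com.account-verify.example/signin to update billing.
Or use https://xbox.com@login-check.example/ if the first link fails.
The genuine site remains https://www.xbox.com/ and https://login.live.com/.
"""

if __name__ == "__main__":
    for link, ok in audit_message_links(SAMPLE_EMAIL).items():
        print(("TRUSTED  " if ok else "SUSPECT  ") + link)
```

The two suspect links in the sample each contain the literal string `xbox.com`, which is exactly why the check compares on label boundaries after parsing rather than searching the raw text; the host a browser will actually connect to is the only thing that matters.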


I have seen this issue rising and I'm now going to do some research on this so-called flaw and see. I don't think there is one; this could be you not admitting to being phished, but I'm not sure myself. This issue must be sorted out.


I found nothing. I'm sure if there's a flaw it will be noticed very soon.


I have also been hacked of points. I contacted Billing on the phone, to be told that in order to get an investigation started I cannot use my Xbox Live account for 25 days. And it has also been done by someone playing FIFA 12.


I was not phished. My password is also a 114-bit KeePass-generated password. I don't mean to come off as arrogant, but my field is cyber security, so I am pretty anal about online security. This is a server-side flaw, although the more research I do, the more it appears to be an issue with EA than with Xbox. I am still looking into it.


I've found it happens with a few EA games (note: if one global company can be compromised, then so can others), but as it's a corporate problem and huge sums of money are being made, it's unlikely to instigate anti-theft measures in accounts or to make console companies refuse to play or support any EA titles until the security is tightened. An embargo of EA games would quickly result in their security being enhanced.

What you must understand is that regardless of how painful it is for us victims, corporations are virtually unaffected; if they were, there would be safeguards in accounts (which I keep pushing for). It's just business to them, not personal as it is for us.

Our only safeguard is to remove payment card details; then the accounts are safe from money theft. If you have to make a 10-minute call to turn off auto-renewal and remove your card, DO IT, and ensure everyone you know does it. It's a shame, but the thieves will win because their target (not us victims but MS) will either get bogged down in a tsunami of phone calls or will get to the point where they have to ask you to log in and enter your details... Knowing most people will assess the merits of a money decision, they risk losing customers, and that will prompt safeguards.

I don't want criminals, even cyber criminals, to win, and MS can stop them right now, but it would mean being proactive, and it's probably not of a significant enough level to acknowledge yet.


I have posted "protect your accounts" in the Connection to Xbox Live section; feel free to browse through and post any questions there.


Strigoi, I'm familiar with jumping hacks through companies. As I said, I make my living in the IT industry, and my focus is cyber security. I just think that Microsoft needs to step up to the plate and start releasing details of this, because it is a larger problem than people are currently aware of, and it appears to be a completely server-side issue.


I put it to you, Strigoi, that if you and others hadn't used the same password for your EA account as you did for your XBL account, your XBL account wouldn't have been commandeered. As such, you being the subject of this fraud is solely down to your own stupidity. Hence, why should you be entitled to any form of compensation, and why do you insist on blaming MS for flaws in EA's security and your password selection?

EDIT: And the cyber security person who posted above me should know about not using the same password everywhere more than anyone.


Ya know, I don't remember making a new password for my EA account; I thought it was just linked.

I do have an EA account. It has a different password than XBL, but I don't really use it.

Thundercat, I checked out KeePass; it is a cool program for storing passwords, but that does not change how the browser sends the data, or what is typed into the box from the program. So it's only as good as what it controls, which is just storing passwords.

I will say it's strange that all these hackers want to do is play FIFA 12...
