what kind of computer can brute force crack a 11-16 digit password though? I just don't think the above articles are really getting to the bottom of this...

There has to be more to the FIFA aspect than "it's just a really popular game." To my knowledge, everyone who has had this happen so far has reported the FIFA angle. It has happened to 2 people on my friends list now (that I'm aware of, could be more).

This is what happened with me. They bought family packs and I assume tried to drain the original account to the new family account they made, then disassociate the new account from the family pack and sell it. Again what I find humorous is that after using the points to buy the family pack, all that was left was enough points for two FIFA packs. Dumbass.

I don't have any idea how they got the password. It was relatively simple so they probably just did bruteforce it. I have a much longer complex password now.

Again my advice to all is make sure there is not credit card or paypal account tied to your xboxlive account and buy everything with prepaid cards. That would have been a HUGE headache. In fact I wouldn't enter the prepaid points cards until you are ready to use them so there isn't 8000 points sitting on your account.

Wow. I guess I'm going to go with point cards too. I only spend points on Zune Movie rentals but still....

There are people that have never played FIFA and still were hacked.

So yeah, the problem is with Xbox.

I have the family gold plan...and it would not let me take off my paypal account because of it...I turned off auto-renew but it still would not let me take away my paypal account...

So I went into paypal and turned off microsoft as an authorized merchant...it was the only thing I could think to do...

I did get this email though after turning off auto-renew...I hope I don't have interruption to my subscription!!!



Dear FOXDVD,

Your subscription to Gold Family – 12 Month will expire on Friday, November 15, 2013. To avoid a possible interruption of your subscription service, please renew your subscription by Friday, November 15, 2013.

To extend your Xbox LIVE Gold Family Pack membership, just use a credit card online at this site: http://www.xbox.com/extendmembership

To check pricing details or confirm your account information and payment options, go to: https://billing.microsoft.com

If you have already renewed your subscription, please accept our thanks.

Thank you for using Microsoft Online Services.

Xbox LIVE Team

To be fair, the article I linked to revealed a possible attack vector. I don't think it's been confirmed by anyone that the method shown had been actually used, although it's a strong possibility.

However, this xkcd comic shows that hacking an 11 character password could take as little as 3 days:
http://xkcd.com/936/

Also keep in mind that its only one of many possible ways someone's account could've been hacked.

In regards to FIFA, it could be that Xbox is being targeted by a specific hacking group, one that has found a specific exploit and is using it to capitalize on a specific product: FIFA. It may be something about the FIFA DLC that lends it particularly appealing to auction off on hacked accounts. The ability to purchase multiple packs on one account is appealing, and it looks like the items in the pack can be traded in-game with other players:
http://en.wikipedia.org/wiki/FIFA_11#Ultimate_Team
http://arstechnica.com/civis/viewtop...bdaa#p22202437
http://www.neoseeker.com/news/17597-...dlc-purchases/

that is really good....and true..

I always thought that having us put in numbers/upper lower case and so forth does shit...that if you really want to hurt them just make a really long password...

http://howsecureismypassword.net/

not sure how accurate the above link is...or even if the above link is safe...lol...but it seems to disagree with the comics time frame...

Damn it! Hacked.

Did you own a family plan? Play FIFA?

Yeah, more details. Joystiq had something the other day that said one of the only links between all the people reporting being hacked was that they used gmail or hotmail as their Live ID address.

Does that fit your profile glassdragon?

That site claims the password check is all done in javascript, so none of the passwords are sent back to the server.

However, that site and the xkcd are using different methodologies. The site is just assuming a brute-force attack (it calculated the same length of time for a 9 letter word as it did for a password of 9 random letters). xkcd is assuming the hacker would start with a dictionary attack, then try Caps, common letter->number substitutions, the use of a number and/or punctuation mark at the end, etc...


As for FIFA, I think the answer has a lot to do with those gaming packs, where users basically get players in the game like trading cards. EA even advertises the trading/auction feature:
http://www.ea.com/au/football/fifa-ultimate-team
I'm betting the hackers are using the hacked accounts to buy these gaming packs, then taking the choice cards from the packs and "trading" them to a master account, where they then trade them to other FIFA players for real money.

BTW, looking up the auction site mentioned in the feature story at hackedonxbox shows that there are people auctioning off Xbox Live accounts with MSP, and only warrantying them for as little as 2 hours.

I got hacked in mid November with no Family Plan, FIFA, or gmail/hotmail so it still seems somewhat random. It took M$ a month to do their research and refund my CC and then they tacked on an extra 1900 points for my troubles. It was well handled from start to finish so I'm pleased with their customer service but no way in heck am I ever putting a CC on my account again.

Basically, the way The way Microsoft shows the error message, when you enter a wrong password, is not the right way. Not according to current security standards. You should never say username incorrect or password is wrong. Your error message should just say that there's something wrong, try again. And of course links if your forgot your username and/or password.

About FIFA, it may be hacked some other way, but not related to this Xbox hack. I play FIFA, and FUT (FIFA Ultimate Team), so I'm pretty familiar with the setup. I think Madden has something similar to FUT.

FUT has also a web interface, a web page where you can do the same of auctioning and trading of your cards like you do in the console, but you use your EA account to acces the site, since it's in EA servers. So yeah, I think it's just that the game is popular, and specially FUT, and that's why always shows in these hacks.

After reading some more tonight, and being a little paranoid, I created an entire new email with my ISP. I'm sure my regular email(tied to Live/WindowsID) can be tracked down with my GT to someone who is determined. I also changed my password to something entirely new (not the usual/variations). Also dropped automatic renewal while I was at it.

Now MS is the ONLY site/entity that knows or is associated with this new email. I'm still wondering if I should go ahead and spend what points I do have in my account and only add them as needed.

If anything in the above article is correct, that should be enough to sleep easy.

Read the name again, glasschicken was hacked, not me :P

I am willing to bet that most of these are phishing attempts and not brute force. Now mind you, some people in this thread from what I can tell know enough to not get phished, but there are some people that would fall for it. If they know your email it is simple to phish someone. Just send them an authentic email that looks like it's from MS about something with the password and they have to go to a link to verify it. The link looks authentic enough but it all goes to another server. I don't see them brute forcing that many, probably a small percentage of them that aren't phished or the person didn't fall for it.

I thought I was odd that we'd been debating back and forth all day and then, boom, hacked.

who would win in a fight...a glassdragon or THE glasschicken? I just know we would all be winners if that happened!

I was hacked a few months ago by the FIFA people. No hotmail/gmail accounts and I have not played a FIFA game in 3-4 years. I DID play Madden though, and my guess is that my info was stolen from EA servers. There was definitely no phishing email sent to me.

did you happen to use the same email and password on your ea account as you did xbox?

In fact, anyone who was hacked...have you ever played ANY EA game...and if so did you ever take the time to create an EA account...if you are not sure try logging into EA and see if you username/email and password is the same as your xbox...or old xbox password..

I think when they finally get to the bottom of it...they are going to find some service/website that has been compromised...a LOT of people use the same password for multiple websites...if it happens to be cheapassgamer or neogaf that was compromised...it could be as simple as them checking if the same password works on an xbox account.

Makes you wonder. A lot of people on CAG seem to be getting hit.

Thanks for the heads up on EA. I hadn't considered that I would have an account there. Looks like it was tied to EA Sports Active 2. And yeah, I had a uniform password there that I've used many places. Not anymore!

I use the same login on CAG as my XBL profile, but they're different passwords.