DVD Talk Forum


foxdvd 01-13-12 12:14 PM

re: The official Xbox 360 thread - the console of choice on nuclear submarines
 
so my question is how did they get your password? What are they using? Did you happen to have a shorter password?

Michael Corvin 01-13-12 12:37 PM


Originally Posted by glassdragon (Post 11074106)
I just removed mine from live. It's funny though that this thing isn't all that publicized but the psn one had everyone in a tizzy. I don't recall any real numbers or account stolen on psn, but it's happening all the damn time here on live.

That's because PSN being out for weeks, and the potential for CC theft affected millions upon millions of users. Hackers stealing CC info on Live is a much smaller pool of people affected. Hundreds? Thousands?

foxdvd 01-13-12 01:30 PM

I am reading a bunch of articles about how they are exploiting xbox.com...and using brute force to get passwords...makes sense but then I read of people who have 16 digit long passwords...and I just don't see how anyone can brute force a password of that length...

Unless the people are lying about how long their password is just to mess with everyone...there is a major flaw we don't know about yet...

edstein 01-13-12 01:36 PM

My password is 11 characters. Combination of letters and numbers. I'm not worried. The worst that happens is a false charge shows up on my credit card. I call Capital One and they take it off. No worries.

Jay G. 01-13-12 01:41 PM

This article shows a possible avenue of attack the hackers may be using:
http://www.analoghype.com/video-game...red-the-truth/

Basically, it involves the website login process for an xbox ID. It has two flaws:
1) The login page actually states whether an email address has an account or not if you attempt to login with it.
2) The CAPTCHA that pops up after 8 login attempts (intended to stop automated hacking attempts) has an easy workaround.

Part of this hinges on knowing your email address, which people could potentially look up via your gamertag, either because your gamertag is the same as your email address username on a popular service, or some webpage out there links your gamertag and email address. Once they know your email address, they can check to see if you have a Windows Live ID tied to it, and start brute forcing the password.


Also, not mentioned in the article, but it seems like a lot of the reported hacks involve the hackers exploiting the Xbox Live Family Pack, where they can associate another gamertag and drain your account. I'm guessing that hacking Xbox accounts has picked up steam since the Family Pack was launched last year.

glassdragon 01-13-12 01:47 PM


Originally Posted by Michael Corvin (Post 11074801)
That's because PSN being out for weeks, and the potential for CC theft affected millions upon millions of users. Hackers stealing CC info on Live is a much smaller pool of people affected. Hundreds? Thousands?

I haven't heard of anyone from that attack actually having their CC stolen. This one here is happening every day and actually costing people money. It shouldn't be about the amount of people it happens to. If even 1 person is having it happen then it could be an issue somewhere, in this case xbox.com and it should be fixed. I've been hearing about this going on for months and it has yet to be fixed. That should be news.

Jay G. 01-13-12 01:53 PM

BTW, I should mention that I've had the reverse happen to me recently: Microsoft locked out purchases on my account after I tried to purchase points with my credit card.

I just got my Xbox 360 shortly before Christmas. I bought 1600 points 12/28 by attaching my MC to the account, then on 1/3 I wanted to buy about 2400 more. So I bought another 1600 points, and tried to buy 800 points right after, and Xbox said there was a problem with my card. I tried to add another card, a Visa, and it said my number was incorrect, although it was correct and I tried multiple times (my Visa card company actually called me to let me know that MS had put in charge attempts, even though the site was telling me the number was wrong). I attached Paypal successfully, but then it gave the same payment error.

I started online chat with MS, which wasn't helpful; they couldn't see anything wrong with my account and told me the problem was with my payment methods (all 3 of them?). Later I called and the CSR rep mentioned that trying to purchase too many point packages in a short timespan may have triggered their fraud alert, and that I should wait 24 hours before trying to purchase anymore points. Too bad nothing on the site indicated this to me.

So MS does attempt to stop fraud, but users can end up getting screwed by that as well. ;)

I've since removed all my payment methods.

Michael Corvin 01-13-12 02:08 PM


Originally Posted by glassdragon (Post 11074884)
I haven't heard of anyone from that attack actually having their CC stolen. This one here is happening every day and actually costing people money. It shouldn't be about the amount of people it happens to. If even 1 person is having it happen then it could be an issue somewhere, in this case xbox.com and it should be fixed. I've been hearing about this going on for months and it has yet to be fixed. That should be news.

Hindsight. At the time though, millions upon millions of people were at risk. Sure it's happening on Live, but it's a user here, a user there, oh another one here. It's not frequent enough to warrant major headlines, yet.

I was merely pointing out that comparing this to PSN isn't apples-to-apples. It's not like someone at MS fell asleep at the wheel, allowing hackers access to the entire user base like PSN which led to the entire service being down for a month. They are targeting specific accounts one at a time.

I do agree that something should be done before this does hit RROD proportions. Personally, I say fuck soccer and just render the Fifa disc inoperable when it's put into a console. Offer replacements with the security issue fixed or discounts on next year's iteration.

Jay G. 01-13-12 03:02 PM


Originally Posted by Michael Corvin (Post 11074922)
I do agree that something should be done before this does hit RROD proportions. Personally, I say fuck soccer and just render the Fifa disc inoperable when it's put into a console. Offer replacements with the security issue fixed or discounts on next year's iteration.

From what I've read, FIFA isn't the source of the hacks. It looks like the hackers are using the compromised accounts to buy FIFA content simply because FIFA is extremely popular worldwide.

http://kotaku.com/5858538/xbox-lives...says-microsoft

Raul3 01-13-12 04:25 PM

Good read in that link.

I'm still scared.

My windows live id is an email address that doesn't exist anymore.
My gamertag is not related or similar to that email address.
My credit card on file was canceled last year.
I try to have 1000 or less points and only add more points when needed.

Still scared.




Originally Posted by Jay G. (Post 11074878)
This article shows a possible avenue of attack the hackers may be using:
http://www.analoghype.com/video-game...red-the-truth/


foxdvd 01-13-12 04:28 PM

what kind of computer can brute force crack an 11-16 digit password though? I just don't think the above articles are really getting to the bottom of this...

MoviePage 01-13-12 04:49 PM

There has to be more to the FIFA aspect than "it's just a really popular game." To my knowledge, everyone who has had this happen so far has reported the FIFA angle. It has happened to 2 people on my friends list now (that I'm aware of, could be more).

SoonerDoc 01-13-12 04:51 PM


Originally Posted by Jay G. (Post 11074878)
Also, not mentioned in the article, but it seems like a lot of the reported hacks involve the hackers exploiting the Xbox Live Family Pack, where they can associate another gamertag and drain your account. I'm guessing that hacking Xbox accounts has picked up steam since the Family Pack was launched last year.

This is what happened with me. They bought family packs and I assume tried to drain the original account to the new family account they made, then disassociate the new account from the family pack and sell it. Again what I find humorous is that after using the points to buy the family pack, all that was left was enough points for two FIFA packs. Dumbass.

I don't have any idea how they got the password. It was relatively simple so they probably just did bruteforce it. I have a much longer complex password now.

Again my advice to all is make sure there is no credit card or paypal account tied to your xboxlive account and buy everything with prepaid cards. That would have been a HUGE headache. In fact I wouldn't enter the prepaid points cards until you are ready to use them so there isn't 8000 points sitting on your account.

Giantrobo 01-13-12 05:01 PM

Wow. I guess I'm going to go with point cards too. I only spend points on Zune Movie rentals but still....

pinata242 01-13-12 05:13 PM

http://imgs.xkcd.com/comics/password_strength.png

Raul3 01-13-12 05:22 PM

There are people that have never played FIFA and still were hacked.

So yeah, the problem is with Xbox.

foxdvd 01-13-12 05:23 PM

I have the family gold plan...and it would not let me take off my paypal account because of it...I turned off auto-renew but it still would not let me take away my paypal account...

So I went into paypal and turned off microsoft as an authorized merchant...it was the only thing I could think to do...

I did get this email though after turning off auto-renew...I hope I don't have interruption to my subscription!!!



Dear FOXDVD,

Your subscription to Gold Family – 12 Month will expire on Friday, November 15, 2013. To avoid a possible interruption of your subscription service, please renew your subscription by Friday, November 15, 2013.

To extend your Xbox LIVE Gold Family Pack membership, just use a credit card online at this site: http://www.xbox.com/extendmembership

To check pricing details or confirm your account information and payment options, go to: https://billing.microsoft.com

If you have already renewed your subscription, please accept our thanks.

Thank you for using Microsoft Online Services.

Xbox LIVE Team

Jay G. 01-13-12 05:27 PM


Originally Posted by foxdvd (Post 11075072)
what kind of computer can brute force crack an 11-16 digit password though? I just don't think the above articles are really getting to the bottom of this...

To be fair, the article I linked to revealed a possible attack vector. I don't think it's been confirmed by anyone that the method shown had been actually used, although it's a strong possibility.

However, this xkcd comic shows that hacking an 11 character password could take as little as 3 days:
http://xkcd.com/936/

Also keep in mind that it's only one of many possible ways someone's account could've been hacked.

In regards to FIFA, it could be that Xbox is being targeted by a specific hacking group, one that has found a specific exploit and is using it to capitalize on a specific product: FIFA. It may be something about the FIFA DLC that makes it particularly appealing to auction off on hacked accounts. The ability to purchase multiple packs on one account is appealing, and it looks like the items in the pack can be traded in-game with other players:
http://en.wikipedia.org/wiki/FIFA_11#Ultimate_Team
http://arstechnica.com/civis/viewtop...bdaa#p22202437
http://www.neoseeker.com/news/17597-...dlc-purchases/

foxdvd 01-13-12 05:28 PM


Originally Posted by pinata242 (Post 11075129)

that is really good....and true..

I always thought that having us put in numbers/upper lower case and so forth does shit...that if you really want to hurt them just make a really long password...

foxdvd 01-13-12 05:32 PM

http://howsecureismypassword.net/

not sure how accurate the above link is...or even if the above link is safe...lol...but it seems to disagree with the comic's time frame...

glasschicken 01-13-12 07:21 PM

Damn it! Hacked. :(

xmiyux 01-13-12 07:26 PM


Originally Posted by glasschicken (Post 11075246)
Damn it! Hacked. :(

Did you own a family plan? Play FIFA?

Michael Corvin 01-13-12 08:22 PM

Yeah, more details. Joystiq had something the other day that said one of the only links between all the people reporting being hacked was that they used gmail or hotmail as their Live ID address.

Does that fit your profile glassdragon?

Jay G. 01-13-12 08:30 PM


Originally Posted by foxdvd (Post 11075152)
http://howsecureismypassword.net/

not sure how accurate the above link is...or even if the above link is safe...lol...but it seems to disagree with the comic's time frame...

That site claims the password check is all done in javascript, so none of the passwords are sent back to the server.

However, that site and the xkcd are using different methodologies. The site is just assuming a brute-force attack (it calculated the same length of time for a 9 letter word as it did for a password of 9 random letters). xkcd is assuming the hacker would start with a dictionary attack, then try Caps, common letter->number substitutions, the use of a number and/or punctuation mark at the end, etc...


As for FIFA, I think the answer has a lot to do with those gaming packs, where users basically get players in the game like trading cards. EA even advertises the trading/auction feature:
http://www.ea.com/au/football/fifa-ultimate-team

Bid on 100,000's of live auctions from around the globe.
I'm betting the hackers are using the hacked accounts to buy these gaming packs, then taking the choice cards from the packs and "trading" them to a master account, where they then trade them to other FIFA players for real money.

BTW, looking up the auction site mentioned in the feature story at hackedonxbox shows that there are people auctioning off Xbox Live accounts with MSP, and only warrantying them for as little as 2 hours.
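
The two estimation methods compared in the post above, worked through as an added example (not written by any poster, the linked site, or xkcd). The word list, the 16-bit dictionary size, the per-feature bit costs and the 1,000 guesses per second rate are assumptions of this simplified model.

```python
import math
import string

# Constructed stand-in for a real cracking dictionary (assumption).
WORDS = {"troubador", "password", "dragon", "chicken", "football"}
DICT_BITS = 16                       # assumed: word drawn from ~65,536 candidates
LEET = str.maketrans("0134@$5", "oleaass")   # undo common letter->symbol swaps
SUBSTITUTABLE = set("oleas")         # letters that have a common swap
SUFFIX_CHARS = string.digits + string.punctuation


def brute_force_bits(pw):
    """Exhaustive-search model: every character is independent and random."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)      # 32 symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_bits(pw):
    """Dictionary-plus-mangling model; None if no base word is recognised."""
    for k in range(min(3, len(pw)) + 1):     # allow 0..3 trailing digits/symbols
        core, suffix = pw[:len(pw) - k], pw[len(pw) - k:]
        if any(c not in SUFFIX_CHARS for c in suffix):
            continue
        base = core.lower().translate(LEET)
        if base not in WORDS:
            continue
        bits = DICT_BITS + 1                 # which word, capitalised or not
        bits += sum(c in SUBSTITUTABLE for c in base)   # each swap: yes/no
        for c in suffix:
            bits += math.log2(10 if c in string.digits else len(string.punctuation))
        return bits
    return None


def estimate_bits(pw):
    """A guesser uses the cheaper strategy, so take the smaller estimate."""
    d = dictionary_bits(pw)
    b = brute_force_bits(pw)
    return b if d is None else min(b, d)


def days_to_exhaust(bits, guesses_per_second=1000):
    return 2 ** bits / guesses_per_second / 86400


if __name__ == "__main__":
    for pw in ("troubador", "xqzvkwpjh", "Tr0ub4dor&3"):
        print(f"{pw:12} brute={brute_force_bits(pw):5.1f} bits  "
              f"modelled={estimate_bits(pw):5.1f} bits  "
              f"{days_to_exhaust(estimate_bits(pw)):.3g} days at 1000/s")
```

Under the brute-force model a 9-letter dictionary word and 9 random letters score identically, while the dictionary model puts the 11-character mangled word at roughly 28 bits, a few days at the assumed rate.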

mugwump 01-13-12 08:41 PM

I got hacked in mid November with no Family Plan, FIFA, or gmail/hotmail so it still seems somewhat random. It took M$ a month to do their research and refund my CC and then they tacked on an extra 1900 points for my troubles. It was well handled from start to finish so I'm pleased with their customer service but no way in heck am I ever putting a CC on my account again.

Raul3 01-13-12 09:54 PM

Basically, the way Microsoft shows the error message when you enter a wrong password is not the right way. Not according to current security standards. You should never say username incorrect or password is wrong. Your error message should just say that there's something wrong, try again. And of course links if you forgot your username and/or password.

About FIFA, it may be hacked some other way, but not related to this Xbox hack. I play FIFA, and FUT (FIFA Ultimate Team), so I'm pretty familiar with the setup. I think Madden has something similar to FUT.

FUT also has a web interface, a web page where you can do the same auctioning and trading of your cards like you do in the console, but you use your EA account to access the site, since it's on EA servers. So yeah, I think it's just that the game is popular, and especially FUT, and that's why it always shows up in these hacks.
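
An added example, not part of any post in this thread and not Microsoft's code: a sketch of the two fixes discussed above, a sign-in that answers identically whether or not the email has an account, and a server-side throttle after 8 failures that does not depend on a CAPTCHA. The `AuthService` class, the message text and the delay values are hypothetical.

```python
import hashlib
import hmac
import os

GENERIC = "Sign-in failed. Check your email address and password and try again."
MAX_FREE_ATTEMPTS = 8     # the thread mentions a CAPTCHA after 8 attempts
BASE_DELAY = 2.0          # seconds; hypothetical policy value
MAX_DELAY = 3600.0        # cap so a victim is not locked out indefinitely


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}       # email -> (salt, password hash)
        self.failures = {}    # email -> (failure count, locked-until time)
        # Dummy record so unknown emails cost the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("unused", self._dummy_salt)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email.lower()] = (salt, _hash(password, salt))

    def login_leaky(self, email, password):
        """Behaviour described in the thread: the reply reveals account existence."""
        rec = self.users.get(email.lower())
        if rec is None:
            return "That account doesn't exist."
        salt, stored = rec
        if not hmac.compare_digest(_hash(password, salt), stored):
            return "Incorrect password."
        return "OK"

    def login_hardened(self, email, password, now):
        """Same reply for every failure; throttle keyed on the submitted email."""
        key = email.lower()
        count, locked_until = self.failures.get(key, (0, 0.0))
        if now < locked_until:
            return GENERIC                    # throttled: password not evaluated
        salt, stored = self.users.get(key, (self._dummy_salt, self._dummy_hash))
        # Hash first, then check existence, so both paths do equal work.
        ok = hmac.compare_digest(_hash(password, salt), stored) and key in self.users
        if ok:
            self.failures.pop(key, None)
            return "OK"
        count += 1
        delay = 0.0
        if count >= MAX_FREE_ATTEMPTS:        # exponential backoff from the 8th miss
            delay = min(BASE_DELAY * 2 ** (count - MAX_FREE_ATTEMPTS), MAX_DELAY)
        # A real service would bound and expire this table.
        self.failures[key] = (count, now + delay)
        return GENERIC


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "correct horse battery staple")
    print(svc.login_leaky("nobody@example.com", "x"))
    print(svc.login_leaky("alice@example.com", "x"))
    print(svc.login_hardened("nobody@example.com", "x", now=0.0))
    print(svc.login_hardened("alice@example.com", "x", now=0.0))
```

Because the throttle state lives on the server and is keyed on the submitted address, it applies equally to existing and non-existing accounts and cannot be skipped by the client.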

Michael Corvin 01-13-12 09:57 PM


Originally Posted by Jay G. (Post 11074878)
This article shows a possible avenue of attack the hackers may be using:
http://www.analoghype.com/video-game...red-the-truth/

Part of this hinges on knowing your email address, which people could potentially look up via your gamertag, either because your gamertag is the same as your email address username on a popular service, or some webpage out there links your gamertag and email address. Once they know your email address, they can check to see if you have a Windows Live ID tied to it, and start brute forcing the password.

After reading some more tonight, and being a little paranoid, I created an entire new email with my ISP. I'm sure my regular email (tied to Live/WindowsID) can be tracked down with my GT to someone who is determined. I also changed my password to something entirely new (not the usual/variations). Also dropped automatic renewal while I was at it.

Now MS is the ONLY site/entity that knows or is associated with this new email. I'm still wondering if I should go ahead and spend what points I do have in my account and only add them as needed.

If anything in the above article is correct, that should be enough to sleep easy.

glassdragon 01-14-12 01:27 AM


Originally Posted by Michael Corvin (Post 11075302)
Yeah, more details. Joystiq had something the other day that said one of the only links between all the people reporting being hacked was that they used gmail or hotmail as their Live ID address.

Does that fit your profile glassdragon?

Read the name again, glasschicken was hacked, not me :P

I am willing to bet that most of these are phishing attempts and not brute force. Now mind you, some people in this thread from what I can tell know enough to not get phished, but there are some people that would fall for it. If they know your email it is simple to phish someone. Just send them an authentic email that looks like it's from MS about something with the password and they have to go to a link to verify it. The link looks authentic enough but it all goes to another server. I don't see them brute forcing that many, probably a small percentage of them that aren't phished or the person didn't fall for it.

Michael Corvin 01-14-12 06:25 AM


Originally Posted by glassdragon (Post 11075454)
Read the name again, glasschicken was hacked, not me :P

:lol: I thought it was odd that we'd been debating back and forth all day and then, boom, hacked.

foxdvd 01-14-12 12:20 PM

who would win in a fight...a glassdragon or THE glasschicken? I just know we would all be winners if that happened!

discostu1337 01-14-12 01:53 PM


Originally Posted by glassdragon (Post 11075454)
I am willing to bet that most of these are phishing attempts and not brute force. Now mind you, some people in this thread from what I can tell know enough to not get phished, but there are some people that would fall for it. If they know your email it is simple to phish someone. Just send them an authentic email that looks like it's from MS about something with the password and they have to go to a link to verify it. The link looks authentic enough but it all goes to another server. I don't see them brute forcing that many, probably a small percentage of them that aren't phished or the person didn't fall for it.

I was hacked a few months ago by the FIFA people. No hotmail/gmail accounts and I have not played a FIFA game in 3-4 years. I DID play Madden though, and my guess is that my info was stolen from EA servers. There was definitely no phishing email sent to me.

foxdvd 01-14-12 02:30 PM


Originally Posted by discostu1337 (Post 11075726)
I was hacked a few months ago by the FIFA people. No hotmail/gmail accounts and I have not played a FIFA game in 3-4 years. I DID play Madden though, and my guess is that my info was stolen from EA servers. There was definitely no phishing email sent to me.

did you happen to use the same email and password on your ea account as you did xbox?

In fact, anyone who was hacked...have you ever played ANY EA game...and if so did you ever take the time to create an EA account...if you are not sure try logging into EA and see if your username/email and password is the same as your xbox...or old xbox password..

foxdvd 01-14-12 02:33 PM

I think when they finally get to the bottom of it...they are going to find some service/website that has been compromised...a LOT of people use the same password for multiple websites...if it happens to be cheapassgamer or neogaf that was compromised...it could be as simple as them checking if the same password works on an xbox account.

Michael Corvin 01-14-12 02:53 PM

Makes you wonder. A lot of people on CAG seem to be getting hit.

Thanks for the heads up on EA. I hadn't considered that I would have an account there. Looks like it was tied to EA Sports Active 2. And yeah, I had a uniform password there that I've used many places. Not anymore! :lol:

pinata242 01-14-12 02:56 PM

I use the same login on CAG as my XBL profile, but they're different passwords.

glassdragon 01-14-12 04:23 PM

Yeah, I know it's probably not ALL phishing. I agree though that it is probably some kind of compromised server somewhere and the company hosting this server that has been compromised either doesn't know about it or they just aren't telling anyone. I would not put it past EA on this one either.

However, I don't think FIFA being an ea game really has anything to do with it. Someone posted earlier that accounts with those packs on them are selling for real money so it's just another way for them to make money, just appears that FIFA is the easiest one to do that in. They are getting the info from somewhere and I'm quite sure it's for the most part NOT from brute forcing.

glasschicken 01-14-12 05:33 PM


Originally Posted by xmiyux (Post 11075249)
Did you own a family plan? Play FIFA?

Don't own a family plan or fifa, but it looks like the last thing "I've" played is Fifa 12. That and about 3300 points gone. Wooo!

EDIT: Had a gmail login.

And a dragon beats a chicken any day. No contest. I'd sure as hell be pecking at his throat on the way down though.

glassdragon 01-14-12 05:40 PM

Hah

Raul3 01-14-12 10:21 PM

Basically, we are at the same stage we were with Windows. It was the most popular OS, so it was the most attacked by hackers.
In the last six months or so I've read about all kinds of attacks on Xbox Live, some mentioned here already. It seems the Xbox servers are secure though. I wonder what else they can do to avoid these problems.

SoonerDoc 01-15-12 11:42 AM


Originally Posted by Michael Corvin (Post 11075302)
Yeah, more details. Joystiq had something the other day that said one of the only links between all the people reporting being hacked was that they used gmail or hotmail as their Live ID address.

Does that fit your profile glassdragon?

I can tell you that I do not use gmail or hotmail email address. I have never played FIFA (although FIFA DLC was what was purchased on my account AFTER it was hacked).

I have a CAG account with same email, slightly different password.


All times are GMT -5.