On September 6th, just after 9 AM, I received an email informing me that my purchase of 1600 Microsoft points had been unsuccessful. This was something of a surprise, as I had not attempted to buy any Microsoft points that day, so I logged into my Xbox Live account to find out what was going on.
Sure enough, all of the Microsoft points that were stored in my XBL account had been spent on in game items for FIFA 11 (I don’t own that game… hell, I don’t even like soccer video games) and whoever spent my MS points had then tried to purchase more. Presumably, when that purchase failed, they abandoned my account and went on to steal from some other unsuspecting gamer.
Upon making this discovery, I promptly called Xbox customer support. An apathetic young man who’s name escapes me at the moment answered, and after asking me a long series of questions designed to verify my identity, he told me that my account would be locked for “up to 25 days” while the issue was investigated. He ended the call by reminding me to check out Xbox.com for more information on all the cool services I wouldn’t be using for the next month, adding insult to injury.
After about two weeks had passed, I decided to call in just to see if there was any news on the investigation. After navigating through the series of prompts 1-800-4-MY-XBOX had to offer, a woman with a thick Indian accent informed me that it would actually take 21 business days, not 25 calendar days, and she said I’d probably hear back sometime in October.
Finally on Monday October 3rd my Xbox Live account was reinstated, and Microsoft provided a code for a free month of XBL without my having to ask for it. Unfortunately, after following the instructions provided by Microsoft’s customer service department via email, I was unable to redeem that code. It turns out that by recovering my gamertag to my console I actually flagged the account to be locked again. Fortunately, this issue was corrected by a five minute phone call to customer service.
Once my account was back in order, I replied to the email I received with several questions I wanted answered. Below is an excerpt from that email.
First, how was my account breached? I don’t do anything with my windows live ID other than visit Xbox.com, and log into my Xbox 360, and I don’t give out passwords. For my protection, I’d like to know how the breach happened so I can take any necessary actions to prevent it in the future.
Second, which parts of my account were accessed by the hacker? If they accessed my credit card information in any way, I need to know about it so that I can contact any of the cards that may have been affected in order to prevent fraudulent charges.
Third, how do I go about removing all of my credit cards from my account? I will use cards purchased from stores to up my XBL subscription, and to purchase MS points – I no longer need, nor want any credit cards associated with this account, as it has proven to be insecure. email.
All of those points seemed like reasonable requests to me. Connecticut Senator Richard Blumenthal would most likely agree with me, given that he had some choice words for Sony earlier this year when the Playstation Network was hacked, and millions of customers had their personal information stolen. In a letter to Jack Tretton, president and CEO of SCEA, Senator Blumenthal said the following:
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
Microsoft doesn’t quite see eye to eye with me, or Senator Blumenthal, as evidenced by their response to my request.
Dear Xbox LIVE Customer:
We apologize, but we are not at liberty to explain our investigation process. However $ 16.03 has been refunded to your account. Refunds could take up to 5-10 business days prior to displaying in your billing activity. It may take 30 days or longer to appear on your statement, depending on your financial institution’s policies.
If you have any concerns regarding this notice, you may either reply to this message or contact Xbox Customer Support directly using the information available at http://www.xbox.com/support/contact and reference the Service Request number above.
The Xbox LIVE Escalations Team
I emailed them back to let them know that I did appreciate the refund, but that I’d still need to know how my personal information was accessed in order to take any necessary precautions, and as of this writing, I haven’t received a response (though I’ll update this post if I do).
It’s also worth noting that they completely dodged the bit about removing credit cards from my XBL account. That’s because you have to have at least one payment method associated with your Xbox Live account. If you want to remove the credit card associated with Xbox Live autobilling, you’ll first have to associate a different card, or your Paypal account with XBL.
So, after a month long investigation, Microsoft will only acknowledge what I knew on September 6th – that someone other than myself accessed my Xbox Live account. They are either unable, or unwilling to give me any information about how my account was accessed, or about which (if any) pieces of my personal information were taken by the hacker. In other words, someone gained access to my account, may or may not have accessed my personal information, and spent my Microsoft points, and Microsoft does not intend to help to protect me from any of the potential hazards associated with having my personal information accessed.
At least when Sony gave out my personal information they offered identity theft protection to make up for it.
I reached out to Xbox Live’s Director of Policy and Enforcement Stephen Toulouse prior to writing this article for information on Microsoft’s end of the investigation process, but unfortunately, he did not return my email.
With no word from Microsoft on what information the hacker may have accessed, and no concrete information from Toulouse on Microsoft’s hacked account investigation process, I’m left feeling like my Xbox Live account may wind up being a security liability.
UPDATE: Both Ars Technica and Gizmodo have received the following response from Microsoft after inquiring about the recent rash of XBL hacking:
We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account
Well, at least the entirety of Xbox Live wasn’t hacked – that’s good news, right? This is still a fairly widespread issue if the comments and forums across the internet are any indication, and Microsoft would do well to consider additional security measures to prevent future hacking attempts from being successful.