I Watched In Real Time As ID Thieves Spent My Money On Xbox Live

It’s bad enough to find out you’ve been the victim of identity theft. It’s even worse to sit and watch as the thieves spend the money they acquired with your credit card information.

That’s what happened today to Consumerist reader Brian, who could do little but sit and watch as someone else had a good time at his expense.

From Brian:

I received 2 emails from billing@microsoft.com. 1 was for 4000 Microsoft XBOX Live Points ($49.99) and the other for 6000 Points ($74.99). I am sitting at work so I know I didn’t make these purchases. Maybe my cat did at home. He is pretty smart.

Thinking this was a scam, I typed in microsoft.com and navigated to their billing page (NEVER CLICK ON LINK IN AN EMAIL THAT LEADS TO LOGGING IN OR GIVING PERSONAL INFO LIKE THIS) and verified that both charges were made to my XBOX Live account and thus charged to my credit card I had on file.

I immediately called XBOX Live Support/Billing and told them about what was happening and the gentleman was very helpful. He immediately locked my account so now more purchases (cash purchases) could be made. However the thief could still spend all the MS Points that were on my account. Also, he said that he put a ticket in and their systems would start tracking the IP address of the thief while he was making the purchases.

This last point doesn’t really mean all that much. I am a very knowledgeable computer security individual and know that for someone to do this as quickly as they are, I am sure they are in a hotel under a false name and credit card so it can’t be traced back to them.

I was informed that I would need to call Microsoft back when I get home with the Serial # and ID # of all my XBOX’s (I have 3) so they can verify that the purchases were not made on my systems… I just hope someone didn’t break in to my condo and steal them. Once I give Microsoft that information, they will review it and within 25 days they will refund my money.

I watched from my computer as the account went from 10,680 MS Points down to 70. There is nothing on XBOX Live Market Place that is under 120 points ($.99) so I am sure they left it at that and are moving on to the next victim.

On the not-so-bad side, Brian spoke to his bank about the illegal transaction, which were still listed as “pending.” The bank put a hold on them while it investigated and told Brian that, since the card was not swiped and no PIN was entered, the transaction was considered a credit card purchase, meaning that, rather than have to go through the hassle of disputing a debit card charge, he’d be covered by the much more consumer-friendly rules for credit card fraud.


Edit Your Comment

  1. kompeitou says:

    “He immediately locked my account so now more purchases (cash purchases) could be made.”

    Is that “no more purchases”?

    • midwestkel says:

      They could enter a Xbox Live point card and it would add the points. They just can’t get anymore points charged to his card.

  2. Cat says:


    Yes, I am blaming the OP.

    • mauispiderweb says:

      Where did it say he bought stuff online with a debit card?

      • Cat says:

        “The bank put a hold on them while it investigated and told Brian that, since the card was not swiped and no PIN was entered, the transaction was considered a credit card purchase…”

        • Cat says:

          “…rather than have to go through the hassle of disputing a debit card charge”

          • mauispiderweb says:

            His card info on file must be listed as credit, not debit, or else it would be the other way around and he >would

          • mauispiderweb says:

            that was strange getting cut off.

            I was saying that he would have to go through the hassle of debit fraud, otherwise.

        • mauispiderweb says:

          Apparently, he has a bank card that can be used as credit or debit. The thieves used it as a credit card to purchase the online points. So, where does it say Brian used his debit card to make an online purchase? ;)

    • samonela says:

      He could have used his debit card at a local business that skimmed it without him noticing or had a skimmer installed on an otherwise legitimate-looking device and he inadvertently swiped it himself.

      • ellmar says:

        Yes! I had the same problem about six months ago when my Wells Fargo debit card was used to buy something on XBox Live. I don’t even own an XBox, so there was no doubt it was fraud. I have never used my debit card to buy anything online. No one stole (or borrowed) the card so who the hell knows. Wells Fargo gave me a temporary credit for the amount I was disputing and then took about six weeks to investigate. Of course they wouldn’t tell me who the culprit was and eventually turned the temporary credit into a permanent one.

    • Bernardo says:

      That didnt say that. Please stop trolling.

    • You Are All Wrong says:

      Oh shut the fuck up some people don’t have/want/need credit cards you whiny asshole.

      • eldergias says:

        Please quote the part of Cat’s post where he says that anyone should have/want/need credit cards. Or even any part of his post where he mentions “credit cards”.

        You can’t? You lose, now stop trolling.

        • Supernautus says:

          How about the line right at the bottom ” And no credit cards? Bad consumer.”

          • eldergias says:

            What you quoted was in TasteyCat’s post not Cat’s. The reply was to Cat’s post, not TasteyCat’s post.

        • coren says:

          Well without a credit card, you’re either using paypal or a debit card to use the service, so it’s a safe assumption

          • eldergias says:

            You could also not do transactions online, use a secured collateral credit card, or use a preloaded balance card.

            The point is that Cat’s post essentially said “Don’t use a debit card online.” Anyone reading that as, “You should use a credit card,” is injecting that meaning into his statement themselves. Screaming hysterically and using profanity because you decided to inject your own meaning into someone’s statements is pretty stupid.

            By the way, look at “You Are All Wrong”s comments on other articles, they are universally insulting and attacking people. It is clear that “You Are All Wrong” is merely a low brow troll.

    • midwestkel says:

      Maybe because he: a) is buying from a reputable company, b) doesn’t have a credit card, c) was hoping for this just so you can blame him.

      • TasteyCat says:

        I’m not giving any company access to randomly withdraw funds from my checking account, no matter how reputable. And no credit cards? Bad consumer.

    • QrazyQat says:

      I must agree. He should definitely have used his valet’s card, or at last resort, the chauffeur’s.

    • Difdi says:

      Because the XBox lacks a coin slot?

    • eldergias says:

      I totally agree with you, don’t listen to the naysayers here. He should not have had his debit card linked to his xbox account. No one should ever have a debit card linked to any account ever. EVER. It is NEVER a good idea to give a company engaged in making profits unfettered access to your bank account. If someone disagrees with that, I would love to hear the rationale. (And no, convenience is not more important than not having your bank account drained.)

      If you don’t have a credit card, it really is not hard to get one. It really isn’t, they will give them to almost anybody, including children and dead people. So the comments expressing the thought that credit cards are for rich people is simply ridiculous. Use appropriate analogies people. If your credit is just so terrible that the credit card companies want nothing to do with you, there is always a secured debit credit card (yes, this is different from a debit card). The only legitimate reason not to have a credit card is because you are incapable of managing your spending when you have one. In that case, you still should not be linking a debit card to any accounts or using a debit card to make purchases online. It is never a good idea. If you think it is, please send me an email with your bank account info if you are so willing to give it out.

  3. AlteredBeast (blaming the OP one article at a time.) says:

    “There is nothing on XBOX Live Market Place that is under 120 points ($.99)”

    80 MS Points = $1.00 US

    • Shadowfire says:

      Pretty sure there are some indie games that are 120 points.

      • AlteredBeast (blaming the OP one article at a time.) says:

        There are many that are 80 MS points.

        • HazyCloud says:

          There’s also avatar items for 40 Points. On the plus side, now the OP owns all the content they bought since they will be tied to his Gamertag.

          • AlteredBeast (blaming the OP one article at a time.) says:

            Good point, I forgot about the avatar items.

            Not to pick on the OP further, but, I can’t help but think that someone who has 3 Xbox 360s would be more familiar with how much $1 equals in MS points, and how much things tend to cost.

  4. Kung Foo says:

    Whether or not the IP traces to somewhere like a hotel, if Microsoft can pinpoint the point-spending to the Xbox it was used on (hopefully not the OP’s) and the location is within reach of the owner of said console, it’s just more proof that they did it.

    Fortunately the OP was able to catch the thieves in action as soon as he did to limit the spending, and I hope it all turns out for the best in the end.

  5. PlumeNoir - Thank you? No problem! says:

    “This last point doesn’t really mean all that much. I am a very knowledgeable computer security individual and know that for someone to do this as quickly as they are, I am sure they are in a hotel under a false name and credit card so it can’t be traced back to them.”

    …is there a step missing in there? As an IT Security person myself, there is an odd leap of reasoning to the “hotel under false name and credit card” bit.

    Not saying OP’s wrong, per se; I just wonder how he immediately jumped to that conclusion.

    • Tunnen says:

      I would just assume the thief was using an unsecured or public access wireless network. Or even a wireless network with easy to bypass security like WEP. I would still try to track the IP anyways though, because it might trace back to the “stupid criminal”‘s house and you may just catch the thief eating pizza. =P

      • coren says:

        The person who stole his account and the person spending the points may very well not be the same person.

    • kobresia says:

      I think it’s the way the thief was (a) buying more points with the card on file and (b) using an XBox to spend them almost immediately. I think that implies that the thief was somewhere where s/he could plug-in and use an XBox, assuming you can’t spend MS points by logging into your account via a web interface from any computer.

      All in all, though, that seems like an utterly pointless crime.

      • coren says:

        You can spend them anywhere, but it won’t do any good without an xbox to then download that content, so that person does have to have an xbox.

    • coren says:

      No, you’re not missing anything, and the OP is probably wrong. What has probably happened is the person using his gamertag to DL stuff is someone who paid maybe half the retail value of those points (something like 50-70 bucks) and is downloading that stuff to their xbox, while a middleman who gave them the gamertag collects some quick profits and goes on to hack someone else’s account.

  6. BrownEyes says:

    I get so sick of some people blaming the OP for everything that happens. It must be awesome to be so superior to everyone else.

  7. BRG9000 says:

    I’m confused, what does the fraudster get out of this. Can you buy things on xbox live other than media that is then tied to that account? It sounds like the money was spent too fast for the thief to actually be watching movies.

    • ballistic90 says:

      “Some people just want to watch the world burn.”

      All I can think of is that either

      A) They just wanted to waste people’s money

      B) They’re not very smart and didn’t think far enough ahead. Not everyone that tries to ‘hack’ something is very smart. Tools and account info are available all over the place.

      • MrEvil says:

        If they were smart they wouldn’t need to steal shit from others.

        • Evil_Otto would rather pay taxes than make someone else rich says:

          Being smart is no guarantee of success. You can be the smartest guy in the world, if you don’t have the right set of circumstances you’ll be just as screwed as the dumbest guy in the world.

          Besides, one might argue that stealing is easier than working, so a smart person might do it to save time and effort.

    • g051051 says:

      I had something similar happen on the PS3. I got up one morning and found 3 purchases of games for a PSP, and I don’t own one. I contacted Sony support, and they were great…they reversed the charges, removed the purchases, and banned the devices used in the purchases. I don’t know how a deliberate thief could make use of this, so I assumed my account info was sold to a 3rd party that didn’t know it was a compromised account.

    • coren says:

      The way Xbox live DLC (downloadable content) works is that yes, that content is always tied to the gamertag (account) it was purchased with, but it’s also tied to the first xbox it’s downloaded on. So the person is probably downloading the stuff to their Xbox immediately, and when it’s all there, they don’t need that gamertag to access it again.

  8. SScorpio says:

    This has been reportly going on for over a month. People are using leaked account information from other sites to logging into Xbox live. This happens because people use the same email and password with a site that has been hacked.

    While Sony’s PSN hack also wasn’t great, at least Sony requires that you enter in information from your credit/debit card when you sign into a new console for that account. If you don’t provide the information it remove your card from your account so even if someone was able to get into your account your card can’t be charged like it can on Xbox Live.

    • coren says:

      Yep, I’m betting some of this is gawker fallout (still).

      But what you describe wouldn’t work for xbox as you can buy the points at xbox.com and then make the purchases there and just download what you bought, no credit card required on the console.

    • DataShade says:

      The email address I used on Gawker isn’t the email I use on Xbox live; the password I used on Gawker, for the email address associated, for Xbox Live, for the email address associated to Xbox live *are all different,* but my Gawker account was in the list of compromised ones and my XBox Live account just got hacked.

  9. ender says:

    I don’t get it. What is the point of using up all of the points? Wouldn’t the purchases still be linked to his xbox live account? Even if you had the credit card on file doesn’t it require you to still enter the security code on the back of the card? Wouldn’t you be worried they actually have your credit card info and call the credit card company first?

    • ballistic90 says:

      You don’t need the 3 digits to buy something with the card on file on the Xbox 360, and your full credit card information is never revealed as long as it has been verified once. I’d say their credit card info is pretty safe.

    • coren says:

      When you purchase content, yes it is tied to that gamertag – that gamertag can use it anywhere. BUT, not so widely known is that the content is also on the first console it was downloaded to. So two copies of the content can exist for every purchase.

      • therosiandoom says:

        And while there will be a license on that console, you’ll be able to transfer those licenses by logging into your account online. There’s no real way for a thief to retain access to these things after an account’s been flagged.

        • coren says:

          This is true, but many people don’t know that. And before they started using actual accounts for this crap, the scam was to use a new account with a stolen card. Meaning the only people who would know what account to use to transfer the content would be the thief and the person he sold it to (or just the thief if they just stole a card to get themselves points).

          I’m working off the assumption that this is running the way these xbox point scams typically do

  10. BRG9000 says:

    To one of your questions: No, XBLA does not prompt you for the security code on each purchase. I don’t get what the fraudster gains from this either though.

    • bwcbwc says:

      Maybe they are able to crack the game copies they downloaded? Maybe they sell the box they downloaded to by demonstrating how many games it comes with (scam)?

  11. Andrew says:

    My guess as to what the fraudster got was the satisfaction of F*cking over the OP.

  12. pop top says:

    OK, I feel bad for Brian, I really do but this:

    “I am sure they are in a hotel under a false name and credit card so it can’t be traced back to them.”

    Just makes me laugh. Like, someone has enacted this HUGE plan wherein they check into a hotel under a false name with a stolen credit card and then proceed to buy Microsoft points! It’s completely ridiculous.

    • PlumeNoir - Thank you? No problem! says:

      Thank you! EXACTLY what I was thinking…but was trying to give him the benefit of doubt.

    • StarKillerX says:

      …….and when they were done they flew off in their black helicopters.

    • eigenvector says:

      My sarcasm detector went off when I read that statement. Maybe it needs re-calibrated. Or maybe it is just fine.

    • coren says:

      He’s way off. What probably happened is someone figured out his password somehow, sold “10,000 microsoft points” online, then sent this buyer Brian’s account info while buying about 140 dollars worth of points with Brian’s card.

  13. GarretN says:

    This happened to me recently (couple days ago) as well, the thief spent $125 dollars on my credit card buying microsoft points from the Zune site (I’ve never had nor used anything related to zune, mind), and purchased “GOLD PACKS” which upon googling actually appear to be FIFA12 DLC, despite the naming confusion. You’ll also see that you have a new friend on your friends list that, surprise surprise, has FIFA12.

    It was certainly related to my live account, as I noticed it happening about 20 minutes after the first purchase, and found a second email address on my live account that was owned by the ne’er-do-well.

    When I called in (immediately), Microsoft noted that my account was already automatically locked, and that the last transaction was already automatically refunded, which was the $25 dollar one. They have me a case ID and let me know it was going to take 30 days or so for the investigation. I’m still waiting on the refund for the other two $50 dollar ($100) transactions. :/

    • coren says:

      Yep, it’s FIFA stuff that seems to be the problem on mine too, although I didn’t add anyone new, and no one new was added to my account. Honestly, doing that makes you MUCH easier to get caught, and I can’t understand why someone would.

  14. harlekin says:

    I had this same thing happen on my Xbox live account. I was sitting at work and noticed an email. 4000 points were purchased. I called my wife to make sure it wasn’t her doing. Moments later another charge for 6000 points. I immediately called Microsoft.

    I find it curious that the number of points purchased were the same as the OP. Kudos to Microsoft support though. The guy on the phone was very helpful. He quoted a month for the investigation, but it was completed within two weeks. They gave me codes good for two months of live gold for the trouble. Oddly enough, the larger charge was refunded almost immediately, but the smaller one wasn’t refunded until after the investigation.

    • Bakkster says:

      I had the exact same thing happen on mine. The purchases were reversed within a few days without me needing to do anything, though the

  15. StarKillerX says:

    So if MS can block the account from making anymore charges wouldn’t you think they would block it from spending points as well? If nothing else it would make it much easier to clean up the mess afterwards.

    • coren says:

      MS doesn’t know what MS can do. They probably didn’t block it from spending more money either, but 10k points is usually the max they’ll hit any one account with, so the scammer was likely done.

  16. C. Ogle says:

    As somebody who has had his own ATM/Debit card skimmed and used for fraudulent purposes 3 times in the last year, I can sympathize. Fortunately my credit union’s fraud department is very responsive about freezing my card and issuing a new one/refunding fraudulent purchases. It’s still a hassle though, especially when it happened this past holiday weekend and I had to wait until the Tuesday after the holiday to be able to buy groceries and gas.

  17. NickJames says:

    Oh you got a quick response for MS? That’s great, I have been waiting almost 10 weeks for them to finish my investigation and get my account back after mine was stolen and the primary email changed. Isn’t that great?

  18. May contain snark says:

    Why do you have 3 X-BOX’s?

    • The_IT_Crone says:

      Because sometimes people play together under the same roof?

    • JennQPublic says:

      I have two, one for the living room and one for the den. I stream Netflix through both of them as well as gaming online. The Kinect is a lot of fun (especially with drunken guests), and for the price, it’s a great entertainment center, especially considering it’s the only equipment I need.

  19. pinkbunnyslippers says:

    Maybe this is because I’m just a girl but…why does one need 3 xboxes? 3 total, 2 unhooked because they’re old models, I understand…but 3 connected? He doesn’t say, so I’m just curious.

    • Kuri says:

      It’s quite possible they’re family owned systems, or at least more than one person in the household uses them.

    • Misha says:

      It has nothing to do with your being a girl. I’m female and in my two-person household I could definitely make a case for owning two Xboxes, and have in the past made the case for owning multiple PS2s.

    • Knyte says:

      One could be his, one for his kids, and a spare?

      One legit, and two modded?

      I know a few people who have multiple game systems of the same type.

      You would be surprised.

  20. TheBigWhiteWolf says:

    So is identity theft the same as having one credit card compromised?

    • StarKillerX says:

      I’ve seen them use very broad strokes when defining identify theft before, I’ve seen people charged with it in hacking cases. I have to assume they are looking at is as if you hack my account you are fooling that system to believe that you are me, thus assuming my identity on that system.

      Not sure if this holds up in court or not, but it has happened more and more frequently.

  21. rstark says:

    Exact thing that happened to me. I noticed the email confirming points purchase (10,000) while I was at work. They had used my PayPal account since none of the other credit cards were valid anymore. (expired ect)….I immediately called them, and while calling them I changed my email password as well as my xbox live password. They then warned me that they could still make point purchases as long as they were still logged in. I went home early from work and recovered my gamertag so it would log them out.

    What I don’t understand is now it will take 25-40 days for them to complete the investigation and release the account. If it’s secured, what is the difference? I want my gamertag back for the release of MWF3, but I don’t see it happening.

  22. rhys1882 says:

    Wow, this is exact same thing happened to me a couple weeks ago. Two purchases for points, $50 and $75, which were then used to buy a couple of games on some remote location. It took about 2.5 weeks but they finished the investigation, unfroze the account and refunded me my points. So I thought it was handled pretty well. Some of the customer service people seemed a little confused as to what the proper procedures were so it might have been handled quicker. Actually, once I finally spoke to the rep actually assigned to monitor the case, and gave him in my Serial # and Console ID #, it only took a few days for it to finish – but I am not sure if they were investigating that whole time.

    • NickJames says:


    • coren says:

      Sounds right. I’ve talked to 3 agents who said 3 things, gave me 3 time frames, told me 3 stories about how the account would be effected. How did you eventually get in touch with the right agent?

  23. framitz says:

    “I am a very knowledgeable computer security individual “

    Sorry I really don’t believe this statement from the OP.

    I’ll leave at that.

  24. dush says:

    Oh no, he did not put his debit card number into xbox live…why would anyone do that?

    • coren says:

      Speaking as someone who has only a debit card and paypal, and who has to have it on there for my specific membership plan – lesser of two evils. I trust my credit union or visa to have my back much more than I do paypal.

  25. Panzer1963 says:

    Same thing happened to me two weeks ago tomorrow (10/14). Microsoft has still not resolved nor restored my account. Forunately my credit card company refused the charges.
    Now I’d like to get my gamertag and my accomplishments back, not to mention that points that I liegitimately had in my account.

    Seems like Microsoft has a pretty big security whole with the number of folks reporting on this issue….

  26. coren says:

    Let me guess, they bought a fuckton of FIFA 12 shit?

    Someone did this to me last week too. I’ll post my story in a separate comment, but here are some valuable details for those not familiar, and about how this scam works.

    I’ve seen this scam running on ebay and other sites. The seller will have 6000 or 10000 – some off number of points that Microsoft doesn’t sell (unless you buy them directly). Not the 4000/1600 points cards, or the 400 point promo cards (or whatever point value other countries use, I’ve seen 2100 and 3200 for non-US areas). Then when you buy them, or in the fine print, they’ll disclose that what you’re *actually* buying is not the points, but an account with the points preloaded.

    For those not familiar, the ONLY way to transfer points between accounts is for you and the account you want points from to be part of a “family plan”, which would cost 100 bucks to set up – not likely in this case. So those points you just bought can only be used via that account you just “bought” (and yes, Microsoft does forbid their selling, which will get you an ebay refund if you get screwed over in this manner). However, the first time you download something to an xbox, that content is always available on that xbox (unless you transfer the content licenses, in which case it’s on the new xbox), and that gamertag (account) can have the content anywhere it is signed in. So yes, you can (and people do) use this to split downloadable content costs – one person downloads it to their xbox with your gamertag (account) and you then use your gamertag and you have it too.

    In the past, this was done with stolen cards and new accounts set up on the spot with the points purchased – the seller will always warn you that you only have a day, or a few hours to use these. That’s cuz when someone figures it out, Microsoft could cut you off at any moment. They don’t normally but the possibility exists.

    Lately, though, they’ve been giving people active Microsoft accounts. I guess it’s easier for them to steal gamertags than it is cards these days. The “upside” to that is you just got a ton of free DLC when MS decides in your favor. It’s still an annoying process.

  27. coren says:

    As I mentioned in my other (long) comment, this happened to me. Last Wednesday (the 5th of October) I logged onto my email around 9 pacific, saw confirmation for two charges for points, and immediately logged into xbox, changed the password and called support. Yes, my debit card is on file – my membership plan requires some payment method and I have no credit card, so it’s that or paypal. I use paypal as little as possible.

    Agent I spoke to at the time gathered the details, I made sure to point out they used the card when I always used points cards as they were a better value. She said that I could request that my account be locked for purchases and point use, but still able to go online – and I did (I’m the head of an Xbox “family” so all my friends can’t play if my account is suspended from all online use). (turns out that didn’t happen, as I got some dlc later that week).

    I followed up last friday (7th) to see if I should report the charges as fraudulent at my bank (don’t want to do that and find out you get banned for doing that) and was told the timetable for investigations was UP TO 25 business days, but usually it was much faster and that they just say 25 days to cover themselves if it takes the max.

    Tuesday (11th) my friend on the family plan calls up and they can’t go online, there’s a problem with the payment method. I go on try to fix my card, it’s “invalid”. Try to swap to paypal, “unavailable”. I call in, and yep, even though they promised they wouldn’t, they have my account suspended from online use. Why that makes my card invalid for an update, I don’t know. Why they can’t give clear messages, I don’t know. She says the case will be done being investigated in between 25 and 30 days, period. No sooner. WTF mate. Get your stories straight.

    And yeah, the scammer bought fifa crap, but they only spent about half of the 10k points they got. Not sure how that’s gonna play out, or if I’ll get my own 3k points back. =/

  28. TakingItSeriously is a Technopile says:

    This EXACT same thing happened to me at 7:41 AM.

    I immediatly went to the MS website and changed my MS Live Password and this changed my XBox Live password preventing them from spending over 5800 of the 10,000 points they had acquired. This is NOT a credit card breach. This was a breach of the Xbox account.

    I am sure it will get straigtened out – and if not I will take it as a lesson learned to NEVER deal with XBox Live ever again and cut all ties with the service.

    • coren says:

      You’ve called the 4myxbox number to report it right? You may get locked out of your live account while this happens, just so you know (speaking from experience). BTW, did they buy a bunch of FIFA crap?

      • TakingItSeriously is a Technopile says:

        Sorry, yes I should have mentioned.

        Immediatly after I changed my PW I went ahead and called MS on this. They froze my account and opened an investigation. It will be “within the next 25 days” to get it settled. I was very nice to the lady when I explained if this doesn’t get reversed XBox Live will never see another penny from me ever.

  29. guroth says:

    I dont have an xbox or use xbox live, so I might be missing something here, BUT…

    It sounds like he didn’t get his CC# stolen, it sounds like his xbox live account password got figured out, and he had a CC stored on his xbox account. The points were purchased on his xbox account (he got a billing notification sent to his email address, and he was able to watch the points get spent).

  30. Kuri says:

    So, um, how much safer is XBL compared to PSN again?

    Oh wait, neither is safer than the other.

    • kttmrt says:

      Lets see. PSN had ALL their accounts compromised, while this is just an isolated incident probably stemming from ID thieft of the user’s Xbox login credentials.

      Which one is more secure? I’d take XBL any day.

    • coren says:

      Based on…some individuals get hacked on Microsoft, due to their OWN lax security. PS3’s whole network gets hacked on multiple occasions. But yeah, Microsoft is totally unsafe.

  31. Killj0y says:

    Fifa and the rest of the EA line are the weak link here. In general you can’t transfer content from one account to another because of the licesnse restrictions but because the EA sports titles allow people to buy Packs of players and then trade them inside the game the scammers are able to take a hacked account, buy about 10k points and then spend them on the packs.

    They then transfer the resulting Gold pack players and kit to their mule account and from there i’m at a loss. Either they sell them, trade them or use them. I’m betting some kind of player grey market where people pay real money for rare players and the scammer can convert the loot into cash.

  32. kttmrt says:

    I had this exact scenario happen to me in July, except my account was also transferred to Russia.

    I’ve been waiting for a refund and my account to be recovered for over 3 months.

    Prepare to be disappointed.

  33. Impromptu says:

    This is something occurring uncommonly in the XBL community lately. MS has said nothing official and the evidence is quite anecdotal, but take a look at these examples:



    There’s more out there, but these are just two examples. (We’ve been discussing this over at EscapistMagazine, where I first heard about it)

    Now, the news post here does not mention exactly what the points were spent on, but I’m willing to bet, like other victims, he also had achievements for FIFA 12 after this happened.

    It seems more like this is a loophole in Xbox Live that hackers are taking advantage of (not unlike the one we saw with PSN) User

    Due to the sporadic nature of the attacks, I recommend removing all credit cards attached to your Xbox Live account. Only took a few minutes for me to remove everything, including the primary card, by phone.

  34. stimpyb27 says:

    This Happened to me too. I was playing online when suddenly my account was stolen. I tried logging back in but got the same msg over and over again. I went to the xbox support forum and discovered that the only way that msg pops up is when my account is transferred to some other Xbox. I immediately change my password and recover my gamer tag and discover that I have 4000 plus microsoft points. I check my purchases and find that I have paid for 10000 microsoft points. I call microsoft and tell them about it. They to told me about locking my account and submitting a ticket. I have to wait up to 25 days to get my account reactivated. They caught the second purchase as a fraudulent purchase so I spared $75 but the $50 went through. I called my bank and canceled my card that was linked to the Xbox account.

  35. rgf207 says:

    I have only 1 question: Why does he have 3 xboxes?

  36. Darkneuro says:

    This is currently happening with my partner right now. He tried to login to his Xbox Sunday and it told him his gamertag was invalid. He hopped on the phone with MS and was basically told the same thing. Called the bank right after that. He now vows to only use points cards and admits he was a little stupid.

  37. DeeJayQueue says:

    This EXACT same thing happened to me… same denominations and everything.

    I had to call Microsoft, get them to freeze my XBL account (I let it lapse from gold to silver).
    They were able to do that, they could see that it wasn’t me who bought the points since they had my console on file, and they could also tell me what games were bought with the points. They were shitty games, and I told the CSR as much. I also told her that I hadn’t even powered the unit on in over a month, a fact that again, they verified.
    Alas, even with all this verification happening, Microsoft could not give me my money back.
    I had to call my bank and put a fraud claim in, which meant canceling my card, having a new one sent, starting an investigation, etc.

    In the end all was well, but for like 3 days while the charges went from “pending” to “actual” and then got reimbursed by the bank, I was really on pins and needles.

    Lesson: Don’t buy anything on XBox Live. They’re totally hacked up and they’ll steal your digits, yo.

  38. DataShade says:

    Interestingly, HSBC told me mroe or less the complete opposite. Even tho’ there was no swipe, no PIN use, etc, since it was a debit card, it was going to be submitted to their security team as a debit transaction dispute.

    In the case of my hacking, what I found interesting was that *I DIDN’T GET ANY EMAILS ABOUT THE PURCHASES,* and when I checked, my Xbox Gamertag no longer existed, my Windows Live/Microsoft Billing page showed all my points had been transferred, but nothing on the page said to where.

    One of the 3 MS CSRs I spoke to mentioned that it looked like my gamertag had been transferred to a new WindowsLive profile before the purchases were made – which is terrifying, as it implies MS will move your credit card information to a new account without needing you to confirm it.

    • coren says:

      Push harder, there isn’t supposed to be any mechanism to do what you described. SOmething is fishy about what you’re being told.

  39. Rob says:

    To the OP.

    Make sure you follow up your call to the bank with something in writing. Calling is good to prevent further charges. Sending a written dispute preserves your rights when trying to get your money back.

  40. The Mushroom Queendom says:

    Exact same thing happened to me. :( This morning I discovered two erroneous charges on my bank statement (for $49.99 and $74.99) followed up by a series of micro-transactions to my Xbox Live account. Apparently, someone *really* loves FIFA Premium Gold Packs and they were nice enough to steal my account to buy 88 of them.
    And it seems we’re not alone:

  41. masterage says:

    I had the exact same thing happen, except I had the lock in place, and the pass changed, about six minutes after I got the first email.

    And I do mean exact, but mine didn’t have a happy ending: I was forced to keep the points. Bank denied a chargeback, microsoft didn’t see anything wrong (and it took them five weeks to state so). I was just lucky I was able to eat the cost.

    And no, my case wasn’t the first. This looks to be the 15th documented case of this in about seven months. Microsoft won’t have my card details again, and if I get anything, it’s pre-paid cards >_

    Across everything.

    • masterage says:

      By documented, I meant actually posted, dissected, and placed elsewhere. The commenters here provide many, many more.

      Mine happened in July, and the posts starting showing up around May… so yeah, security weakness probably finally spread around, instead of being limited to a certain group.

      • rstark says:

        sorry but you’re full of crap. This is why they ask for the Serial number and console ID. Obviously they saw nothing out of the ordinary and that the purchases were made from your console.

    • coren says:

      As stupid ad this sounds, you would have been better off letting them spend the points.

      If you haven’t spent them, I’d go back to Microsoft and try again, in the light of all the new people getting their money stolen.

  42. sairaag says:

    Hi I am new to this site I had this same exact issue with the same charges. I was watching a movie and I went offline. I looked at my iPhone and had 2 new e-mails with Microsoft point charges to my paypal account. I called paypal and disputed my charges and my money was refunded, I also spoke with Microsoft and they suspended my account until further investigation and they said it can take up to 25 days. It’s been 10 days and I decided to call and received no status and demanded to have my account re-enabled, I can’t play online or offline and it’s not fair I have to suffer due to lack of security on Microsoft end (I do network security and my password was pretty complex and I never gave my pw to anyone or any site). I called xbox live and they pretty much told me it’s out of there hands and I asked for a number to the department who is doing the investigation and they said they don’t have any information and could not help me. I find it hard to believe they cannot re-enabled my account of give me more information after speaking to 3 managers I ended my call. I am very upset on how Microsoft treats there customers and by no means I should not be put to wait over 25 days to play my saved files. My friend is on the same situation and it’s been 60 days for him now. If this is how Microsoft reacts then why bother to have a gold live and pay 60 dollars a year? how many other users are in the same situation as I am? I just spent 60 on a live account and I cannot enjoy my new games or prior games. I also don’t feel like starting over on many games I owned that I have well over 20 hours of game play.

    • rstark says:

      You can still play offline. cancel your Live account, that allows for you to go in and remove your credit card which will take care of the “there’s a problem with your payment” issue.