Saturday, January 7, 2012

[RESOLVED!] 0 Microsoft Points: How My Xbox Account Was Hacked

We've seen the stories online about the hacking that's been going on with Xbox LIVE over the past few months, what with Kotaku picking it up from the Hacked on Xbox Tumblr account that's become the "poster child" of the issue, what with her getting invites to podcasts and interviews, this gives credence to what has happened to me in the past 6 hours.

It all started when I tried to get on my Xbox. I was greeted with a screen asking which account I wanted to log into. My brother recently downloaded his profile to my system, so I figured that may have tweaked with the auto-sign-in thing I had going on. Well, I kept getting an error that I couldn't sign on to Xbox LIVE. I Googled around, and it pointed to a password reset.

Sure, why not? I mean, my password had been around for a while, a change is good, right?

I got my password changed, but before I left my computer for my Xbox 5 feet away, a tiny glimmer in the top corner of my screen caught my eye:

Holy. Fucking. Christ.

0 Microsoft Points? Minuto? Cero? Nothing? How the fuck did this happen? (For a quick catch-up, I had 5400 Microsoft Points in my account. That's the equivalent of $67.50 USD. That's a lot of (digital) change laying around in my Xbox account that only I should have access to, right?)

I got on my Xbox for some reason, probably to see if I could check my purchase history, but I noticed a few Achievements that I didn't recognize. I plug through the pages, and discover that they're from FIFA 12.

Wait, what?

I hate fútbol with a fucking passion. Despise it. So why is it appearing in my Game History? Did someone here at home pop in a copy of FIFA 12? Did my sister's pathetic excuse of a boyfriend that's living here in the house decide to play my system while suffering from a staph infection? Oh. Fuck. No. Turns out, no one in the house played FIFA 12. Or the other two games that appeared in my Game History. That's right, two more games were played under my account. For the record, I haven't touched my Xbox in three days, and I had played the Metal Gear Solid HD Collection.

Yes, I have played L.A. Noire and Super Meat Boy, and I proudly admit that. However, look at my Achievement history for L.A. Noire, and you'll see the last Achievement was all the way back in May. Yes, I haven't touched that game since I sent it back to GameFly eight months ago. Super Meat Boy is another story, as it's been since October of 2010 (15 months) since I earned an Achievement with that amorphous blob of red meat. "What's going on here" is the only thing that is in my head that doesn't have a thousand cuss words peppered throughout it.

Digging around on got me to my Purchase History. Since all of this gaming activity happened today - January 6th - I looked for anything downloaded today, aside from the Underworld: Awakening GamerPic I downloaded for the registration for the contest. Here's what I found:

What the fuck is a "PREMIUM GOLD JUMBO" and "PREMIUM GOLD PACK"? I assumed it had something to do with the Family Gold Packs. Clicking them does nothing, as it brings me to the error page they've crafted when URLs don't go where they're supposed to. You know, this page.

Regardless, I remembered back to an article I saw on Kotaku about the Xbox hack I skimmed over in my RSS feeds earlier in the day, I scurried back to this post (the one I linked to way up top):

"Is the Xbox Live "Hacking" Problem Worse Than Microsoft Realises?"

Yes, "realises", not "realizes", but cracking down on grammar is not what I want to do right now.

After reading the paltry article, I soon discovered that the method involves everything I've seen happen to my account. FIFA 12, disappearing Microsoft Points, Family Gold Packs all adding up. They used the game - and even earned two Achievements in the process; go you! - to somehow get into my account, they dumped the already existing 5400 Microsoft Points into a dummy account they created with the Family Pack (or used the Points to buy the Family Pack itself; it's unclear where they went to, exactly) and left me on the side of the road like a used hooker in Liberty City.

I kid, I kid.

Getting back to the Points, notice how in almost all accounts you read about, 10,000 Microsoft Points ($125 USD) was purchased using stored credit cards on the account. Well, I did have two cards stored (one active, one inactive; the active one has since been removed), but there has been no fraudulent activity on my account.

::runs off to check bank account::

Yes, no fraudulent activity. However, my Xbox LIVE account was a treasure chest for them, as my account contained half of what they were charging to other accounts, so rather than deal with credit card tomfoolery, they just fucked me without bothering to wine and dine me. That's my theory, at least.

So, let's quickly recap: no Microsoft Points in my account, odd Game History, and interesting Purchase History on Cool? Alright, let's move on.

My first phone call to Xbox Support was at 10:47 pm. That didn't last long, as I remember you can have them call you! ::insert bad Russia joke here:: So, at 11 pm on the dot, Microsoft calls. That lasted for 13 minutes while I discuss with the Man on the Phone what had happened (read the above paragraph if you failed to catch the recap, and that's what I told him, but dragged out into 5 minutes). While I did keep my composure, the Man on the Phone didn't seem at all...intrigued by my dilemma. We got so far as him saying my account would be locked down for up to 25 days (yes, the same amount as others have been saying), but that I would be sent a complimentary 1 Month Xbox LIVE Gold token for the time spent away from my betrothed.

During this, the call is disconnected.

I felt like this poor, pissed-off possum.

I got through the main points of the issue, and at first, unbeknownst to me, I felt that I had done all I could. Then the possum bit me in the taint. I had Microsoft call me back again. They called again at 11:32 pm (mind you, waiting for these calls to come through took less than 10 minutes each time, so kudos), and I got another gentleman on the phone. I told him I had been disconnected, and he asked about the problem, starting with the Console ID and Serial Number. "I'm not sure what that has to do with anything, so let me explain to you my problem" is a good paraphrase of what I said to him.

Surprisingly (unsurprisingly?), he sounded generally concerned, more so than Unfufu did 45 minutes prior. We go back and forth, I share my findings, and he recommends the usual: change password and change password hint. Cool, I'll go ahead and change it again; after all, I only added a number to the end of the previous password just so I could be the camera inside of Daniel Craig's noodle for a while. I got my hint changed as well, while I was at it. Afterwards, he tells me the same about my account being sent up to the big boys for an investigation, but here's where it differs greatly:

He said it usually doesn't take the full 25 days, but (hold onto your panties, boys, it's going to get wild in here) my account won't be locked down until 10-15 days into the investigation, and that I will be notified by email when the lock happens.

Thank you, dear sweet baby Odin!

Sadly, the fine line here between "lock down" and "full-on, hog-in-hand investigation mode" is that since the lockdown won't be for a fortnight, this free month of Xbox LIVE may not come to my digital doorstep (read: email) for the issues that have happened. Sure, throw some blame at me for not securing my account, but if these Polish fools can get into my account by fandangling FIFA 12's in-game purchases, kidnapping my Microsoft Points and using them to buy Gold memberships, then there are some serious fucking problems here.

Nearing the end of my 14-minute conversation with my new bestest friend, he reaffirms that, pending the investigation's end, all 5400 Microsoft Points (that's $67.50 for those whose short-term memory fails them) will be recredited, and that, depending on the length of my account being locked, I may receive compensation in the form of Xbox LIVE Gold.



Well, shit:

Here's "that email" that we've become accustomed to, what with Microsoft saying my account has been locked. But, wait a second:

"He said it usually doesn't take the full 25 days, account won't be locked down until 10-15 days into the investigation, and that I will be notified by email when the lock happens." - Me, two days ago

"10-15 days" doesn't equal 2 days, now does it? I received this email yesterday afternoon (at least that part was right), with the naughty bits highlighted. The investigation period is 3-6 weeks (that's 21-42 days). They also say that if they can verify the purchases were made outside of my control, it can take up to 10 days for that refund to appear, but it can take 1 to 2 billing cycles to show up on a credit card statement.

Just to see if this is actually true, let's go look at my Xbox...

...yup, I can still log into my XBL account, see my friends list, access the Marketplace, all that jazz. Even if I were to take a picture of it and post it, there's no way that it would "prove" that I'm logged in today, after the email. It's been just under 24 hours (email was received at 2:01 pm EST), but it's still the fact that they say it's locked, but it's not. The spring semester just started today, so I don't feel like wigging out on Microsoft; others have already done that for me.


Well, my account has been locked down, but not for the reason you'd think:

Yes, as it shows, Microsoft is more worried about them getting their money than protecting their customers' information. Here's the funny thing:

My membership's auto-renewal is set to "Off", but I can't remove that option because, and I'm taking this directly from my Xbox, "a subscription that is automatically renewed is associated with it."

Let's look back up at the image we see above. Notice what I underlined? Yes, the Prepaid card. I'm using prepaid XBL Gold cards to use the Gold service (and I have been for several years), yet somehow, this card is still tagged to it and won't come off like a fanatic Justin Bieber fan that has managed to get her grip on that disgusting Canadian.

I mentioned this problem to the last chap I talked to on Microsoft's end, and he said he couldn't remove it due to some weird glitch on his end. The only option that I could do was have them terminate the existing Gold membership, remove the card then, and have them credit me with a code for the time left over on my existing membership.

But why now, of all times, does the credit card - after all these years of being tagged to my account - just now raise a warning with Microsoft? And why is it that my account was not locked down - after the email said it was - but now that there's an issue with my credit card, Microsoft flips their shit and throws down an iron gate in front of me with Gandalf in front shouting at me, demanding moar monies?


So here we are, calling Microsoft about what happened last night. I started off with trying to get Microsoft to call me via their "Contact Us" section, but as soon as the call comes through, there is nothing to be heard, and 15 seconds into the call, it abruptly ends.

Cue possum picture.

I try to fill out the form again, but it gives me another error: "Invalid request. To many attempts have been made. Please try again later."

Bull. Shit.

So finally, another call comes through (?) and a gentleman by the name of Chris appears on the other end of the phone. I explain the billing issue, and he says it's about my account being locked down.

But hang on a second, let's take another look at this image:

An issue with my "payment option". I'm pretty sure that if my account was locked down due to an investigation, that window would look very different. 

During this (I've been typing this in real-time while it's happening, as opposed to a recap of past events), I get a notification on my Xbox (get ready for this shit):

"FINAL FANTASY XIII-2 Demo Downloaded"

Who wha?

Yes, my Xbox was able to successfully download the new demo that was in my queue from a day prior without faults, yet this Chris character is telling me it's due to the account investigation. If my account is truly locked down, why is it that my Xbox is still able to talk to their servers, access my download queue and continue to download this demo? OH! And the Asura's Wrath demo was able to download too, but that was sitting on my Xbox from last night's romp with Goldeneye.

Microsoft. Seriously. What the fuck are you kids doing over there in Redmond?


Hallelujah! Microsoft sent me this email about 3 hours ago, letting me know the investigation is done. They also threw in this little nugget as well:

Just below that portion of the email, they give me two redemption codes for Microsoft Points, one for 4000, the other for 1400 (which have already been redeemed, thank you very much). Below that, they gave me yet another code for a 1-month membership for Xbox Live Gold. Since I don't do a whole lot of Gold-worthy stuff, I went ahead and gave the code to my little brother.

In just short of a week, my account was compromised, $70 worth of Microsoft Points used up, my account was locked down (and reopened within 4 days) and everything refunded with $20 worth of Xbox Live Gold codes sent my way as compensation. To be honest, as long as I got my points back, I'm fucking hysterical.

And this... all I really cared about in the first place.

I would like to thank Microsoft for having this issue resolved in such a quick amount of time (unfortunately, this cannot be said about others who have suffered far greater than I). I would love to have these other members of the community have their issues resolved soon, if not instantly, due to the same severity: our accounts were hacked, money lost (in one form or another), and it needs to be rectified. It took Microsoft 4 days for me. I've seen stories of others who have been on that waiting list for longer than twenty times this amount.

My biggest thanks goes out to Susan T., whose story shed light on my situation within moments of it happening. If it weren't for her story being picked up by Kotaku (which no other publication did), I may have been wandering in the dark like Alan Wake, with only a flashlight, left stranded on the hillside of a bumfuck mountain town with dementia in tow.

It bears repeating, but Gabe and Tycho have the best image I can use to express such aforementioned hysteria:

Again, thank you to Microsoft, Susan T. and Kotaku. I pray to Thor that others' cases will be resolved soon, and that whatever measures need to be taken, Microsoft (and hopefully EA, as it has to do with their servers, too) has done so.