Xbox Live users having their accounts hacked and used for FIFA purchases

October 18, 2011

A slew of Xbox Live users are reporting that their accounts have been hacked and used to purchase content for either FIFA Soccer 11 or FIFA Soccer 12. Microsoft has responded, rather slowly, to these reports by locking down affected Live accounts for as many as 25 days to investigate the fraudulent activity.

One gamer blogged his story of his hacked account and his interactions with Microsoft trying to revolve the issue.

"Sure enough, all of the Microsoft points that were stored in my XBL account had been spent on in game items for FIFA 11(I don’t own that game… hell, I don’t even like soccer video games) and whoever spent my MS points had then tried to purchase more. Presumably, when that purchase failed, they abandoned my account and went on to steal from some other unsuspecting gamer."

A Reddit thread was also started by another gamer to voice his frustration with Microsoft's slowness to respond to accounts of hacking.

In all of these accounts the story is largely the same. A Xbox Live user will find a bunch of fraudulent FIFA 11 or FIFA 12 purchases on their account via email confirmations of purchases, missing Microsoft Points, or charges to their credit card. When those users contact Microsoft about the issue their account is locked down so Microsoft can investigate. Microsoft claims it takes 25 days to investigate a claim like this and they need the credit card information on file with the account to remain there for the duration of the investigation.

Neither Microsoft nor FIFA publisher EA is taking responsibility for a security breach. Microsoft responded to Ars Technica's request for comment by issuing the following statement,

“We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account.”

While it is possible that Microsoft or EA isn't having a security issue, the account information is coming from somewhere. It's possible the hackers are reusing login information obtained from another database. The real issue isn't how the hackers are getting login information but instead how Microsoft is handling it. Taking 25 days to investigate a claim like this when a large number of users are reporting the same problem is excessive. Even more annoying is the fact that getting a credit card off your Xbox Live account requires a call to Microsoft instead of a few simple clicks on the account management web page.

There needs to be an easier way to get credit card information off your Xbox Live account and a faster process for investigating claims like this. Waiting nearly a month to get resolution on fraudulent charges is insane. Was your account hacked for FIFA downloads? If it was tell us your story in the comments including how your interactions with Microsoft went down.