Mr London had his Xbox Live account hacked last night. He didn't fall for any phishing scams, and hadn't given out his password anywhere. The first he knew of it was when he received an email from Xbox Live (which he didn't even open) in Chinese characters, saying he'd added another email to his account, and another email saying that his attempted purchase (well, not actually his attempted purchase) of 6000 MS points had failed.
Luckily, the credit card attached to his account had expired and he'd never linked his PayPal to it. He did lose the 2000 MS points he had on the account though, and an internet search of this problem reveals it is anyone's guess when he might get these back - he's reported it to Xbox, who have frozen his profile pending investigation. The hack happened just before their support phone line closed for the evening, so the points have probably already been spent.
A quick Google search revealed that this appears to be caused by a brute force attack on the Xbox Live login, which is set up in a way that allows this exploitation:
- It gives a different error message for an incorrect password than for an unknown email address (which tells the hackers there is an account attached to a particular email).
- It allows unlimited login attempts without freezing the account (which allows brute force attacks - a computer programme entering many thousands of different passwords until the programme hits the right one).
- An additional email address can be added to the account without requiring verification from the account's primary email address.
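To make the three weaknesses concrete, here is an added illustration (not code from the original post, and nothing to do with Microsoft's actual implementation): a login routine that leaks which of the two errors occurred and never limits attempts, beside a hardened version that gives one uniform message, locks after a set number of failures, and only accepts a second email address once the existing primary address confirms it. The account store, attempt counter and token store are constructed in memory for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample account store: email -> salted PBKDF2 hash of the password.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"player@example.com": _hash("correct horse", _SALT)}

def weak_login(email, password):
    """Leaks whether the email exists and never limits attempts (the weak form)."""
    if email not in USERS:
        return "no account with that email"          # enumeration oracle
    if not hmac.compare_digest(USERS[email], _hash(password, _SALT)):
        return "incorrect password"                  # confirms the account exists
    return "ok"

MAX_ATTEMPTS = 5
_failures = {}   # email -> consecutive failed attempts (in-memory for the demo)

def hardened_login(email, password):
    """One message for unknown email and wrong password; locks after MAX_ATTEMPTS."""
    if _failures.get(email, 0) >= MAX_ATTEMPTS:
        return "locked"
    stored = USERS.get(email)
    candidate = _hash(password, _SALT)   # always hash, so timing does not leak existence
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        _failures[email] = _failures.get(email, 0) + 1
        return "invalid email or password"
    _failures.pop(email, None)
    return "ok"

_pending = {}    # email -> (new_address, token) awaiting confirmation from the primary inbox

def request_secondary_email(email, new_address):
    """Adding a second address takes effect only after the primary inbox confirms it."""
    token = os.urandom(16).hex()
    _pending[email] = (new_address, token)
    return token   # in a real system this is sent to the primary address, not returned

def confirm_secondary_email(email, token):
    """Returns the newly attached address on a valid token, otherwise None."""
    new_address, expected = _pending.get(email, (None, None))
    if expected is None or not hmac.compare_digest(expected, token):
        return None
    _pending.pop(email)
    return new_address
```

A per-account lockout like this can itself be abused to lock a legitimate owner out, so real services usually combine it with per-source rate limiting and a notification to the account holder.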
Microsoft continues to maintain that its security hasn't been compromised, despite lots of complaints about this happening to different users. If you have an account, or know someone else who has, make sure you have a strong password on it - preferably not a real word, and a combination of alphabetic and numeric characters. Most importantly, remove your PayPal and credit card details from your account, and don't leave unused points on it.
You can also set up your account so that you need a passcode every time you go on Xbox Live, separate from the password. Hackers could probably brute force that too, but it just makes it a bit more difficult for them.