Xbox Live user traces account hacker

An Xbox Live user whose account was compromised and used to purchase thousands of Microsoft Points has identified the hacker involved, and discovered websites where accounts are up for sale.

In a lengthy post on Tumblr, the user explains that her account was compromised not once, but twice, despite Microsoft having insisted the account had been locked. When she queried this with Microsoft she was told: "The fraud department was unable to block your account."

Microsoft issued a 30-day Xbox Live Gold code to use on a separate account while the compromised account was investigated, which the company explained would take between three and six weeks. When the user switched on her Xbox 360 to set up the new account she found she was automatically signed in to her existing account; despite it having been compromised twice, Microsoft was still yet to block it.

There was a new user on her friends list, and over a series of messages she ascertained that her account had been sold on a website called Tradetang. At the time of writing the site has 1,916 listings in the "Wholesale Virtual Products" category, the vast majority of which are Xbox Live accounts with large numbers of points attached. One such account comes with 6000 MSP and costs just $20.43; most come with a warranty of just two hours, presumably due to the risk that Microsoft is notified of the breach and promptly locks down the account.

There's no way of knowing for sure if this is the root cause of the recent FIFA hacks – which has seen swathes of Xbox Live users having their accounts compromised, with large amounts of Microsoft Points added using stored credit card data and subsequently spent on virtual goods in FIFA Ultimate Team – and we're still no closer to finding out how accounts are compromised in the first place. It does, however, shed a little light on the hackers' methodology once an account has been stolen.

The first order of business is to recover the stolen account and use stored credit card data to buy an Xbox Live Family Pack, which allows for several accounts to be linked between which Microsoft Points balances can be transferred. Then large amounts of Microsoft Points are purchased and transferred to the thief's normal account; the thief then creates several free Xbox Live accounts, divides the stolen points between them, and sells them on individually.

We're getting closer to understanding why hackers are targeting Xbox Live accounts, but no closer to working out how they're doing it. Microsoft has continually denied that it is a problem with Xbox Live security, and instead implied that users are being hoodwinked into giving up their details through phishing or social engineering. That hasn't rung true from the start, and still doesn't. EA, too, has flatly denied that the problem is caused by a weakness at their end.