
Microsoft Refunds Money Lost in Xbox Live Phishing Scam, Promises Better Customer Service

Kotaku

Microsoft said it has intervened to restore the Xbox Live account of a customer hit by an overseas phishing scam, and refunded all unauthorized charges the scammers were able to make as her complaint got lost in customer support and was never properly locked down.

Further, a Microsoft spokesman tells Kotaku that the company is reviewing its procedures in light of this incident, another embarrassing manifestation of a phishing crime wave that has snagged ordinary users and even journalists.

"The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," the company said in a statement. "However, we are aware that a handful of customers have experienced problems getting their accounts restored once they've reported an issue. We are working directly with those customers to restore their accounts as soon as possible and are reviewing our processes to ensure a positive customer support experience."

Microsoft went on to say that "While we do not ordinarily comment on specific cases, Microsoft can confirm that the account in question has been reinstated to its rightful owner and all unauthorized charges are being refunded in full." The victim in question said she had lost $300 from her PayPal account to the thieves as her complaint was being mishandled.

The company repeated its assurances "that there has been no breach to the security of our Xbox LIVE service," which is fine to hear but it misses the larger point that customers really care about: there still is a way whereby someone's account gets broken into and plundered for Microsoft points or downloadable content, which is then sold on auction sites.

It's a delicate message, but in order to be phished, the information used to break into the account typically comes from a third party, like a compromised web site where the victim uses the same login and password. Microsoft doesn't want to blame the victim, and neither do we. But it would be as good a time as any to remind folks to change their passwords, and perhaps use something that is unique to Xbox Live, so that a phisher who uncovers your email address and password because of another site's bad security can't use the same login and password on Xbox Live. Really, it's a good policy to have a unique password for any site that stores your credit card information. It's a pain in the ass, but it's the only way to be sure.

http://kotaku.com/5873877/microsoft-refunds-money-lost-in-phishing-scam-promises-better-customer-service




Lol, this is kinda funny in a way how in the US this has little to no news coverage. I love the bias US journalism has for their beloved American product, but for outsiders they mention any hack right away.



Make games, not war (that goes for ridiculous fanboys)

I may be the next Maelstorm or not, you be the judge http://videogamesgrow.blogspot.com/  hopefully I can be more of an asset than a fanboy to VGC hehe.

So let me get this straight. Some idiot fell for a scam and Microsoft is cleaning up the mess for her? It's nice to know Microsoft has the same policy about fraud as Capital One. They fix it, you get your money back, and all is safe and right in the world.

If I was Microsoft I'd ban her for being stupid and warn people not to fall for phishing scams. Yeah, it was nice of Microsoft and all, but I have little sympathy for the "victim", who probably gave up her login info thinking she'd get something for free.



demonfox13 said:
Lol, this is kinda funny in a way how in the US this has little to no news coverage. I love the bias US journalism has for their beloved American product, but for outsiders they mention any hack right away.


It doesn't make the news as thousands of people get scammed all the time; the only reason it shows up at all is because her complaint got mishandled by MS. Really she is lucky to get anything refunded as she was not hacked, she fell victim to a phishing scam, i.e. she gave her account details to someone and they used them to make purchases.



kowenicki said:
demonfox13 said:
Lol, this is kinda funny in a way how in the US this has little to no news coverage. I love the bias US journalism has for their beloved American product, but for outsiders they mention any hack right away.


If you are comparing people falling for phishing with the Sony hack then you are being a tad foolish. This is in no way the fault of MS. It is the consumer's fault. They are lucky to get anything back. Go have a little think.

I think he just isn't aware of what he is discussing. He thought Microsoft supported the SOPA bill and couldn't fathom why Anonymous only targeted Sony.



kain_kusanagi said:
So let me get this straight. Some idiot fell for a scam and Microsoft is cleaning up the mess for her? It's nice to know Microsoft has the same policy about fraud as Capital One. They fix it, you get your money back, and all is safe and right in the world.

If I was Microsoft I'd ban her for being stupid and warn people not to fall for phishing scams. Yeah, it was nice of Microsoft and all, but I have little sympathy for the "victim", who probably gave up her login info thinking she'd get something for free.

To be fair, this was happening to a large number of people over a period of several months, and it was taking Microsoft some time before it started taking the issue seriously. For the first few months, people that were reporting their accounts had been stolen were having trouble getting their accounts locked and their money refunded through Microsoft.

And it's not clear that it's a phishing attempt. There's been much speculation that the passwords were obtained via other means (for a while EA accounts were the primary suspects, but I think that's since been ruled out) and then matched with Xbox Live accounts that used the same username/password. The number of cases on a forum like neogaf alone implies this is no simple phishing scam. Here are four threads full of people that had their accounts stolen:

http://www.neogaf.com/forum/showthread.php?t=442986
http://www.neogaf.com/forum/showthread.php?t=449608
http://www.neogaf.com/forum/showthread.php?t=451055
http://www.neogaf.com/forum/showthread.php?t=457942 - This thread specifically discusses the sale of stolen accounts on foreign websites.

Even the first link in the Kotaku article discusses the potential gravity of the scam:

http://kotaku.com/5873604/is-microsofts-xbox-live-hacking-problem-worse-than-microsoft-realises
http://kotaku.com/5850126/fifa+loving-hackers-strike-xbox-live-accounts



It's either PayPal or the credit card company that is refunding, not Microsoft. That being said, Microsoft can't be blamed. The only one to blame is the individual who gave her information through a phishing attempt.



demonfox13 said:
Lol, this is kinda funny in a way how in the US this has little to no news coverage. I love the bias US journalism has for their beloved American product, but for outsiders they mention any hack right away.


Umm this is no hack... This was a phishing scandal.

PS: Of course you would say what you just said. Why am I not surprised? Is it because it's directed towards MS?



Yay!!!

makingmusic476 said:
kain_kusanagi said:
So let me get this straight. Some idiot fell for a scam and Microsoft is cleaning up the mess for her? It's nice to know Microsoft has the same policy about fraud as Capital One. They fix it, you get your money back, and all is safe and right in the world.

If I was Microsoft I'd ban her for being stupid and warn people not to fall for phishing scams. Yeah, it was nice of Microsoft and all, but I have little sympathy for the "victim", who probably gave up her login info thinking she'd get something for free.

To be fair, this was happening to a large number of people over a period of several months, and it was taking Microsoft some time before it started taking the issue seriously. For the first few months, people that were reporting their accounts had been stolen were having trouble getting their accounts locked and their money refunded through Microsoft.

And it's not clear that it's a phishing attempt. There's been much speculation that the passwords were obtained via other means (for a while EA accounts were the primary suspects, but I think that's since been ruled out) and then matched with Xbox Live accounts that used the same username/password. The number of cases on a forum like neogaf alone implies this is no simple phishing scam. Here are four threads full of people that had their accounts stolen:

http://www.neogaf.com/forum/showthread.php?t=442986
http://www.neogaf.com/forum/showthread.php?t=449608
http://www.neogaf.com/forum/showthread.php?t=451055
http://www.neogaf.com/forum/showthread.php?t=457942 - This thread specifically discusses the sale of stolen accounts on foreign websites.

Even the first link in the Kotaku article discusses the potential gravity of the scam:

http://kotaku.com/5873604/is-microsofts-xbox-live-hacking-problem-worse-than-microsoft-realises
http://kotaku.com/5850126/fifa+loving-hackers-strike-xbox-live-accounts

Well, that is not a lot of people when there are millions of people on Xbox Live. It may not be a phishing attempt, but more than likely, some of them are. There are also many other ways to get people's account information. A lot of people, unfortunately, use the same information for all their accounts, visit sites that are unsafe, install third party programs that contain keyloggers and such, etc... Various sites that are usually safe to visit may have been unknowingly compromised as well. I know this site has issues. I've gotten some suspicious pop-ups come up when visiting VgChartz. I have various malware and anti-virus programs that I run regularly, just to be safe. There could also be more instances, or this could also be blown out of proportion due to speculation.

Reading a few of those threads, some of their accounts were blocked due to suspicious activity pretty quickly. The fraudulent charges should have been reported to their banks/credit card companies right away. They would handle it. The user is responsible for doing this, and they would have gotten all their money returned to them.



Why they'd go and do that is beyond me, rewarding stupidity has always baffled me.

Ah the poor customer service, $50 gift voucher on xbox live - ie about 7k MS points would have been enough for that.



Disconnect and self destruct, one bullet a time.