Useful Xbox Live Security Links:
What Is The Problem?
A string of hacked Xbox 360 accounts over the last several months has raised questions about Xbox Live security. What is happening is that hackers are getting login information from somewhere, logging into other people's Xbox Live accounts, and using the stolen account to buy Microsoft Points and then buy items (usually FIFA 12 Ultimate Team card packs).. Then they can log out of the stolen account, sign into their own account, and that content they bought with the stolen account will be available for their own account.
This works because of Microsoft's form of DRM (Digital Rights Management). Xbox Live downloads are tied to the account (Gamertag) that downloaded them, but also the system they are first downloaded on. Any account can use content tied to that system. If the system breaks, however, only the account that downloaded it originally will be able to use it later, so it is a bit of a risk. Not as much of a risk as it used to be, since new Xbox 360 systems are much more reliable than older models, but still a risk. Of course, hackers likely don't care if the stuff they stole and got for free stops working if their system breaks.
This Isn't A Hack
An important thing to note is that unlike Sony's infamous PSN security breach in Spring 2011 where its servers actually were hacked into and information taken, what is going on with Xbox Live accounts currently does not seem to be a breach in Microsoft's security. Microsoft has come out on the record as saying that there have been no breaches on its end. In other words, people are not hacking into Microsoft and stealing the usernames and passwords.
What Exactly Is Happening?
So what is happening? As near as we can tell, it is a combination of social engineering (the bad guys know some of your information and then try to call Microsoft to get the rest), along with poor password management on the part of the people that are getting their accounts borrowed. Videogame companies are not the only places that ever get hacked. Retailer websites, blog sites, banks, and many many more get hacked all the time. The hackers don't necessarily want your account numbers and credit card info, though. All they really need is usernames and passwords - I.E. login info. They can then take that login info to other websites - e-mail, banks, retailers, Xbox Live, etc. - and use those usernames and passwords to try to get in.
Most of the time, if the owners of those usernames and passwords have any sort of basic online security experience at least, this won't work and at least the password will be wrong so the hacker can't get in. Some people, however, are lazy and use the same password and username / e-mail across multiple sites. When this happens, the hackers that get your info from "Site A" can then go use it at "Site B, C, D, E, etc." because it is all the same.
That seems to be what is happening specifically with these FIFA 12 hacks. Usernames and passwords are taken from one site, and then are used to try to log into other sites. In this case, they are trying dozens or hundreds of username/password combinations for Xbox Live accounts until they find one that works. Then they sign in and buy a ton of Microsoft Points with the stolen account's credit card. How do we know this is connected to FIFA 12? Because pretty much all of these recent hacked accounts were used to buy FIFA 12 Ultimate Team card packs. Sometimes the hackers even PLAY FIFA 12 on the stolen account, which the account owner can easily see by checking Xbox.com. Electronic Arts hasn't said anything officially on the matter. Frankly, it doesn't appear to be their fault, just an unfortunate coincidence that one of their games is the catalyst for this happening.
How Can You Protect Yourself?
What can you do about it? First, always use a different password for every site. I know it is a pain to have to remember a different password for 15-20 different logins, but it will save you a lot of trouble later on. Also, change your passwords every few months. Secondly, and I have said this in the past, but we do not recommend you ever use a credit card on your Xbox 360. They are a pain to actually remove from your account once they are on there, and accounts are set up to auto-renew your Xbox Live Gold subscriptions unless you jump through hoops to specifically turn that option off. It is just better to not have a credit card attached to your account. Use Xbox Live Gold subscription cards or MS Points cards purchased at retailers instead. It will save you a lot of trouble down the line. And, even if your account is logged into by someone else, you won't have a credit card there for them to use and they'll move on, likely without doing anything bad to you.
What Happens if Your Account is Stolen?
When you report a stolen account, it is locked up while an investigation occurs. It will be locked for anywhere from 10 days to possibly 90 (in rare cases depending on the complexity of the account). Your account is only locked off of Xbox Live, you will still be able to play games, earn achievements, and save games as normal, you just can't sign in to Xbox Live. When your account is restored, you'll be able to sign in to Live and everything (achievements, saves) will be synched.