1. Credit Cards - Perhaps most important of all: never use a credit card on your Xbox Live account. It is the first piece of advice I give new Xbox 360 owners and it is the first thing I'll say here. If you don't have a credit card on the account, even if someone gets access to the account they won't have any way to buy anything and will generally leave you alone. At worst they might change your password so you'll have to jump through some hoops with Microsoft to get the account back, but at least they didn't spend any of your money.
On this note, it is also recommended you don't leave a large amount of MS Points on your account. Hackers might not be able to spend any "real" money if there isn't a CC on the account, but they will spend your MS Points. Try to only buy and redeem enough MS Points cards - from legit retailers and not the surprisingly cheap sales on eBay (more on that below) - for the items you actually want to buy at the moment.
2. Passwords - Use unique usernames and passwords wherever possible. At the very least, use a different password everywhere. One way people are able to "hack" Xbox Live accounts is that people use the same password everywhere, so the hackers only need your info from one site - maybe an online store or forum or other site (it's kind of a dirty secret that sites get hacked all the time, but they do) - and the information from that site can be used to access everything else you do online if you use the same password. Using unique passwords and actually changing them every once in a while will go a long way towards making you safer online.
3. Phishing - Phishing, as any veteran of the Internet should know, is when you get a suspicious e-mail out of the blue from your bank, or credit card company, or eBay, or Microsoft, etc. that asks you for your password or other account information. Companies will never, ever ask for this information via e-mail, so it is almost assured it is some nefarious person trying to take advantage of people. Aside from asking for sensitive information, these fake e-mails are also usually easy to spot because they'll have typos, inaccurate information, odd-looking logos or fonts, or other telltale signs that it isn't legit.
If you get an e-mail like this, definitely don't reply to it, and don't click on any links contained in the message either. Those links can lead to viruses or spyware or other nasty things. Companies take phishing and fake spam with their name on it very seriously and usually have some sort of e-mail address you can forward the fake message to (you'll have to look it up for the companies on your own) so they can investigate it and try to stop the people doing it.
4. If it sounds too good to be true, it probably is. - You've probably seen eBay auctions for cheap Microsoft Points or Xbox Live accounts full of already downloaded games before. These MS Points are almost always stolen retail cards, created by random number generators, or flat out stolen from other people by using a stolen credit card to buy the points. There is a reason why they are cheap - they were stolen in the first place. As for Xbox Live accounts for sale, more than likely these were hacked and stolen from someone else as well. Is getting something for cheap for yourself really worth, most likely, screwing over someone else who had their account hacked or credit card info stolen? You could be the next one to get ripped off. We actually warned people about this in July 2009 but some folks never seem to learn.
5. Don't Share Your Account Info - Similar to #4, but if you see a deal on eBay or some shady website that will sell you MS Points but requires you to let the seller migrate your Xbox Live profile to their system, it is almost certainly a scam. Really, this should be obvious.
Likewise, if you buy points and are given login information for a new account with the points already on that account (with the idea being you buy items with the points in that account, and then those items are also available to the other profiles on your system) it is, again, likely that someone along the line is getting scammed. A common tactic is to hack someone's account, use their credit card to buy a ton of MS Points, and then create a "Family Account", which allows family members to share MS Points between them. Then they move the MS Points from the hacked account to a connected Family Account and then sell the login info for the Family Account.
6. The FIFA Hack - In 2011 and continuing into 2012, a common tactic of hackers involves using FIFA 12 to essentially launder money through the title's in-game marketplace (hack someone's account, buy FIFA Ultimate Team cards with a stolen credit card, sell the Ultimate Team Cards to other users on eBay). We have a full article on the FIFA Hack here - Xbox Live FIFA Hack Explained.
7. Xbox Live Itself Hasn't Been Hacked - It is also important to note that these hacks and exploits aren't really Microsoft's fault. Unlike Sony's Spring 2011 PSN Hack, no information has actually been stolen from Microsoft. With that said, it is still Microsoft's responsibility to close up all of these existing loopholes, which it has been slow to do. So, until Microsoft actually does something, users have to protect themselves.