Not through MS, but through using the same login / password across multiple services,
http://www.tomsguide.com/us/Eric-Doerr-M...news-15898.html

I kinda figured that out the hard way, when my XBL was hacked less than 2 days after syncing my XBL Friends List with EA Origin.
EA Origin was using the same email-login and password as XBL at the time, but that wasn’t the cause.


My Findings since being hacked a few months back, are conclusive, I’m a sneaky #%&*$#, and I have enough know how in the Computer Forensics area to investigate some things on my own. I dont like it when I something like this happens to me, and I dont take it lying down, so I went off on my own and conducted a covert op.

My XBL/Passport.net login/password was the same for 11 years before I got my account hacked.
So for it to get hacked after using the "Add Xbox Friends" feature in Origin,
It's just too easy to point the finger at EA Origin storing my XBL Password as text only on Origin's server or something.

Refusing to believe I was phished (Support for EA says I was, MS Support knows me well enough to not say it.)

After setting up a Burn Account on Gmail, Origin and a Burn Silver Account on XBL w/ random passwords not like anything I already use, I Synced My Account and Friends list on EA Origin,
The Silver Account was HiJacked in less than 5 hours after syncing to EA,
The person that hijacked this account figured out it was a burn account, and that he was in deep #%&*$# and tried to actually email me, as the account was created on Xbox.com and never used on a console, so when I emailed MS they immediately traced his console and IP address he connected from, don’t know or care about what happens to him afterwards.

Then, I decided to try it a different way, on a newly created silver account, booted a fresh copy of NHL 12, and agreed to sync with EA’s servers, and signed into the same EA burn account.
Less than a day later, the account was hi-jacked, and the entire account info was changed (name, location, bio, etc etc),

emailed MS and EA the findings, EA still insists I was phished, yet the accounts were setup purposely as burn accounts with random passwords that I do no use anywhere and hacked within hours of setting them up.
I never entered the login info anywhere.

My brother’s silver account is going on 7 years old, and its never been targeted/hijacked, as he doesn’t use it to play games online, so he hasn’t sync’d any games with EA and vise versa.

I confirmed this with 2 other friends, who conducted the same "Burn Account" trials and we Emailed Findings to a friend of mine that works for Xbox Live, which was then forwarded up the chain for them to investigate further.

But like I’ve assumed all along, there is a leak somewhere between EA and XBL, as the accounts are hi-jacked after syncing to EA, Attempted Purchases/History also shows they tried to purchase points (on a silver account with no CC info), and tried to purchase FIFA items as well as the same Arcade titles both times.

My Personal account didnt get Hijacked until I started to use Origin, before that, 11 years no problems, NHL Demos Galore, Battlefield Games, and other EA Games, synced and signed into EA.com w/ the same login that My Origin uses.

Microsoft has tons of examples over the last 8-10 months of this stupid hack going on that XBL accounts are being compromised via the XBL->EA->XBL link, yet they choose to do nothing to stop it other than blame the customer for being stupid/phished etc.

The lame excuse that customers are stupid and use the same password on multiple sites is not a reasonable defense, everyone knows this happens, and they have had almost 1 year of this hack going on, yet they still allow not just the link to the compromised EA servers but also the methods that the hackers use to clean out the XBL account.

i.e. how hard would it be for MS to put in some anti fraud controls in XBL to prevent things like a XBL account that has a NA IP normally, all of a sudden one day have a hacker's XBOX console located in Russia newly log into the account, and start buying $500 of XBL EA points purchases via the credit card, deleting all the friends on the XBL account etc? Doesn't this type of behavior look suspicious?

This is basic anti-fraud anti-account takeover stuff that other credit card processing vendors that care about customer security (like Amazon, NewEgg etc) do on a daily basis, and the fact that Microsoft refuses to do this or remove the XBL link and just blame the stupid customers is ridiculous.

At what point does Microsoft XBL decide they want to keep their customer base safe from EA's obviously compromised servers or server link? or protect XBL users from fraud?

So far the profits of EA games points purchases via XBL are more important than the security of the XBL customers or the reputation of XBL security, much easier to just come out with comments that it's the customer's own fault for being stupid.

Oh well, I learned not to store a valid CC on XBL, I just buy points from Amazon now when needed.

PS. The ironic part was Sony got the bad security reputation yet none of the users compromised there ever lost any actual money and Sony took down the PSN immediately to stop any further hacks until they could be fixed, yet XBL has had this hack going on for almost a year and still does nothing.

technically, being asked to sync with EA is being phished, by EA. lol...

so I just keep my EA/MS Xbox Live stuff separate, as I've always done up until BF3.

the hack has been going around for more than 2 years now actually.

I'm just surprised, that they never changed my password or deleted my friends, they just simply hijacked it to buy fifa crap.

Yeah you got lucky I'm still finding people who think I didn't want to be friends anymore hehe.

i might have lost a few... but I should prolly clean my list, its been full since 2002, and people fight to get on the list, I have people that havent been on since the 360 launched.

Wow thanks for this Skate. VERY interesting, and actually not surprising at all. So going by what you wrote here, my account should be OK, since my EA.com account is a different email and password than my Xbox account? (I don't have Origin, just one of the original EA.com accounts from before Origin)

i think Origin would use your EA.com account. at least it did when i installed it.

"Microsoft fights back against Xbox Live account threats, begs you to update your security settings"

Yeah you dumb users, it's obviously your fault the hackers can intercept your XBL->EA server link and then use it to take over the XBL account and rack up hundreds of dollars of points purchases on your XBL credit card, from a new Xbox console in Fraudistan Russia, update your security settings already... duh! If you don't you have only yourself to blame...