Something interesting happened to me late last night: someone attempted to gain control of my Xbox Live account.
I was in the middle of playing Minecraft with friends when I was signed out of Xbox Live; a pop-up appeared explaining that my profile had been signed in on another console. At first I thought it was some sort of connection issue, so I signed in again. After a minute, I was again signed out because my profile was on another console. It was at this point that I realized someone else was trying to access my profile at that very moment. I changed my Xbox Pass Code, signed in a third time, and looked up Microsoft's Xbox 360 security page, which confirmed my fears and recommended that I require my Windows Live ID to sign in my profile. I had never done that before and didn't want to have to enter a lengthy password every time I wanted to play on Xbox Live, so I did the stupidest thing I could have done and waited to see if the "hacker" would try again.
Ten minutes later, he did.
This time, I wasn't fast enough. He signed in my account on his console, so I finally hit the button to require my Windows Live ID password at sign-in. I changed my ID password, re-downloaded my profile, and successfully signed in again. But in the time it had taken me to do all of that, the "hacker" spent 560 of my MS Points on two weapon skin sets for Gears of War 3. Fortunately, I had regained my profile before anything else was lost, and I didn't have a credit card assigned to it; at worst, I could have lost another $40 of MS Points and my profile. Since requiring the password, any further attacks on my account, if there have been any, have not succeeded.
Since then, I've contacted Microsoft and they're on the case. The investigation should take between 3 and 25 days, during which time all of my Windows Live-associated stuff is on lockdown. Hopefully at the end of it I get my lost Points back and something's done about the perpetrator.
More than anything, this incident has told me that account takeovers can happen to anyone. I thought I was safe, that sheer numbers would protect me and hackers would never take notice of my profile because there are so many others. I was wrong, but I got off easy. You may not. So if you haven't already, I strongly recommend you make sure that your Xbox Live profile requires your Windows Live ID at sign-in (instructions here). My worries about having to re-enter the password every time I sign in were unnecessary; there is an option to allow the particular console that you're using to remember the password.
Let my misfortune be a lesson to you.
- Update - May 17, 2012
Good news! Microsoft has concluded their investigation into the attack on my account. I was refunded the 560 MS Points that the "hacker" stole (the email indicates that in the event I had a credit card on my account and he purchased something with that, I would also have been refunded that money). What's more, the Gears 3 weapon skins he purchased are still listed in my download history, so it looks like I can download them and use them myself. I essentially got free stuff out of this ordeal. I would have liked some news about any action Microsoft is taking against the "hacker", but overall I'm satisfied with how my problem was resolved. What's important is I came out of this potentially disastrous situation more or less unscathed. Microsoft can definitely help you if you become a victim of account theft.