The first sign of trouble appeared in Cory Rogers’ Xbox Live Friends list — it suddenly showed a bunch of new names he didn’t recognize. He deleted them and didn’t give it much thought. Then one of Cory’s friends asked when he’d gotten Halo 2. “I didn’t,” Cory said.

“That’s strange,” his friend replied. “I saw your Gamertag playing Halo 2 last night.”

Travis Connor’s problems started when he was suddenly logged off of Xbox Live and couldn’t log back in. According to the error message, his password — the one he’d always used — was now incorrect.

When Brandon Myers’ Xbox Live account was compromised, he reluctantly allowed a Microsoft rep to lock his account. In the end, he lost his 25,000-plus Gamerscore, 4,000 Microsoft Points, his full Friends list, and more than 30 game titles he had bought via Marketplace. After three years of constant gaming, he was forced to start over from scratch.

It’s a gamer’s worst nightmare: an unknown scam artist has assumed your online identity, using it to play games in your place, plus spending your Microsoft Points with reckless abandon and posting messages (possibly offensive ones) while posing as you. Hackers with a sadistic streak may even enjoy driving your rep right into the toilet by deliberately allowing you to die or be defeated online.

Worse, you are forced to watch helplessly while it happens, and there’s nothing you can do to stop it.

The Company Line

Understandably, most gamers turn to Microsoft for help and defense. “Occasionally, isolated incidents occur where malicious users have used social engineering to gain access to Live accounts,” says David Dennis, Xbox 360 Group PR Manager, Corporate. “Xbox Live members should never give out any of their personal information. It’s important for users to call 1-800-4MYXBOX and discuss the situation with one of our customer-support representatives as soon as they believe there is an issue with their console. Microsoft investigates each incident to implement practices with our support staff and partners to prevent this type of social-engineering attack.”

Some hacking victims have complained about this process being frustrating and time-consuming. Worse, the end result is usually that their account gets locked, at least temporarily — meaning nobody can use it, including the legitimate account holder. The ensuing investigation can take several weeks, during which time the account will probably remain locked. In the end, many accounts — and their associated Achievements — end up lost forever.

In Microsoft’s defense, it can often be nearly impossible to figure out who the account really belongs to. And the reps have reason to be skeptical of callers — it’s not unheard of for a scammer to call and claim they’re the rightful holder of an account in an attempt to get a Microsoft rep to grant them access to it.

Worse, these kinds of attacks may be becoming more frequent. ESET, a provider of security software, has recently noticed an increase in malicious attacks targeting online gamers. Jeff Debrosse, the director of ESET’s research department, says sometimes these scammers are just in it for kicks or bragging rights, but there’s often a monetary motivation as well. “There’s a healthy marketplace for trading virtual assets like game-related characters, weapons, points, and other items,” Debrosse tells us.

How It's Done

Microsoft’s Dennis brings up the phrase “social engineering,” which is really a fancy term for hackers getting you to willingly reveal personal info like your real name, your phone number, and your email address — all of which can be traced to your Live account. While Cory, Travis, and Brandon can’t figure out how scammers got their account information, Tristan O’Dell suspects he knows how his Gamertag was stolen. “I was playing Gears of War with a guy, and after our match I got a message from him that said: ‘Hey guys, I just found a website for Gears of War 2 beta codes. Just sign in and a code should be sent to your email address.’ Against my better judgment, I signed in. As soon as I did, my Gamertag was signed out of Xbox Live. When I tried to sign back in, I was told my personal info did not match.”

With PC games, thefts often involve Trojan programs that track log-in information, but Xbox hackers seem to prefer “phishing” — tricking people like Tristan into divulging their log-in info, often without even realizing it. Scammers generally lure in their victims with the promise of special codes or Microsoft Point “giveaways.” They’ll include a link that often appears to be a Microsoft/Xbox address — in reality, it leads to a site the scammer has set up (often on a free hosting service). It may even contain what appears to be an official Xbox/MSN log-in page. As soon as you enter your info, the hacker accesses your account and changes your password(s), thus locking you out of your own account.

The Reset Button

After a call to customer service to report the theft, there’s really little else you can do other than try to carry on and hope for the best. Tristan recovered his Gamertag, but he suspects the scammer is still lurking, as games he has never played keep appearing in his list of recently played games. Travis was also lucky enough to reclaim his stolen name — “I was totally crushed when I thought I’d lost the account forever,” he recalls, but admits he would have started over with a new Gamertag eventually. Others, like Brandon, are less fortunate. “This is a time of dismay and confusion,” he says. “I feel as if someone has ripped my gaming heart out.”