Sharing accounts

The simplest form of account theft can occur when you share your account information such as Windows Live ID and password with someone else. This could be a friend, relative or roommate.

If you see unexpected charges on your bill, check with family or anyone else who has access to your profile and console. Your kids might be using your card for Xbox LIVE purchasing. Compare your purchase history with content stored on your console, it may be from content being purchased on your own console by someone in your home.

Solution: Don’t share your Xbox LIVE account with other users. Set a passcode on your account.

Phishing emails or websites

Phishing is an Internet scam designed to trick you into revealing information about your accounts. This information includes your Windows Live ID and password, and details about you or your accounts that can be used to gain access to your accounts.

The majority of phishing scams are websites offering deals that are too good to be true such as free Microsoft Points. Don't believe them!

Other phishing methods include:

  • Email messages that appear to be from a coworker or friend with links to a website or asking for information about you or your account.
  • An instant message that appears to come from someone in your friends list with a link to a website
  • An email appearing to come from Xbox or Microsoft.
  • In-game messages claiming to be from Xbox Support.
  • A "spoof" website, pretending to be an Xbox LIVE website with a Windows Live ID login page.
  • Gamerscore-boosting websites.

Regardless of the phishing method, the single most important thing to remember is: Do not reveal your login credentials or other information about yourself or your accounts.

Solution: Microsoft will never ask for your Windows LIVE ID password within email or over the phone. Enter your Windows Live ID password only at known Microsoft trusted sites or through the Xbox 360 console. 

If you suspect that someone is trying to Phish you, you can use the following tools to report it as a potential scam. By doing so, this helps build our partnership in keeping everybody else safe.

  • Xbox 360: Bring up the player profile, select File Complaint, select File Complaint again, select Text and Voice Communication and then select Text message to file a complaint where it will be reviewed by our enforcement team
  • Internet Explorer: While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website
  • Hotmail: If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam
  • Email: Attach the suspicious email message to a new email message and forward it to

Leveling and achievement boosts

This type of theft occurs when other users promise you that they can unlock specific achievements for you or level you up within a game to receive new features. These people will often send messages to your Xbox LIVE Message Center or post on forums advertising their fake services.

This involves providing the thief with your username and password. Once they have this, then it's safe to assume your account has been compromised. As a bonus for the thief, if there is a credit card or MS points on your account, they can go on a shopping spree.

Solution: Do not provide your Xbox LIVE or Windows Live ID username and password to anyone.  

Social Engineering

Social engineering is the process someone uses, through seemingly meaningless conversation or other means, to manipulate you into revealing personal information about yourself or your accounts. Once the person has enough information about you, they can pose as you and attempt to obtain access or make changes to your account.

Solution: Do not reveal personal information about yourself or your accounts. Do not share personal information no matter how trivial it seems.

Third party security breaches

If you use the same username and password for all web sites that you use, you are putting yourself at great risk. If you are notified or hear that a website has been compromised, go to, sign in and change your password immediately!

Solution: Don’t use the same username and password for all of your sites. If you do then if a thief compromises one website, then he can easily get into all your secure websites.