Xbox and Microsoft Game Account Takeover Scam
Scammers target Microsoft and Xbox gaming accounts through phishing, credential stuffing, and fake prize notifications, hijacking accounts to steal in-game currency, game libraries, and stored payment methods.
Part of: Game Account Takeover Scams
Last reviewed: 8 June 2026
Microsoft gaming accounts combine two valuable targets in one: a Microsoft account that may be shared with Outlook, OneDrive, and Microsoft 365, and an Xbox profile that may contain years of purchased games, earned achievements, in-game currency, and a linked payment card.
Attackers pursue these accounts through multiple channels — phishing emails claiming the account was suspended, fake 'you won an Xbox Series X' notifications, and credential stuffing using email-password pairs from unrelated breaches. The dual value means even a gaming-focused attack can escalate into broader account compromise.
Once an attacker has access, they typically cash out immediately: redeeming Microsoft Store gift card balances, purchasing downloadable content on the linked payment card, and sometimes selling the account with its game library to other players.
How this scam works on the Microsoft brand
Microsoft communicates Xbox account security alerts through email from @microsoft.com addresses and through in-console notifications on the Xbox dashboard. Microsoft's real notifications never ask you to click an external link and enter your password to resolve a security issue.
The phishing variant typically arrives as an email claiming your Xbox account was flagged for cheating or unusual activity, or that you won a promotional prize. The link leads to a Microsoft-branded login page that harvests credentials in real time. Credential stuffing attacks are silent — the victim simply finds their account logged in on unknown devices when they next check.
Once access is obtained, attackers change the account's recovery email and phone number before the victim notices, completing the lockout. Gift card balances are drained first because they are immediately redeemable without triggering bank fraud controls.
Common red flags
- An email says your Xbox account violated rules and will be banned unless you verify immediately via a link.
- You receive an unexpected 'you won an Xbox gift card' notification from an address that is not @microsoft.com.
- The linked page asks for your Microsoft account password — Microsoft's real sign-in flow does not behave like this from an email prompt.
- You notice game purchases you did not make or a gift card balance that has disappeared.
- Your Xbox console shows that a different gamertag or account is active when you sign in.
- Your Microsoft account recovery details have been changed without your knowledge.
How to protect yourself
- Enable Microsoft Account two-step verification at account.microsoft.com/security — use an authenticator app, not just SMS.
- Use a unique password for your Microsoft account, separate from your email login or any gaming site.
- Review devices signed into your Microsoft account at account.microsoft.com/devices and remove any you do not recognise.
- Check recent activity at account.microsoft.com/activity for any purchases or sign-ins you did not authorise.
- Enable spending limits on Microsoft Family Safety if minors are using the account.
- Never click account-security links in emails — go directly to account.microsoft.com instead.
How to report it
- Report the phishing email to Microsoft at [email protected].
- Report suspected account compromise at account.microsoft.com/security — use the 'Report a concern' option.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If fraudulent purchases were made, contact Microsoft Support to dispute them at support.microsoft.com.
Frequently asked questions
Can I dispute fraudulent Xbox purchases made on my account?
Yes. Microsoft reviews unauthorised purchase claims submitted through Microsoft Support at support.microsoft.com. Act quickly — the sooner you report after noticing the charges, the stronger your case for a refund.
My Microsoft account was taken over and my recovery email was changed. Can I still recover it?
Yes, but you may need to go through Microsoft's account recovery process at account.live.com/acsr. You will need to provide information that verifies your identity as the original account owner.
Is my Microsoft 365 subscription at risk if my Xbox account is compromised?
Yes. If your Xbox uses the same Microsoft account as your Microsoft 365 subscription, a takeover compromises both. This is why using a unique, strong password and enabling two-step verification are critical.