Xbox.com has been hacked claim users - update: Microsoft response

Possible evidence that Xbox.com has been hacked has emerged in the US, suggesting that the Microsoft Points scandal really does have more to it than just phishing scams.

Despite hundreds of users - including many writing into the Inbox - reporting that their accounts have been illegally accessed, Microsoft has claimed that the problem is due to phishing scams, malware and other indirect methods.

Most Xbox Live users are convinced that it’s more serious than that, and that Xbox Live has been hacked, but up until now there’s been no evidence of that – from either Microsoft or independent investigators.

But now website AnalogHype is claiming that the problem is with Xbox.com and that accounts are being hacked. A network infrastructure manager called Jason Coutee contacted the website after 8,000 Microsoft Points were purchased on his account by persons unknown.
Microsoft support didn’t prove much help and so he investigated the problems on his own, concluding that website Xbox.com is the root of the problem. According to him hackers have been googling gamertags mentioned on Facebook, Twitter and the like to uncover valid Windows Live IDs.

Once they find a valid one they then use an automated script to discover the password, via what sounds like a pretty sloppy bit of security on Microsoft’s part.

Whether any of this is true we’ve no idea, we’re certainly not network infrastructure managers, but we’ve put a call into Microsoft to see if they’ve got any update. Coutee’s investigation makes no mention of EA or FIFA 12, which are commonly reported as being somehow involved, so whether this is the whole story or not is also unclear.

UPDATE: The following response is the current official line from Microsoft:

'Microsoft can confirm that there has been no breach to the security of our Xbox Live service.The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it.

We continue to evolve our security features and processes to ensure Xbox Live customers information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable.

As always, we highly recommend our members follow the Xbox Live Account Security guidance provided at http://xbox.com/security to protect your account.'

Additional Q&A

Q: Why did Microsoft not listen to Jason Coutee when he called to talk about this issue?

A: For security reasons, we do not publicly discuss the architecture of the Xbox Live system or account security. We direct concerned customers to the forums where we monitor for topics such as security concerns. Security in the technology industry is an ever-changing process. With each new form of technology designed to deter attacks, the attackers find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox Live customers information is secure.

Q: Any comment from Microsoft on the loophole identified on Xbox.com?

A: This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue.

Q: Is this indicative of an increase in Microsoft’s security risk?

A: No. We place great importance on the privacy of our customers’ information and the safety of their experience online. We investigate all reported cases and resolve issues as quickly as possible.

Q: How can people avoid this type of thing from happening?

A: We take great measures to improve the security of customer information and as with any online service we recommend customers set strong passwords and refrain from sharing any personal details that could leave them vulnerable. You can find more information on improving the security of your information at http://support.xbox.com/en-us/pages/xbox-live/how-to/account-security.aspx.

Q: It seems like Microsoft has known about account hijackings for years, but is unwilling or unable to build in steps to prevent it from happening. What is taking you so long to fix this issue?

A: Security in the technology industry is an ever-changing process. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time account security features have been added to help protect our customers' accounts (such as Trusted PC and Strong Secondary Proofs available from Live.com) and we will continue to add features and processes that help protect our problems. People attempting to hack someone’s account need to be aware that engaging in identity theft, trading in stolen accounts, and committing credit card fraud is all illegal, and those involved in this activity risk criminal prosecution.




By GameCentral - 13th January, 2012
http://www.metro.co.uk/tech/games/887330-xbox-com-has-been-hacked-claim-users-update-microsoft-response

Category: Gaming News