Microsoft dismisses claims of Xbox Live hacking

by Steven Williamson on 16 January 2012, 17:17

Tags: Microsoft (NASDAQ:MSFT)

Responding to claims that Xbox Live accounts have been illegally accessed, as well as allegations that hackers can easily obtain user details from, Microsoft has issued a statement.

Last week, Microsoft was forced to issue a very brief statement after claims that Xbox Live accounts were compromised. Microsoft has previously insisted that any person affected by an account breach must be a victim of a phishing attack as hackers had not breached Xbox Live security.

“Microsoft can confirm that there has been no breach to the security of our Xbox Live service,” it wrote following the claims.

This week, US gamer Jason Coutee has hit the headlines claiming that a workaround exists allowing hackers to obtain user information from. Though Microsoft hasn’t responded directly to Coutee’s claims, it has issued a more comprehensive statement to allay the fears of worried gamers.

“Microsoft can confirm that there has been no breach to the security of our Xbox Live service,” reads the statement. “The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats.

“Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox Live customers’ information is secure.

“Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable.

“Xbox Live users should be wary of any emails sent to their Xbox Live or registered account claiming to be from Microsoft. If an email arrives asking you to submit your username and password, chances are it’s fraudulent. If you suspect that an email isn’t legit, you should report it immediately to the Xbox Live Support team.”

HEXUS Forums :: 9 Comments

While it may not have been “hacked”, it does have a serious security flaw and it's frankly disgusting they aren't doing anything about it.

Here is how the accounts are being broken into:

The first step was to gather the Windows Live IDs of gamertags. So after a round of Halo Reach, he gathered a list of gamertags and entered them individually on Google. Thanks to Facebook, Twitter, or any other links that have their email advertised, hackers now have a potential list of Windows Live IDs. Now the hackers check to see if the email is a valid Windows Live ID. To do this, hackers headed to Typing in the email and a random password like blah.

If the hacker got the error message “account is invalid” they move on to another email.

When the hacker comes across the error message “password is wrong” then that account is in trouble.

Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker. Once a hacker is in your account, nothing is safe. Hackers will take your credit card info, Netflix, Hulu Plus, the works.

Credit to
While it may not have been “hacked”, it does have a serious security flaw and it's frankly disgusting they aren't doing anything about it.

Here is how the accounts are being broken into:
Many thanks for posting the explanation. :thumbsup: Actually I was going to suggest that the argument between Jason Coutee and Microsoft could easily be settled - if JC can break in then XBL has been compromised, if not then maybe MS is correct.

Problem I've got with the attack as detailed is that surely, with the “requirement” to circumvent the Captcha input, the number of guesses that a scripted attack can perform is going to be throttled. Being worried about this I fed my XBL password into GRC's password haystacks evaluator and it's coming back with breakage times into tens of centuries - and that's assuming that the script kiddie can generate 1000 hits/second. And unless told otherwise, I'm going to assume that el hacker isn't going to be able to generate this kind of throughput.

So I think I'm not too concerned at the moment, but I'm a bit dismayed that MS don't appear to be taking it seriously - some statement that they've actually checked out the suggested attack method would go a long way to reassuring me. Oh, and some modification to XBL/Live so that it tracked the number of failed login attempts on an account and locked after a set number of consecutive failures - say 20 perhaps - with a successful login resetting this counter. Yes, I know this leaves folks open to a DoS attack against their accounts - we just can't win can we? :(
MS need to know the difference between noticing and not.

Having not seen it, does not mean it has happened.
I never hook up my card details to XBL as I buy codes online on a website much cheaper. And I don't really use the other services, got a PC hooked up to the PC, but yeah MS needs to secure it better, because there are so many ways that people take your Windows ID and because of XBL it has greatly been increased
But that is using brute force… brute force isn't a security ‘issue’ on MS's end, it's people failing to keep their ID secure. The whole point of an ID is for your login and then your user name is used for everything else… If they're finding your logins through your Facebook/Twitter accounts then you clearly don't try and keep your account secure and it's your own fault!

Brute force is a very basic method so I'm not sure why it mentions skilled hackers as it doesn't require any skill to do it in a reasonable time. However I will say this, Microsoft should be introducing tighter attempt methods, it should be 3 - 5 at most and then BLOCK logins for x amount of minutes as captchas aren't that effective anymore :(.

But again, MS are right in their statement, users should be using a decent length password with capitals, punctuation, numbers. Simple stuff that everyone should be educated in, it would help you in avoiding this a lot!

Looking at it though it's similar to most systems, look at Facebook: you just merely login and failed attempts require captcha but that's it! Facebook is even worse when you think about it as a lot of people have their email on their profile info so straight away there's the ID…
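The lockout that two of the comments above propose (a small cap on consecutive failures, then a timed block, with a successful login resetting the counter), written out as an added example that is neither the article's nor Microsoft's code; the class names, the 5-attempt and 15-minute thresholds and the sample account are assumptions. The counter is kept server-side per account, so starting over with a new page or session does not reset it, and an unknown ID gets the same answer and the same hashing cost as a wrong password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5           # the comments suggest 3 to 5 consecutive attempts
LOCKOUT_SECONDS = 15 * 60  # then block logins for a fixed number of minutes


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failures, stored per account server-side
    locked_until: float = 0.0


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_DUMMY_SALT = secrets.token_bytes(16)  # used to equalise cost for unknown IDs


class LoginService:
    """Hypothetical login backend; only the policy comes from the thread."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, live_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[live_id] = Account(salt, _hash(salt, password))

    def login(self, live_id: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'invalid'. `now` is a Unix timestamp
        passed in by the caller so the lockout window is testable."""
        acct = self.accounts.get(live_id)
        if acct is None:
            _hash(_DUMMY_SALT, password)  # same work as a real check
            return "invalid"              # same message as a wrong password
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.pw_hash, _hash(acct.salt, password)):
            acct.failures = 0             # success resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "invalid"
```

Because the response for an unknown ID and a wrong password is identical, a login form built this way no longer confirms which e-mail addresses are valid IDs.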