It looks as though the Xbox.com website may be the source of the recent wave of compromised Xbox Live accounts, according to a report on Eurogamer.
Speaking with a source by the name of Jason and looking over the website AnalogHype, Eurogamer found the Xbox website allows for eight password attempts when logging into a Windows Live ID before CAPTCHA kicks in. This allows someone other than the account holder to run a password-generating script to gain access to the account before CAPTCHA recognizes the failed log-in attempts.
The person trying to gain access to the XBL account can simply find out the Windows Live ID by doing a Google search or by looking over a list of Gamertags which have played Xbox 360 games online.
Once a user name is chosen, a search for the account holder’s email addresses is conducted, and then the culprit goes through a trial and error process trying to log into the account using the Windows Live ID system until successful, or giving up and moving on to the next account.
In other words, it’s not actually a hack, like last year’s PSN debacle, but more along the lines of “brute force” unauthorized access, with legitimate channels being used to gain entry into an account.
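The weakness described above is a CAPTCHA counter that only sees the attempts made within one login flow, so a defender wants failed logins counted per account across every session and source address. The Python detector below is an added example (not code from the article, Eurogamer, AnalogHype or Microsoft): it parses constructed log lines in an assumed format and flags accounts whose failures within a time window reach a threshold even though no single session reached eight attempts; the log fields, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<sess>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<res>\S+)$")

def constructed_log():
    """Constructed sample (not real data): alice gets three sessions of seven
    failures each, every one below an eight-attempt CAPTCHA threshold; bob fails once."""
    lines, t0 = [], datetime(2012, 1, 10, 10, 0, 0)
    for i, sess in enumerate(("s1", "s2", "s3")):
        for k in range(7):
            ts = t0 + timedelta(seconds=i * 60 + k * 5)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} session={sess} "
                         f"src=198.51.100.{i + 1} user=alice@example.com result=FAIL")
    lines.append("2012-01-10T10:05:00Z session=s9 src=203.0.113.5 user=bob@example.com result=FAIL")
    return "\n".join(lines)

def parse(log_text):
    """Parse the assumed log format into (timestamp, session, src, user, result)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["sess"], m["src"], m["user"], m["res"]))
    return events

def flag_accounts(events, window=timedelta(minutes=10), threshold=8):
    """Sliding-window failure count per account across every session and source;
    returns {user: (peak failures in window, distinct sessions)} at/above threshold."""
    fails, sessions = defaultdict(list), defaultdict(set)
    for ts, sess, _, user, res in events:
        if res == "FAIL":
            fails[user].append(ts)
            sessions[user].add(sess)
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = (peak, len(sessions[user]))
    return flagged
```

Per session the sample never exceeds seven failures, so a counter scoped to one login flow stays silent, while the per-account view reports 21 failures from three sessions.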
AnalogHype said this particular method of accessing accounts was discovered by a network infrastructure manager, who had his own XBL account broken into and 8000 Microsoft Points charged to his card.
Eurogamer contacted Microsoft, which said it is aware of the issue, but Eurogamer is still waiting for a formal response on the matter.