Illicit XBL access via “industry-wide issue”

Saturday, 14th January 2012 15:00 GMT By Stephany Nunneley

Microsoft has responded to yesterday’s report, which claimed the recent rash of compromised Xbox Live accounts was due to “brute force” unauthorized access through legitimate channels. In a statement provided to IGN, the firm said there wasn’t any “loophole” allowing the invasions, as the method of attack is “an industry-wide issue.” Microsoft also noted, once again, that many accounts are compromised through malware and phishing scams used to glean user passwords. “Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable,” read the statement. “As always, we highly recommend our members follow the Xbox Live Account Security guidance provided [here] to protect your account.”

The firm contends there hasn’t been a security breach within the XBL service.



  1. Psychotext

    For fucks sake Microsoft. If you really give a shit about the security of your users then it’s about time you got off your penny pinching arse and implemented two step security, at least for password resets if nothing else. Though personally I’d be happy to turn on two step for any login given how rarely I actually have to log in.

    Also, if it’s an industry wide problem, why aren’t we hearing about exactly the same thing on the PS3. You can buy exactly the same FIFA packs there, and yet… miraculously, hundreds of people aren’t reporting that they’re having their money / credit stolen.

    #1 3 years ago
  2. Razor

    It’s pretty amazing how MS are getting away with this…

    #2 3 years ago
  3. DSB

    I don’t think the embarrassment of Microsoft being bypassed by scriptkiddies is lost on anyone.

    #3 3 years ago
  4. Ireland Michael

    You should know better DSB.

    These are basic, run-of-the-mill phishing techniques that happen every single day on thousands of websites across the internet. It’s rather basic and arbitrary password guessing and keylogging.

    There is no big conspiracy here. There is no MSN-Gate. This is just a conveniently sensationalist spin on an everyday thing that has been around almost as long as internet access has.

    #4 3 years ago
  5. DSB

    @4 Well, if your website is open to brute force attacks, that’s a pretty serious issue, if a successful attempt allows people to have their way with people’s accounts. That’s not commonplace.

    Phishing is universal, and also happens to PSN users every day.

    #5 3 years ago
  6. Christopher Jack

    There’s also 8 attempts before Captcha reacts; oddly enough it’ll give you the option to log in as someone else, but you can use that to try the same person again & have another 8 attempts. Writing a script exploit for that wouldn’t be too hard, but I’d imagine even Microsoft would be able to prevent brute force attacks like these; can’t say for certain though, as I am no security expert.
    XBL may be secure, but it doesn’t mean that everybody’s accounts are. Fact is, XBL users are being hacked, regardless of the strength of their passwords.

    #6 3 years ago
  7. deathgaze

    8 attempts is pretty tight. A single user’s brute force attack wouldn’t really do much with 8 attempts. However, if the attempts were made through a botnet then it would change the situation. A cracker would be able to rifle through thousands of iterations on an account without hitting the 8 attempt limit. Even still, actual throughput would be abysmal, rendering only a handful of account logins per day.

    There are systemic ways to solve this issue. Instead of putting an attempt limit on the target login page, Microsoft should be logging the attempts on the account. That way, regardless of what browser or IP the attempts are logged from, the account remains with an 8 attempt limit before engaging CAPTCHA. After a certain number of total attempts (say, 30 attempts) are made within a certain time frame (say, 30 minutes) the account should be put on ‘cooldown’, disallowing any further login attempts for a set amount of time. These are just examples, of course. There are many more ways to deter brute force attacks.

    Of course, no conceivable safeguards you might imagine are truly hacker proof. No system is, really. Even with these safeguards in place, given enough time, a hacker would still be able to breach any account on the Internet. That’s what Microsoft meant when it said that this is an ‘industry-wide problem’. No one can really stop a determined brute force attacker. You can, however, slow them down to the point where the attack is no longer practical.

    #7 3 years ago
  8. Psychotext

    It’s not just 8 attempts deathgaze. All you have to do after 8 attempts is click another button and then start again.

    That said, with an automated attack with proxies it wouldn’t be hard to get around the lock out even if it did exist.

    @4: So please do explain how my missus’s account got hacked. She doesn’t even know the password, which was randomly generated and I only ever entered directly into a stock 360 (until the day she got hacked, and then I tried to enter it online to see what was going on).

    Plus, as previously stated, if this was bog standard phishing then why the hell isn’t it happening to the PSN? All the same factors are in place to allow it. Or are PSN users so much more internet savvy that they don’t get phished or use obvious passwords? Yes, that seems likely.

    #8 3 years ago
  9. deathgaze

    @8: Very true. Which is why it’s all the more important to log the attempts to the account instead of the login page’s script.

    #9 3 years ago
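    The per-account scheme deathgaze sketches in #7 and #9 (CAPTCHA after 8 failures, cooldown after 30 failures within 30 minutes, counted against the account rather than the login page or client IP) as an added Python example; this is not code from the thread or from Microsoft, and the 15-minute cooldown length and the sample attack are my assumptions.

```python
from collections import deque

# Thresholds from the comment above; the cooldown length is an assumption.
CAPTCHA_AFTER = 8            # failures before a CAPTCHA is demanded
COOLDOWN_AFTER = 30          # failures inside the window before the account cools down
WINDOW_SECONDS = 30 * 60     # sliding window: 30 minutes
COOLDOWN_SECONDS = 15 * 60   # assumed: how long login stays disabled


class AccountThrottle:
    """Counts failed logins per account name, never per client IP or session,
    so proxies, botnets or a 'log in as someone else' button change nothing."""

    def __init__(self):
        self._failures = {}        # account -> deque of failure timestamps
        self._cooldown_until = {}  # account -> time login is re-enabled

    def _recent(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and q[0] <= now - WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return q

    def check(self, account, now):
        """Decision for an attempt at time `now`: allow, captcha or cooldown."""
        if self._cooldown_until.get(account, 0) > now:
            return "cooldown"
        return "captcha" if len(self._recent(account, now)) >= CAPTCHA_AFTER else "allow"

    def record_failure(self, account, now):
        recent = self._recent(account, now)
        recent.append(now)
        if len(recent) >= COOLDOWN_AFTER:
            self._cooldown_until[account] = now + COOLDOWN_SECONDS

    def record_success(self, account):
        self._failures.pop(account, None)   # a real login clears the counter


def simulate(throttle, attempts):
    """attempts: (account, source_ip, seconds, password_ok). Returns the decisions.
    source_ip is carried only to show that the throttle never looks at it."""
    decisions = []
    for account, _ip, now, ok in attempts:
        decision = throttle.check(account, now)
        if decision != "cooldown":          # a CAPTCHA still lets a correct password in
            if ok:
                throttle.record_success(account)
            else:
                throttle.record_failure(account, now)
        decisions.append(decision)
    return decisions


# Constructed sample: 40 wrong passwords against one account, one per second,
# each from a different address in a small rotating pool (a proxy list or botnet).
ATTACK = [("victim", f"10.0.0.{i % 5}", i, False) for i in range(40)]

if __name__ == "__main__":
    print(simulate(AccountThrottle(), ATTACK))
```

Rotating the source address does not help the attacker here because the counter is keyed by account; a botnet only cycles through accounts faster, as #10 notes, which is what the cooldown is meant to make impractical.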
  10. Psychotext

    Absolutely. Plus ironically that sort of thing is written very specifically into Microsoft’s best practice documents for security.

    Though of course, in reality a mass scale attack could just cycle through accounts as they get locked, but it would certainly reduce the number of accounts which ended up being vulnerable.

    #10 3 years ago
  11. deathgaze

    @10: As I said in 8, it would only slow them down. Given enough time, any account can be breached using brute force techniques.

    #11 3 years ago
  12. Ireland Michael

    @8 “Plus, as previously stated, if this was bog standard phishing then why the hell isn’t it happening to the PSN?”

    This sort of thing happens every single day on every major website on the internet. It *is* happening on PSN, constantly, as it does on every other website, but this is simply the story that the gaming media, in its blind, sensationalist ignorance, is choosing to obsess over, because they know it’s nice and controversial.

    VG247 should know better.

    #12 3 years ago
  13. ShiroGamer

    what razor said

    #13 3 years ago
  14. Psychotext

    @12: Absolute rubbish. I found out about this via forums where a number of people were complaining that someone had accessed their account and bought a bunch of FIFA packs. Specifically people with 360 accounts. I then got a taste of it via my missus’s account being taken over. I’ve not once seen someone with a PS3 account talking about it (I looked around quite a bit at the time too)… which initially made me think that you simply couldn’t buy / transfer the FIFA packs on the PS3, but no, that’s not the case.

    VG247 and the like took months to report on the situation, only really getting interested when the volume level got high enough (and specifically when they could report on the more interesting incidents like the single mother and the games journalist). Microsoft’s mantra of “phishing, fraud and identity theft” sounds quite reminiscent of “the Xbox 360 failure rate is well within standard industry failure rates of 3 – 5 percent” and “Sony deny the PSN has been breached”.

    As I’ve stated many times, my main concern is that they actually believe this shit, and that there’s nothing they can do about it. Because frankly, even if it really is down to phishing or theft of email accounts, there’s still plenty they can do about it. They might want to go and speak to Valve or Blizzard at the very least… maybe they might get a clue.

    #14 3 years ago
  15. OlderGamer

    Blizzard? I wouldn’t ask advice from Blizzard. I stopped playing WoW due to their lack of security.

    Here is the basic principle. Simple, really. So long as a value is placed on digital information, someone will covet that information, and attempts to steal, hijack and crack it will be made. It is and always has been a constant cat-and-mouse back and forth between thieves and those in charge of protection.

    There is nothing new here at all. This has been going on for years. That doesn’t make it right, just makes it true.

    Security is one of the first casualties of internet commerce.

    #15 3 years ago
  16. Joe Musashi

    The Microsoft shrug isn’t very comforting. It amounts to “Hey, it’s not just us!” which still doesn’t convince me they’re taking things seriously – or as seriously as they should be. Additionally, I don’t see how allowing transactions to continue on a known compromised account is ‘an industry wide issue’ rather than one of service to a particular company’s users. There’s still a lot of questions and perspectives not addressed by Microsoft. I think we’ve all heard them do the ‘deny, deny, deny’ thing before and we all know how that turned out.

    A fact of life is shit happens. It would be nice that it didn’t but it does. The real mark is how you deal with things when shit happens. This isn’t being dealt with very well.

    Or rather, I think Microsoft’s PR teams are working much harder on this than their customer service or security teams.


    #16 3 years ago
  17. mojo

    2: Sony always gets bashed to death, MS is always the good shepherd.
    MS is pretty good at selling poo as gold.

    #17 3 years ago
  18. ManuOtaku

    I am not that tech savvy here, but if it is a widely common issue, and if they know how it happens and how it is done, why are they not taking any countermeasures to tighten the security? The thing that worries me the most is that they are not taking this seriously; at least say you are working to solve this issue, don’t leave all the responsibility to the consumers only with a statement that indicates “user, just elevate the security of your passwords”, because sooner rather than later it will be bypassed, especially if you do not take any countermeasures to tighten up the security, or if you don’t take any actions at all just because it is a common issue. That’s the thing that concerns me the most, the indifference or apathy in this situation; it is like PSN all over again.

    #18 3 years ago
  19. Hcw87

    My account has just been hacked. I’ve never been hacked in my life, and I use it often. They purchased lots of Microsoft Points, so I advise everyone to change your password ASAP.

    #19 3 years ago
  20. Ireland Michael

    @18, It’s brute force password guessing using cheap and easily obtained PC software. No matter how many layers of security you put on a system, there are always going to be a few successes.

    It’s a handful of people, and they have been reimbursed.

    Maybe not within the millisecond they would like, but as someone who has worked in network security, I can tell you that a lot of time is spent ensuring claims are legit in the first place.

    It would be very easy for someone to, as an example, buy tonnes of MS Points, buy lots of stuff, rip the content from the HDD (this can be done) then ring up and say their account was hacked.

    Microsoft are not going to automatically assume that you are an honest and pure snowflake, and tracking this stuff takes time. They’re not going to lock your account unless they can be assured the breach is legit first.

    #20 3 years ago
  21. ManuOtaku

    #20 I agree, and like I said I am not tech savvy in these things, but the thing I am concerned about is the attitude towards the issue. Instead of saying it is a common thing and it will be solved as soon as consumers use difficult passwords, etc., I’d like to hear them say we are working on a possible solution for this, but that’s my wishful thinking here talking. At least this way Microsoft will be treating all the consumers well, not just the affected ones, which has been good in my book.

    #21 3 years ago
  22. fearmonkey

    @Ireland Michael – I had a friend who had his account compromised; they unlocked 2 FIFA achievements, spent all his points, bought more, spent them, and played some more FIFA. My friend called MS, who said they locked his account, but they didn’t; the account was still accessible a week after supposedly being locked…

    This friend works in IT, is extremely tech savvy, isn’t malware infected, wasn’t phished, his email address wasn’t searchable by his gamertag, etc.
    Yet his account got compromised……

    As someone who is also in IT, MS’s attitude towards this leaves a lot to be desired. I don’t care if it does happen every day; MS needs to kill the 8 tries before cap kicks in, and give us other methods of security.
    Google, for instance, gives me the option that sends a text to my cell phone with a code if I try to log in from a computer or device that I haven’t used before. Why can’t MS give us that, give us a SecurID equivalent, have the Xbox Live pass code for the Live account online instead of just the console? MS can and simply must do more; it’s completely stupid that they keep up the “we aren’t hacked, users are phished, and are stupid, and it’s not our fault” crap. We pay for their service and they simply must do better.

    #22 3 years ago
  23. Ireland Michael

    @22 Man, I love this FIFA conspiracy theory.

    If there were some sort of leak in the game’s coding allowing account passwords to be stolen, someone would have figured out how by now, and the information would be public knowledge already.

    People are getting phished, and people’s accounts are being compromised, but only in the matter of account security compromising that is standard to every website on the internet.

    #23 3 years ago
  24. Hcw87

    I never played any FIFA games on my Xbox console; in fact I haven’t played a FIFA game in around 10 years, yet somehow someone got access to my account. I’ve also never been phished; I played World of Warcraft for years, and I know how the phishing schemes work. The only reason they could get access to my account is through

    #24 3 years ago
  25. Ireland Michael

    @24 Then you either have a keylogger on your computer or your password was easily figured out by whatever software they used to force their way into your account.

    I understand, the possibility that the responsibility is entirely your own might be one that’s hard to accept.

    #25 3 years ago
  26. fearmonkey

    @23 – Never said the FIFA achievements were due to a conspiracy. The fact that FIFA is mentioned so much when these accounts get compromised is interesting, though.
    Man, you are starting to sound like Officer Barbrady on South Park…
    “Move along, nothing to see here”…

    “but only in the matter of account security compromising that is standard to every website on the internet.” – Well, MS can and should do more.
    You ever play Rift? You can create an authentication code for security; why can’t MS do that as an option? With WoW, you can get a SecurID.
    If MS would just implement the Live Pass code online rather than just on the console, that would be nice. MS SHOULD give us some other security measures that we can CHOOSE to use or not.

    #26 3 years ago
  27. Hcw87

    My computer(s) are completely clean; I scan them regularly. I’m also a paranoid guy when it comes to using shady websites etc., so if I get affected by this, everyone can.

    My password was 8 characters long, numbers and characters. To brute force that you’d need years.

    #27 3 years ago
  28. Ireland Michael

    @27 “To brute force that you’d need years.”

    Not if you’re a computer.

    #28 3 years ago

Comments are now closed on this article.