Microsoft to invalidate MS Points 'stolen' via exploit

Microsoft seeks to invalidate MS Point codes generated using an exploit while investigating the situation.

7

A couple of days ago, a forum user on the website The Tech Game posted instructions about how to use an exploit that allowed users to generate codes for Microsoft Points on Xbox Live.

Microsoft has since released a statement indicating that it is investigating the situation, intends to invalidate the illegitimately-generated codes, and is looking into punishing those who participated in the exploit.

"Our Policy and Enforcement team is evaluating whether or not certain individuals have violated the Terms of Use for Xbox Live and will take the appropriate enforcement on an individual basis," reads the official statement. "Codes obtained legitimately by users will not be impacted."

Though Microsoft discovered the exploit within hours, many news sites initially estimated that around $1.2 million worth of codes were 'stolen.' According to a report on Gamasutra, Microsoft asserts that the $1.2M figure is far too high. "We can't share specific numbers, but the figure is nowhere near the amount that has been reported," they insisted.

It's not entirely clear how Microsoft intends to penalize those who've obtained MS Points via the exploit, exactly - though we suspect there might be some clues within Xbox Live's 'Terms of Use' and 'Code of Conduct' documentation.

Filed Under
From The Chatty
  • reply
    March 10, 2011 7:00 PM

    Comment on Microsoft to invalidate MS Points 'stolen' via exploit, by Jeff Mattas.

    • reply
      March 10, 2011 7:21 PM

      [deleted]

      • reply
        March 10, 2011 7:37 PM

        Microsoft logs nearly everything.

        If you see the same code being nearly redeemed then actually redeemed within a few minutes of each other from an IP, it can easily be flagged for review.

        If you see dozens of invalid codes being entered along with a real one within a few moments from an IP, it can easily be flagged for review.

        The brute force methods behind this make it easier to detect.

        • reply
          March 10, 2011 7:41 PM

          [deleted]

          • reply
            March 10, 2011 7:42 PM

            [deleted]

            • reply
              March 10, 2011 7:52 PM

              [deleted]

              • reply
                March 10, 2011 7:53 PM

                [deleted]

              • reply
                March 10, 2011 7:55 PM

                For the redeemables, certainly. Unfortunately the key generator is the same as what is used for their other software and that stuff takes into account things like offline activation and validation of keys.

              • reply
                March 11, 2011 9:03 AM

                these are the same thing, unless you have a real/non-pseudorandom number generator

          • reply
            March 10, 2011 7:54 PM

            The original algorithm for keys assumed at most a few million units sold per product SKU and had a lot of cross-checking within the keys.

            With 10 million Kinect's sold through, I can only imaging the sellthrough on these cards. They may have eliminated some of the tamper-proofing and error checking to increase their keyspace.

    • reply
      March 10, 2011 7:25 PM

      haha i dont know why people would try this and think that they wouldnt get banned

    • reply
      March 10, 2011 8:05 PM

      [deleted]

    • reply
      March 10, 2011 9:52 PM

      You've been banned. Now you can get your own glass of chocolate milk.

    • reply
      March 11, 2011 12:11 AM

      I hope they ban these fuckers hard.

Hello, Meet Lola