Xbox Live Security Compromised, Accounts Commandeered? (Updated)

Over the last several days, large numbers of Xbox Live users have claimed that they have been locked out of their Xbox Live accounts, in many cases with the credit cards tied to the accounts being used to purchase Xbox Live Marketplace's currency of Microsoft Points. Following online reports of Halo 2 developer Bungie's player network being compromised, Digital Munition security researcher Kevin Finisterre posted to the security-centric mailing list Full Disclosure that his account too had been stolen. After accounts are stolen, thieves appear to have a window of time in which to misuse the account before it is detected and banned, but even after the accounts have been banned there appears to be no real recourse for the accounts' original owners. Finisterre claimed that a Microsoft technical support representative admitted, "Hackers have control of Xbox live and there is nothing we can do about it." (The veracity of this claim seems dubious.)

Digital Munition has now posted an audio log of one of Finisterre's many calls to Microsoft support, which seems to indicate that the representatives are aware of the issue but unable to take any meaningful action. Based on comments made by the support techs, the partial reason for this appears to be that some of Bungie's online community features are independent from Microsoft's broader Xbox Live systems, and Microsoft support cannot reverse account changes made by Bungie's system. Finisterre was assured that an account hacker would not have access to his credit card information, though that does not prevent somebody in control of an account from using the saved--but private--credit card information to buy any number of Microsoft Points before the account is banned.

Finisterre appears to have been targeted specifically. He recounts being told by his opponents during a game of Halo 2 that his account would be stolen--and the next day he discovered that it had. Other Xbox Live users tell stories of their credit card limits being maxed out by purchases of thousands of dollars' worth of Microsoft Points, and of their home addresses and phone numbers being acquired and abused.

The incidents seem to be the work of clans dedicated to account theft not by technical means but by simply misleading Microsoft support personnel--though this would not explain the apparent sudden sharp rise in the number of cases. One of these clans identifies itself very publicly as -INFAMOUS-, and has no reservations in describing how its members call Xbox Live support with convincing stories, pretending to be account holders unfairly locked out of their accounts. The success of the clan's system again seems to stem in part from the discrepancy between what Microsoft support personnel and Bungie personnel are each able to do for a caller. -INFAMOUS- claims to steal "10 accounts a day depending on there [sic] levels." The site further warns, "If you talk shit we will mod on your account until it is banned. If the levels on it are good we will use the Credit Card on your account to then change the gamer tag."

Microsoft's official response to the matter appears to be scattered. In a statement given to CNET, the company said simply, "Recently, there have been reports of fraudulent activity and account theft taking place on the Xbox Live network. Security is a top priority for Xbox Live, and we are actively investigating all reports of fraudulent behavior and theft." Shacknews has contacted Microsoft for further comment. At the moment, the company's current line is that affected users should call Xbox support at 1-800-4MY-XBOX.

Update: Microsoft employee Larry "Major Nelson" Hryb has commented on the current situation, stating that, as was suspected, these incidents are the result of malicious users obtaining the account information of others through various means, and using that information to take control of accounts. In a blog post, Hryb recommends Xbox Live users peruse a Microsoft document on preventing identity theft.
