Microsoft responds to Xbox.com password claim

Earlier this week, a person whose Xbox Live account had been taken over by hackers claimed to have discovered a way to use a scripted brute-force technique to acquire Xbox Live passwords through Microsoft's Xbox.com web site. Now IGN.com reports that Microsoft has offered a response to that claim.

Microsoft's specific response is, "This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue." The response also included Microsoft's standard statement for cases in which people have had their Xbox Live account hijacked: "Microsoft can confirm that there has been no breach to the security of our Xbox Live service."

The fact remains that quite a few people have gone public about their Xbox Live accounts being taken over by outsiders. Microsoft continues to insist that those accounts may have been stolen via phishing scams or some kind of malware. The account holders, for their part, insist that they have not encountered any phishing schemes and have not detected any malware on their machines.

Clearly a disconnect remains between these two viewpoints, and Microsoft appears to be doing little to bridge the gap beyond saying that it is not the company's fault. Meanwhile, the problem appears to be getting worse. It is not clear whether there will be any breakthrough on this issue in the future.


14 Comments


Would this affect people who don't have their credit cards linked up to their account, like if they had them removed, or not?

I don't think it's got much to do with phishing as it does just Brute forcing. My little brother had his account hacked, and he checks his e-mail maybe once a month, maybe. His XBL password is mainly just used to log into XBL, and he never even knew it was hacked until I started getting spam e-mails from him, because they never bothered to change the password, so his ability to log into XBL with his XBox was not affected.

This is sadly something that won't be remedied, ever. For as long as there have been locks, there have been skeleton keys, flimsy ID cards to slip into the door facing, etc., and the same applies online. The only thing you can do is be vigilant and don't use "password" as your password.

Unless the password is incredibly easy, it would take forever to brute force a website login. The connection to the site would prevent millions of attempts a second.

Brute forcing is only really efficient and useful on a local machine.

They are correct in saying that brute forcing is an industry wide issue, but they are making it easier for them to brute force it as username enumeration can be performed on Windows Live ID login pages. The fact that you can learn whether or not a username is valid or invalid from an improper login attempt is a serious problem.

"continues to insists that those accounts might have been stolen via phishing scams .... The account holders also insist that they have not encountered any sort of phishing schemes"

When this was happening a few months ago and mainly with EA games such as FIFA someone posted on the official EA site saying that he had got access to lots of accounts and told everyone how to do it. The post was quickly closed obviously but the details in it were of a phishing scheme, but in all cases it's not against the users - it's a confidence trick against EA support.

I don't know if the recent method is exactly the same, but I just thought it would be good to mention that when people say it can't possibly be a phishing scam because they wouldn't fall for it, in some cases it's not them who need to be tricked, it's EA.

Well, different error messages depending on if the password is wrong or the account doesn't exist is bad practice, and certainly a security hole.

This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue.

Sorry, but not locking an account is definitely not an industry-wide issue.

Brute Force =/= Hacking. "password" is not a secure password; choosing a nice secure password (a mix of numbers, characters and different cases, as well as having some length to it) will make your account much harder to brute force into.

tsupersonic said,
Seriously, have people never heard of brute force attacks?

Usually a brute force attack is not possible because the account will be locked way before the "hacker" can make enough login attempts.

In this case it seems the "hacker" can fail as many attempts as he wants, which can lead to weaker passwords getting discovered. It doesn't help either that the error messages tell the "hacker" whether the username exists or not.

Most people here blame the users. I blame the web service that lets the "hacker" fail as many attempts as needed, because this is security 123 that students learn in school. It's not realistic to expect random Joe to have a really secure password. Most people use well-known dictionary words and replace some o's with 0 and e's with 3. You need to secure the account server-side too and have more than one layer of security.

It's laughable that a captcha is used to prevent more than 8 bad login attempts. Captchas are not meant for that kind of security. You need to lock the account and send an email to the user.

Now before some people say hey, it's not possible to brute force an account via a web server: I kind of agree with that. You would need to be really well organised with a lot of bots.

But from what I can see from the outside, the security of the Live web site looks to be a little bit deficient, so I would definitely not assume all those stolen accounts are from phishing. There might be more going on.
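The two weaknesses raised by commenters above, a login page whose error message reveals whether a username exists (the enumeration point a few comments up) and a login that never locks the account after repeated failures (the point in the comment just above), are easy to show side by side. The following is an added example written for this page; it is not code from the article, from Microsoft's Xbox.com or Windows Live ID services, or from any commenter. The account store, the attacker's wordlist, the lockout threshold and the "notification" list are all constructed assumptions for the demo.

```python
"""Toy login service: a leaky variant beside a hardened one, plus the attacker's side.

Added example for this page, not Xbox.com / Windows Live ID code. Accounts,
wordlist and lockout threshold below are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3                      # assumption: lock after this many consecutive failures
GENERIC_ERROR = "invalid username or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept low only so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Service:
    accounts: dict
    notifications: list = field(default_factory=list)  # stand-in for "email the user on lockout"


def make_service(credentials: dict) -> Service:
    accounts = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        accounts[user] = Account(salt, _hash_password(password, salt))
    return Service(accounts)


def leaky_login(svc: Service, user: str, password: str):
    """Weak: distinct errors reveal whether the username exists, and failures are never counted."""
    acct = svc.accounts.get(user)
    if acct is None:
        return False, "unknown account"
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.digest):
        return True, "ok"
    return False, "wrong password"


def hardened_login(svc: Service, user: str, password: str):
    """One error string for every failure; lock the account after repeated failures."""
    acct = svc.accounts.get(user)
    if acct is None:
        _hash_password(password, b"\x00" * 16)  # do the same work so response timing does not leak existence
        return False, GENERIC_ERROR
    if acct.locked:
        return False, GENERIC_ERROR            # even the correct password is refused until unlocked
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.digest):
        acct.failed_attempts = 0
        return True, "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        svc.notifications.append(f"lockout notice sent to the owner of {user!r}")
    return False, GENERIC_ERROR


def enumerate_users(login, svc: Service, candidates):
    """Attacker side: usernames whose error differs from the one for a name that surely does not exist."""
    baseline = login(svc, "no-such-user", "x")[1]
    return {u for u in candidates if login(svc, u, "x")[1] != baseline}


def brute_force(login, svc: Service, user: str, wordlist):
    """Attacker side: try each candidate password in order; return the one that worked, or None."""
    for pw in wordlist:
        if login(svc, user, pw)[0]:
            return pw
    return None


CREDS = {"alice": "s3cret!", "bob": "password"}          # constructed sample accounts
WORDLIST = ["123456", "qwerty", "letmein", "password"]   # constructed attacker wordlist


def demo() -> dict:
    leaky = make_service(CREDS)
    hard = make_service(CREDS)
    leaked = enumerate_users(leaky_login, leaky, ["alice", "bob", "carol"])
    hidden = enumerate_users(hardened_login, hard, ["alice", "bob", "carol"])
    hard2 = make_service(CREDS)  # fresh instance so the enumeration probes above do not count toward lockout
    cracked = brute_force(leaky_login, leaky, "bob", WORDLIST)
    blocked = brute_force(hardened_login, hard2, "bob", WORDLIST)
    owner_ok = hardened_login(hard2, "bob", "password")[0]
    return {
        "leaked": leaked,                      # leaky service: alice and bob confirmed to exist
        "hidden": hidden,                      # hardened service: nothing learned
        "cracked": cracked,                    # leaky service: bob's password found on the 4th try
        "blocked": blocked,                    # hardened service: locked after 3 failures, 4th try refused
        "locked": hard2.accounts["bob"].locked,
        "owner_refused_after_lock": not owner_ok,
        "notices": len(hard2.notifications),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant illustrates the trade-off the commenter accepts: once the attacker trips the lockout, the legitimate owner is refused too until the account is unlocked, which is why the lockout must come with a notification and an out-of-band recovery path rather than silently denying service.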

"Hacking passwords" is incorrect; it's cracking passwords.

I would only believe that people lost their passwords via phishing emails.