Microsoft's Xbox Entertainment Awards website hit with security breach

On Monday, we reported that Microsoft had launched a website just for UK residents to vote in the Xbox Entertainment Awards. Now the site has been shut down following reports that a page on the site could be accessed that exposed a considerable amount of information about the people who had voted on it.

MCV reports they were alerted to the security breach by a reader who sent them a link where the private information was available for anyone else to see. The data on the page included the real names of the people who voted in the awards, along with their email addresses, birthdays and their Xbox Gamertags. The reader claims that about 2,892 names were shown on the site. It is not yet known how long the page was available to the public.

While truly private information, such as passwords, was not exposed as part of this breach, it stands to reason that attackers could gain a lot from the data that was exposed by this issue. The site has now been shut down, and in a statement Microsoft admitted to "currently experiencing technical difficulties" with the Xbox Entertainment Awards site. The statement did not mention anything about the voters' data being exposed to the public.

Source: MCV | Image via MCV

13 Comments


Hardly surprising, as Microsoft doesn't take security seriously (16-character password limits... even with their 'new' mail service they still limit users' passwords to only 16 characters!)

Tigurinn said,
Hardly surprising, as Microsoft doesn't take security seriously (16-character password limits... even with their 'new' mail service they still limit users' passwords to only 16 characters!)

Please do not comment on security if you don't know what you're talking about. After about 7 characters, password hashes (of course it depends on the algorithm) become unfeasible to crack, and that's provided you are able to obtain the hash and then obtain the salt, which is the hardest part. So basically it wouldn't matter if your password was 3 or 344 characters; it wouldn't be able to be cracked from one of MS' online DBs. Allowing passwords longer than 16 characters can in some cases actually open up new security holes like SQL exploits, server error data leakage and RAM cache overflow leading to plain-text exposition of data.

So yes they do take security seriously but maybe you don't know what is secure and what isn't...

Tigurinn said,
Hardly surprising, as Microsoft doesn't take security seriously (16-character password limits... even with their 'new' mail service they still limit users' passwords to only 16 characters!)

Seriously? Let's say you get past their captcha defense so you can brute force their passwords. You really think a max of 16 is making a difference?

ingramator said,

Please do not comment on security if you don't know what you're talking about. After about 7 characters, password hashes (of course it depends on the algorithm) become unfeasible to crack, and that's provided you are able to obtain the hash and then obtain the salt, which is the hardest part. So basically it wouldn't matter if your password was 3 or 344 characters; it wouldn't be able to be cracked from one of MS' online DBs. Allowing passwords longer than 16 characters can in some cases actually open up new security holes like SQL exploits, server error data leakage and RAM cache overflow leading to plain-text exposition of data.

So yes they do take security seriously but maybe you don't know what is secure and what isn't...

Actually I think with today's hardware it is becoming more feasible that an 8 character password is crackable. After that though you are absolutely right. Although I wonder if they use salts? I would assume, but the Windows OS doesn't, which makes me wonder.

Tigurinn said,
Hardly surprising, as Microsoft doesn't take security seriously (16-character password limits... even with their 'new' mail service they still limit users' passwords to only 16 characters!)

Like others have said you don't know what you're talking about. With today's hardware, after 8 characters, passwords take longer than the universe has been in existence to crack. I'm not even kidding. It would literally take billions and billions of years to crack a password longer than 8 characters.

Now granted, with each new generation of hardware and supercomputers, cracking 9-character passwords becomes more feasible, but that won't happen for at least another 5-10 years, if not more.

mnl1121 said,
Actually I think with today's hardware it is becoming more feasible that an 8 character password is crackable. After that though you are absolutely right. Although I wonder if they use salts? I would assume, but the Windows OS doesn't, which makes me wonder.
To a degree, but that requires access to the hash for offline cracking, not pounding a website with brute force. At best you're getting a couple dozen attempts a second assuming you're a) not blocked as a DOS and b) Captcha doesn't stop you. At that point you're talking hundreds of thousands of years for the trillions of combinations possible.

Even then, with salting and w/o access to the salt and the way it is employed you're still up **** creek.
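A quick way to put the online-versus-offline distinction from the last comment into numbers, as an added example that is not from the article or any commenter. The guess rates (24 guesses per second when throttled online, one billion per second against a leaked hash offline) and the 62-character alphabet are assumptions chosen for illustration.

```python
# Brute-force cost estimator: worst-case time to exhaust a password keyspace
# at a fixed guess rate. Every rate and alphabet size here is a constructed
# assumption for illustration, not a measurement of any real service.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Assumed guess rates: an online attacker throttled by rate limiting or a
# CAPTCHA, versus an offline attacker who holds the hash and runs a fast,
# unsalted hash function on commodity hardware.
ONLINE_GUESSES_PER_SEC = 24
OFFLINE_GUESSES_PER_SEC = 1_000_000_000


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Worst-case years needed to try every password of this length."""
    return keyspace(length, alphabet_size) / guesses_per_sec / SECONDS_PER_YEAR


def compare(length: int, alphabet_size: int = 62) -> dict:
    """Online vs offline worst-case exhaustion time for one password length."""
    return {
        "length": length,
        "keyspace": keyspace(length, alphabet_size),
        "online_years": years_to_exhaust(length, alphabet_size, ONLINE_GUESSES_PER_SEC),
        "offline_years": years_to_exhaust(length, alphabet_size, OFFLINE_GUESSES_PER_SEC),
    }


def table(lengths=(6, 8, 10, 12, 16), alphabet_size: int = 62) -> list:
    """Rows of compare() for several lengths, so the two columns can be read side by side."""
    return [compare(n, alphabet_size) for n in lengths]


if __name__ == "__main__":
    for row in table():
        print(f"len {row['length']:>2}: online {row['online_years']:.3g} years, "
              f"offline {row['offline_years']:.3g} years")
```

The same 8-character keyspace takes a few hundred thousand years at the throttled online rate but only days at the offline rate, which is why protecting the stored hash (salting, a slow hash, and not leaking the database) matters more than the exact length cap.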