Xbox live accounts being hacked?

[matt4pack]

Did you guys even read the article? Do you seriously think that being able to reset the CAPTCHA so you will have unlimited attempts to find the password isn't a security problem?

If Sony had something like this you all would be letting them have it. Also my password did contain uppercase, lowercase, and numbers in it so it's not just simple password being exploited.

[Yusuf M. Veteran]

I wonder if the same CAPTCHA loophole affects Hotmail.com as well. In any case, I hope Microsoft fixes it soon.

[AdamLC]

Brute forcing a password is not a 'hack'. If this is it, then it's just these guys using weak passwords.

I agree. Just because they have found a way to brute force it without a CAPCHA doesn't mean its been hacked!

I would hardly call it a serious security flaw.......

[threetonesun]

Hmm, I always thought the Xbox Live -> Windows Live connection was a bit, flimsy, considering you used an account name on one and an e-mail address on the other. I'm not surprised this is happening.

[+Audioboxer Subscriber²]

I agree. Just because they have found a way to brute force it without a CAPCHA doesn't mean its been hacked!

I would hardly call it a serious security flaw.......

And if your account had been taken over? Of course it's serious, it's not working as it should.

[ZakO]

Did you guys even read the article? Do you seriously think that being able to reset the CAPTCHA so you will have unlimited attempts to find the password isn't a security problem?

If Sony had something like this you all would be letting them have it. Also my password did contain uppercase, lowercase, and numbers in it so it's not just simple password being exploited.

Yes... being able to reset the CAPTCHA is a flaw Microsoft should fix asap. However, if your password contained uppercase/lowercase/numbers, wasn't a dictionary word, and wasn't short (<= 6 characters) it would have taken years to brute force your password so it's highly unlikely this flaw has anything to do with it.

Also, since you brought up Sony, does PSN even have any sort of brute force security? I just tried an invalid password 25 times for my PSN account and it didn't lock or display any captcha.

[shakey]

Yup, a security flaw with Live. Not EA. Some people have some back pedaling to do after the recent threads.

[Ryanjmchale]

3 failed attempts and the account should simply lock and email recovery is needed. Simple really, throw in a drop down on logon for x, x and x of another password adds another layer of security.

Doh..

[AbandonedTrolley]

The flaw here is in Microsofts allowance of the reset on captcha so yes this is a security flaw, captcha is a security method and it is being bypassed. It needs to get sorted and quickly.

[Simon.]

Is being able to avoid the CAPTCHA a security flaw? Yes

Is it the reason why your account is being hacked? No. A CAPTCHA is not a replacement for a secure password, if your password is being bruteforced over a network, it is FAR too simple.

[playXray]

As much as this isn't a real 'hack', it's very weak security on Microsoft's part. It's even worse that they're refusing to reimburse customers who've lost out financially due to Microsoft's poor security.

[Hedon]

This should be merged with this thread:

https://www.neowin.net/forum/topic/1036915-xbox-live-accounts-being-hacked/

No need for another one.

[Astra.Xtreme]

This is absolutely NOT the reason why the accounts are being hacked. As others have said, a brute force hack would take years to crack most passwords. Yes, the CAPTCHA method is a flaw on Microsoft's part, but hardly has anything to do with accounts being hacked.

[M_Lyons10]

Yup, a security flaw with Live. Not EA. Some people have some back pedaling to do after the recent threads.

Well, at this point this is a "private investigator's" opinion. As far as I'm concerned, it still has not been proven, and if it were that simple, I still think we would be seeing FAR more people getting their accounts "hacked". I still think this is more of a social engineering scam than anything.

3 failed attempts and the account should simply lock and email recovery is needed. Simple really, throw in a drop down on logon for x, x and x of another password adds another layer of security.

Doh..

Agreed. I think that would certainly be wise.

Also, since you brought up Sony, does PSN even have any sort of brute force security? I just tried an invalid password 25 times for my PSN account and it didn't lock or display any captcha.

Wow. THAT is really scary... I guess they haven't learned anything about security whatsoever...

[BajiRav]

Yup, a security flaw with Live. Not EA. Some people have some back pedaling to do after the recent threads.

The "security flaw" is limited to being able to bypass captcha and then continue brute force. As someone has said already, Sony doesn't even have a captcha. So all those PSN accounts where you "only lost your ID" but no money was lost? They are in equal danger. ;-) (I wouldn't know better, I am not going to play with my WLID and don't have a PSN account to verify one way or the other).

This also shows that all who got hacked had weak passwords and all "I have never used it anywhere but my xbox" were simply stupid. If your password could be brute-forced, then it's not a good password.

If this is really an issue with WLID, which I still doubt it - then MS has bigger things to worry about than Xbox.

This should be merged with this thread: https://www.neowin.net/forum/topic/1036915-xbox-live-accounts-being-hacked/ No need for another one.

This is audio and shakey's day. let them enjoy it. :-D Microsoft is now "hacked" same as Sony. Kind of morale booster, ain't it?

[LaP]

"the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."

Terrible. That's security 123 students learn in school. Never ever give too much information to hackers.

The message should always be something like "Account informations invalid".

[Ayepecks]

OK, this is absurd for a number of reasons.

First of all, it assumes that the passwords people use are so utterly stupid that they can be brute force hacked in a relatively fast fashion. That's patently stupid, for one. Secondly, most of the phishing or hacking victims have said they had strong passwords (including the couple of people on Neowin who were hacked). So unless they've been attempting to brute force crack someone's password since the original Xbox came out and they got incredibly lucky, then that's no dice. Third, I'm more than willing to bet that many of the hacking victims didn't have their e-mails searchable on Facebook or social networking sites.

It's not even a good theory. The CAPTCHA thing needs to be fixed, absolutely, but that's not even much of a security flaw in the grand scheme of things. You'd have to have good knowledge of what someone would use as a password (or have someone who has an insanely simple password) to have any value in that issue. I'm sure there's some way people are getting this information (and it's more likely they're not even finding out passwords, but using some sort of social engineering to get into someone's account -- like calling customer service and exploiting a flaw in the human system), but this doesn't seem even remotely likely.

Also: can we stop creating a billion topics about this? We only need one, just like all the posts when Sony was hacked were kept in the same place.

[LaP]

I wonder if the same CAPTCHA loophole affects Hotmail.com as well. In any case, I hope Microsoft fixes it soon.

CAPTCHAs are not that much secure.

I would hardly call it a serious security flaw.......

wow glad you are not working for my bank web site.

[oceanmotion]

OK, this is absurd for a number of reasons.

First of all, it assumes that the passwords people use are so utterly stupid that they can be brute force hacked in a relatively fast fashion. That's patently stupid, for one. Secondly, most of the phishing or hacking victims have said they had strong passwords (including the couple of people on Neowin who were hacked). So unless they've been attempting to brute force crack someone's password since the original Xbox came out and they got incredibly lucky, then that's no dice. Third, I'm more than willing to bet that many of the hacking victims didn't have their e-mails searchable on Facebook or social networking sites.

It's not even a good theory. The CAPTCHA thing needs to be fixed, absolutely, but that's not even much of a security flaw in the grand scheme of things. You'd have to have good knowledge of what someone would use as a password (or have someone who has an insanely simple password) to have any value in that issue. I'm sure there's some way people are getting this information (and it's more likely they're not even finding out passwords, but using some sort of social engineering to get into someone's account -- like calling customer service and exploiting a flaw in the human system), but this doesn't seem even remotely likely.

Also: can we stop creating a billion topics about this? We only need one, just like all the posts when Sony was hacked were kept in the same place.

Yeah, I don't believe this either. It just doesn't seem like it would be possible as people have said, their password wasn't an easy guess. It's a flaw that should be fixed though.

Is it possible Microsoft doesn't know how they are accessing accounts ?

Social engineering, inside job or something. Surely an actual hack will lead to something more than Xbox Live which seems small fish if you have someones details.

[cybertimber2008]

Even if this isn't the flaw that got hackers into the accounts, it's definitely a good way to learn what accounts exist, and at least attempt common passwords. Knowing the first is a good part of the battle, and of the second even if the success is low (1% maybe, depending how many passwords you try, but not bruteforce) it's still a chance.

[M_Lyons10]

Yeah, I don't believe this either. It just doesn't seem like it would be possible as people have said, their password wasn't an easy guess. It's a flaw that should be fixed though.

Is it possible Microsoft doesn't know how they are accessing accounts ?

Social engineering, inside job or something. Surely an actual hack will lead to something more than Xbox Live which seems small fish if you have someones details.

Absolutely. I agree 100%. If they "hacked" all of these people's details, they'd be out to do much more damage than buying a few things on XBox Live... I mean, come on... The fact that that is their focus, leads me to the conclusion that it is not Live, as that would give them access to their e-mail and as a result a TON of other stuff... So, I still chalk this up to social engineering.

[LaP]

hmm claiming this is like the PSN hack is kinda like how lighting candles is like forest fires...

yeah...

I'd bet MS and EA will find some way to stop this, since it's obviously hurting both of them. I'd still guess crappy passwords that are never changed have something to do with it, too. So many people are clueless when it comes to online security and just assume it won't be an issue...until it is.

And i guess some people like you are clueless about server side security. because from what i'm reading it's very weak for xbox live. You never ever say why a login failed. That's gold information for hackers. Live loging does.

You Freeze an account when too much login attempts failed and send a mail to the user to recover the account. Live doesn't not freeze the account but use a weak captcha protection.

Come one that's security 123 students learn in college. Seriously ...

[Hedon]

Interesting. A poster knows more about Microsoft security than Microsoft's multimillion dollar security team? Ok then. Um..no.

[LaP]

Funny that, im a web designer and have all sorts of I.T knowledge. Yet I still got hacked/phished. Sadly because you know something exists, doesnt mean you wont fall prey.

Don't lose your time. I went thru all this when my wow account got hacked (and i mean it). All people told me it was phishing and such. I am a web dev and knew i did not fall for a scam. I lost a complete night checking my email account log used for my wow account, checking my router log, scanning my HD and memory for a keylogger (even though i play games on my work computer while i surf the web on my secondary computer).

After this night i was 99.99% sure the account was not compromised from my side. Yet people was still telling me it was phishing.

You also always have this guy blaimg your PW strength too saying you need a 50 digits password with asian and russian caracters in (while in fact any good web service will freeze an account before it's even remotely possible to brute force a 8 digits random letters/numbers/symbols/caps PW).

It's a waste of time. They think they are better than anyone ... until the day they'll like me get hacked for the first time.

I don't play wow anymore but i can assure you my SWTOR account is protected using the authenticator app ;).

Interesting. A poster knows more about Microsoft security than Microsoft's multimillion dollar security team? Ok then. Um..no.

I don't. Everyone know about that. Seriously you can't be serious. I simply can't believe it. That's something you learn in the most basic class about security. Carefully word the error messages you show to the end users so you do not tell too much informations to hackers. What hackers get from error messages is gold to them.

Sorry but when you have 2 different error messages, one for when the account doesn't exist and one for when the account login information is wrong this is just bad.

As for the account not being frozen that's hilarious to see some people defending that.

[Astra.Xtreme]

I don't. Everyone know about that. Seriously you can't be serious. I simply can't believe it. That's something you learn in the most basic class about security. Carefully word the error messages you show to the end users so you do not tell too much informations to hackers. What hackers get from error messages is gold to them.

Sorry but when you have 2 different error messages, one for when the account doesn't exist and one for when the account login information is wrong this is just bad.

As for the account not being frozen that's hilarious to see some people defending that.

You still fail to realize that having a valid email or Gamertag really isn't that useful. Unless the password is guessable, then a password shouldn't ever be cracked. Every hacker out there knows that brute force is the worst way of cracking into an account. It's simply not plausible in a short amount of time.

Is it bad that Microsoft confirms if the username is valid? Yes. Is it allowing people to hack into accounts? Absolutely not.