
March 20th, 2007

Xbox Live hacked, accounts stolen

Posted by Ryan Naraine @ 2:01 pm

Categories: Browsers, Data theft, Exploit code, Hackers, Microsoft, Piracy, Privacy, Vulnerability research

Tags: Xbox Live, Microsoft Windows Live, Microsoft Windows, Microsoft Corp., Microsoft Xbox, Ryan Naraine

Online gaming forums are buzzing with reports that Xbox Live accounts linked to Microsoft's Windows Live ID service are being hijacked by malicious hackers.

Kevin Finisterre, a security researcher at Digital Munition, raised the issue on the Full Disclosure mailing list over the weekend, calling attention to rumors that Microsoft's Bungie.net was the victim of a breach that exposed a portion of Xbox Live.

"Some folks are having their Microsoft points stolen and or points purchased via their stolen gamer tag," Finisterre said.

A quick search of user forums at xbox.com and other gaming sites turned up multiple messages from Xbox Live users complaining about hijacked accounts, which typically link gamer tags to Windows Live ID (formerly .NET Passport).


According to Finisterre, there is a group online called "Infamous Clan" brazenly offering to "jack" Xbox Live accounts and boasting about successful account theft.

Several Xbox Live users contacted me to confirm the rumors and make it clear that the stolen accounts are being used for nefarious purposes.

One reader writes:

"I have been involved with Microsoft Support for days on this exact issue and have spent many hours on the phone trying to prove to them that, first, my Windows Live ID was stolen and, second, the ID and password associated with my ID were changed; two actions that Microsoft swears can NEVER happen; and third that the thief was then able to use my credit card information associated with one of my Windows Live ID accounts to purchase over $800 of Microsoft products.

Thank goodness for other websites that still contained my old Windows Live ID information and also the fact that, in order to gain access to those other websites, you NEED a Windows Live ID. After spending over 20+ hours on the phone with support and finally getting them to realize that I did indeed have a Windows Live ID, after pointing them to the other websites, I was told by a supervisor that "Yes, in fact, we have heard of some instances where a user's Windows Live ID had been compromised!"

After finally getting this confirmation and having a case number assigned and forwarded to Microsoft Security Investigations, they, also, confirmed it as a breach, issued me another Windows Live ID and then reinitialized the stolen Microsoft Products that were associated with the old ID over to the new ID."

Another gamer wrote in with an identical complaint, warning that Microsoft's product support staff have been unhelpful. "They admit this is an issue but say there's nothing they can do about it," he added. Digital Munition's Finisterre also made a note about the lack of support from Microsoft:

I just got off the phone with a Microsoft Tech for Xbox Live that has confirmed this with me and they have stated that accounts are being stolen and that "Hackers have control of Xbox live and there is nothing we can do about it."

Microsoft did not respond to a request for comment.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

  • Talkback
  • Most Recent of 63 Talkback(s)
go here
we did the validation for windows live and got the password reset and recovered my gamer tag so you all should try it

Posted by: strungvirus Posted on: 09/22/09