Microsoft Is Not Doing Enough To Help Xbox Live "Hack" Victims

So there’s been some kind of security problem with Xbox Live accounts for a while now. Microsoft denies there’s been any compromise of its own data, yet for months users have complained of having their accounts hijacked by people making unauthorised transactions.

A theory emerged last week that the cause of the issue was Microsoft’s website, whose login structure was allowing people to run “password-generating scripts” in order to get hold of a user’s account information.

In response to this, Microsoft has issued a new statement which, while admitting that this is indeed the cause of the problem, says it’s no fault of Microsoft’s.

“This is not a loophole in,” Microsoft told Eurogamer. “The hacking technique outlined is an example of brute force attacks and is an industry-wide issue.”

Which is interesting, since the man who first brokered the theory, IT consultant Jason Coutee, claims that Microsoft very quietly went in over the weekend and changed the website.

“Before, it would just let you try over and over,” Coutee says. “But now it seems that, even though I’m still able to use the link to get past the CAPTCHA, they handle the sign-in request on the server in a way that it will stop replying after about 20 attempts.

To me, this seems like they tightened security but didn’t make any noticeable changes on the front-end so they could discredit me.”

Whether this is indeed the case, I have no idea. I’m no IT expert. But I do know Microsoft still has a lot to answer for here.

To be clear, the problem is not that Microsoft’s security has somehow been breached. In this regard, it is entirely unlike Sony’s PSN attacks of 2011, in which user data was literally broken into and stolen from Sony servers. Nor is the breach itself entirely Microsoft’s fault. As the company states, it’s a common approach used by unscrupulous internet types, and relies on the user having a common, duplicate or relatively simple password. This is one reason why only some accounts have been compromised, and not all of them.

That’s the “good” news for Microsoft. The bad news is that it’s handling the whole affair terribly.

Let’s say you’re one of the unlucky ones whose account is hijacked. Once the breach is detected, it’s standard Microsoft practice to lock down your account. But accounts are being locked down for months at a time, often a minimum of 2-3, and in return for this users are being compensated with…a single month’s free Xbox Live. In effect meaning they’ve lost 1-2 months (minimum!) of a paid service for something they had no part in.

If you’ve ever wondered why those “no sue” clauses are a bad idea, this is why. Those users should be entitled to a refund of all time lost while the account is locked down and “investigated”, not just Microsoft’s standard one month refund.

And what of users who have not been affected? As soon as Microsoft knew this was happening, and on such a scale as to warrant this continued public prodding (and our almost daily emails from affected readers), it should have acted. It should have publicly investigated the cause and told everyone about it, instead of just denying it was a hack on Xbox Live itself and sending notices to enthusiast gaming press. It should have sent out bulletins to users, maybe even taken advantage of the Xbox 360 dashboard to say, hey, maybe now is a good time to change your password, make sure it’s a tough one.

Instead, it has crept along issuing constant denials and “not a problem” statements while more and more people lose their accounts, for months at a time, over something that could have been easily prevented.

The whole affair brings back painful memories of the RROD problem plaguing early model Xbox 360 consoles, which Microsoft continually denied and ignored for years until it was finally forced, very publicly, to act.

Microsoft’s internal security may not have been compromised in these “attacks”, as the company has been so keen to point out. It’s just a shame it’s not as well-equipped to deal with those paying customers affected by the compromise.


    • Whole-heartedly agree. What happens when someone generates a script that can decrypt CAPTCHA? Is that also Microsoft’s fault?

      When did it get to the point where someone else needs to be blamed for your own idiocy? If you’ve got a simple password, it’s your own fault. You don’t go and sue your bank because you set the pin code on your card to 12345.

      If it’s compensation you’re after, maybe Microsoft might be so kind as to send you a digital copy of “The idiots guide to the internet”.

    • If attackers knew their targets’ passwords beforehand and could log in successfully first go, then I agree that it wouldn’t be Microsoft’s fault. But the article says that attackers were using brute force attacks, and there are many well-known ways to mitigate this sort of threat.

      The simplest methods are to limit how quickly you can attempt to log in to a particular account, or perform logins from a particular IP address.

      More complex strategies include things like key stretching: instead of having the client send the password to the server as is, require it to repeatedly pass the password through a hashing algorithm a large number of times and send the result. This adds a computational overhead to the login process on the client side, which can limit how quickly new passwords can be tested.

      • They’re trying passwords gathered from other sources like the Sony et al. breaches. It’s not a brute-force attack; it’s using the fact most people are illiterate and reuse dumb passwords.
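The per-account and per-IP attempt limits suggested in the comment above, run against both the single-account guessing it describes and the password-reuse case raised in the reply, as an added example (not code from Microsoft or from any commenter). The class name, the limits and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limiter on failed logins, keyed by account and by source IP."""

    def __init__(self, per_account=5, per_ip=20, window=900):
        self.per_account = per_account    # failures allowed per account per window
        self.per_ip = per_ip              # failures allowed per IP per window
        self.window = window              # window length in seconds
        self._fails = defaultdict(deque)  # ("acct"|"ip", value) -> failure times

    def _recent(self, key, now):
        q = self._fails[key]
        while q and q[0] <= now - self.window:  # drop failures older than the window
            q.popleft()
        return len(q)

    def blocked_by(self, account, ip, now):
        """Return 'account', 'ip' or None; call before verifying the password."""
        if self._recent(("acct", account.lower()), now) >= self.per_account:
            return "account"
        if self._recent(("ip", ip), now) >= self.per_ip:
            return "ip"
        return None

    def record_failure(self, account, ip, now):
        self._fails[("acct", account.lower())].append(now)
        self._fails[("ip", ip)].append(now)


def replay(throttle, attempts):
    """Replay failed (time, account, ip) attempts; return (checked, block reasons)."""
    checked, reasons = 0, defaultdict(int)
    for now, account, ip in attempts:
        reason = throttle.blocked_by(account, ip, now)
        if reason:
            reasons[reason] += 1      # refused without testing the password
        else:
            checked += 1              # password was tested and found wrong
            throttle.record_failure(account, ip, now)
    return checked, dict(reasons)

# Constructed traffic (documentation-range IPs, made-up account names).
# Many guesses at one account from rotating sources: the per-account limit trips.
one_account = [(t, "victim@example.com", f"198.51.100.{t % 50}") for t in range(100)]
# One source trying a reused password once per account: no account sees more
# than one failure, so only the per-IP limit trips.
many_accounts = [(t, f"user{t}@example.com", "203.0.113.7") for t in range(100)]

def demo():
    return (replay(LoginThrottle(), one_account),
            replay(LoginThrottle(), many_accounts))

if __name__ == "__main__":
    print(demo())
```

On a real sign-in service the counters would sit in a store shared by every front-end server, so that all of them see the same counts.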

    • gtfo ‘Nope’ it’s not Microsoft’s fault, BUT they should have implemented better security and should handle the affected users more effectively

  • It is, however, Microsoft’s fault that their website allowed unlimited password attempts before rejecting further attempts.

    Yknow, like Hotmail does.

    Or any other sign in system that isn’t horribly, horribly, flawed.

    Surprised the level of hate levelled at Sony over “design flaws” isn’t being publicised against MS though.

    • Allowing unlimited password attempts is ridiculously weak security and should never be used on public-facing sites, especially those that are likely to attract hackers looking for financial details. CAPTCHAs don’t help here, given that CAPTCHAs can be cheaply broken (see

      Hats off to Kotaku for reporting this, since increased public scrutiny will encourage Microsoft to fix the problem and hopefully treat victims fairly, as opposed to their current head-in-the-sand attitude.

    • What Microsoft website allows for unlimited attempts? I am pretty sure Xbox Live credentials are managed by a Windows Live ID, and you can’t try more than a few times before your account gets blocked.

  • If people use stupid passwords that can be cracked so easily then that’s their fault. You’re also assuming that all those losing access to their accounts for 2-3 months are XBL Gold users.

    • You’re making quite a bit of an assumption there. I’ve personally been hit with this issue, and the password that I had tied to the account was quite long, convoluted, and was not used for anything else other than Xbox Live. I was the only person who used the account, have only used it on the one Xbox console (that only I use), and the only person aware of the password. And yet, my account was still compromised.

      Also, you seem to be indicating that having a password that isn’t easy to crack will somehow stop this from happening. The whole point is that by taking advantage of the loophole, any password can be cracked eventually.

  • This actually happened to me today, glad I had an old card connected to the account… I’ve removed cards, changed passwords and whatnot

    • Yep happened to me on Sunday – they finally “locked” the account for investigation after I called them back to find out why it hadn’t been locked yet – suggests to me that their “escalation team” has a lot on their plate this month!

      I don’t mind how long they take so long as I get my points back (I was holding on for the new Alan Wake)

  • I don’t see how it’s MS’s fault -_-

    As they say, hacking and hijacking are not the same thing. Their data is not compromised.

    • No, just their website. If you have a service that requires signing into an account, and there is a way (using access to that service, in this case via for people to brute force their way into said account without any trouble, you have a flaw in your system that needs to be fixed. Waving your arms around and saying that it isn’t your problem doesn’t make it so.

  • I still haven’t been refunded the points that were stolen… and their ‘investigation’ revealed no intrusion. A quick check on my purchase history shows 2 purchases that weren’t mine though… so what does that tell you?

    • I’m assuming you’ve changed your password since then. Out of curiosity, what was your password at the time? Something basic that could be compromised using the method mentioned in the article? Did you use the same email/password combination on any online forum or other gaming service that has been compromised over the last 6 months?

      If your account was logged in successfully, then there was no intrusion.

      • I somewhat disagree about your definition of intrusion in this instance, I can’t say what kind of investigation MS did, but there would be a high chance that the login to his account was probably outside of Australia. If the login is from another country, to me that is an intrusion, regardless if they got the right details first go.

        If the investigation provided no such easily seen red flag, then that might suggest the person who logged into the account is incredibly local to James Mac and that James Mac is just incredibly unlucky.

        • If logging in from overseas is all that is considered an intrusion, there would be a lot of people unhappy if their accounts were locked out as a result.

          We all want the freedom to log in wherever we want, likewise we want it to be a smooth process to log in. For me, CAPTCHA is annoying, half the time I can’t work out the word as it is. My password is secure, I shouldn’t have to prove I’m “human” by reading some illegible crap because there are people out there that can’t remember a secure password – we (as a species) want the freedom to have basic passwords, but we can’t handle the consequences and need to have someone to blame for it.

          • The account was logged into from China… MS tech support know this because the security question was changed to Chinese characters.

          • I previously stated that “in this instance” why I think it’s still an intrusion, different types of accounts will have different levels of what the definition of an intrusion is, I’m not talking about a standard email account which you send emails while you are on holidays.

            This account is an XBOX account, the customer has chosen a country, they have a registered XBOX serial to the account also, chances are they have also accessed GFWL or the website from a PC/Phone, each of them logging a different device, but can be all traced back to the same country.

            Now we are talking about this account being accessed from overseas, perhaps I was on holiday, but if I was did I really take the 360 with me? There is no real need to access this type of account from overseas, unless…

            Maybe I have migrated to another country, but the fact of the matter is that I am likely to have taken the same XBOX and/or PC with me, so the account is verified with the original hardware.

            “This instance” is that one random login from a first time device to the account was made (assumption is China), that was reported as fishy by the owner of the account, but after a full investigation MS have stated there was no suspect activity? I call shenanigans of the highest level in South Park.

            and yes, if my account was accessed from overseas and transactions were made, they should be calling me about it and not the other way around, if that means a temporary account lock, then that is fine with me.

  • My opinion won’t be popular but I don’t think it’s terribly fair to blame the person with the simple password. There might be a reason they have a simple password, i.e. being a child or learning difficulties etc. It’s also a reason they may have been targeted. Microsoft could take some of the blame by not offering a helping hand when it comes to these situations. Unfortunately we don’t live in a time where people are properly educated about the internet and how to protect yourself so blaming them isn’t terribly fair. Just Saying.

  • I had my account locked down for 1 month and received 2 months of compensation time, mainly due to the fact it took them nearly 2 months to even recognise my request. Now if only they’d hurry up and refund my 300 dollars. It’s been nearly 3 months since they advised me they’d be refunding it :/.

    5 months from lodging of original request to potential theoretical resolution is not great practice, Microsoft. 🙁

    • Absolutely. I knew someone that for their password, they would pick a number they associated with the particular site, between 30 and 50, press space-bar that many times. That was their password. Same theory applies and good luck using a brute force or dictionary-based attack on that one.

  • I had this happen to me personally and going via PayPal after shutting down the payment agreement was less hassle than going through Xbox support. My account is apparently still in good standing with no lockout. All sorted in 7 days too

  • This happened to my account in December (only actually discovered it last week when I was going to purchase some DLC). Rang support that evening, spent half an hour explaining what had happened, and everything was sorted out within a week. Got my points back, plus a free month of XBL. I’m glad I had a free subscription, tho, and as such had no payment methods linked to my account – they just bought a bunch of FIFA crap and left. The “months” of waiting must be only for paid subscribers… which is more serious, I suppose, cos they’d have to coordinate the investigation with a third-party (bank/paypal/etc), which would take far more time.
    Tbh, with the relative ease that the issue was dealt with, I’m more annoyed about them besmirching my profile with a sports game! Those 15 gamerscore will be a constant reminder of the inevitable outcome of not changing your password for five years…

    • Damn I was hoping they’d remove em – that’s the most dishonest gamerscore since the Hannah Montana game.

  • i got hacked last weekend and i use an incredibly long/confusing password this fucking sucks cuz now i cant use my xbox for anything for the next 2 weeks!!!!! ill hav a ps3 by the time this is all done with…

  • My account suddenly had 3 achievements for Fifa 12 last week and most of my prepaid points (4170) had been spent. I changed my password and phoned Microsoft and was told that my account could be suspended for 25 days while they take a look. 2 days later my account was returned with 4200 points plus I got 2 x 1 month live codes. I couldn’t be happier.

  • My account of 7 Plus years was hacked Jan 14th 2011. I had 2 Fifa 12 achievements and my 2900 prepaid Microsoft points were spent and my password to my Hotmail changed. I am no password moron, as my password is very hard to crack; something is seriously wrong with Microsoft’s end.

    It was easy to get back my Hotmail account and I made the password 2 times harder than before, but as I found out they’re brute force hacking passwords due to xbox.com’s flaw where you can have unlimited attempts at trying passwords.



    • dude no way!!!!!!!! i was hacked last week and 3000 points were taken and i had TWO FIFA 12 achievements! that’s how i noticed it was hacked cuz i don’t even own a FIFA game and my password is like 17 characters long or something so i know that wasn’t the issue…..wth

      • and this all happened the day after i contact them about som other issue. so i called them back again and im like “hey i think one of your employees hacked my shit” then theyre like “sorry we dont hav any record of you calling earlier or a record of this employee.” and the best part……YOU CANT SUE THEM

      • This just happened to me in a relatively short period. Between 4am – 730am PST today someone hacked my account (I have hotmail), bought FIFA roster crap and played FIFA 12 using my account. I noticed it so quick because my smartphone logs into hotmail to check mail and was unable to (invalid password). I got to a computer and went thru the recovery password crap and then called MS to report my missing points. It’s still being escalated. What I’m most pissed about is when this story hit last week, hotmail had just forced me to change my password (I have the 72 day expiry thing checked) so this person(s) managed to snag a brand new password (and no it was not simple). The agent at MS was exasperated when I mentioned that it was FIFA. Obviously they have been getting a lot of calls about this

  • I was hacked and although it took about 3-4 weeks to get my account unfrozen they gave me 2 months xbl membership as compensation. All in all the experience was ok apart from the initial shock. Annoying that it happened and they do need to look at their security process IMO (especially credit card info coming through on a recovered account).

  • I hate how they’re like, here, you can have 30 days free while we fix your main account… in my case all my BF3 stats + achievements and gun unlocks and all that crap are on the account now frozen… I DON’T WANT A NEW ACCOUNT I WANT MY OLD ONE BACK ALREADY!

    I told the guy when he said 25 days oh okay so a PSN outage time frame. He just laughed and I said yeah i’m trolling but i’m pissed off.

    7 + years XBL and I had to get brute forced hacked due to a flaw in Microsoft’s security SUE.

  • Don’t think it’s safe when you get it back and change password either, changed password made it long with upper/lower case numbers and special characters and was hacked again in 3 days… This time I had removed my gold subscription, paypal account and credit card from paypal account so they couldn’t take any more money, also got a heap of fake emails trying to get my paypal details. Ps3 looks better everyday, which is a shame cause I like xbox but the effort to protect account if I want any ms credits on the account is more than it’s worth if ms won’t do something. Why can’t we lock the account to one console or use a token/dongle if we want?

  • @nohappy

    I think I just stopped the hacker before he took my account AGAIN after I just got it back yesterday.

    I played Battlefield 3 again

    Then about 3 hours later tried to go onto

    Windows live ID password not correct.. I’m like OMG NOT AGAIN!

    changed my password and details 4 times! At least now my credit card and paypal are removed from my console. =D

    If the hacker is typing my gamertag he will find this post so. HACKER FUCK YOU!
