Ever since the first wave of "FIFA Hacks" surfaced last year, a lot of people have been complaining that their Xbox Live accounts have been "hacked". Microsoft has continually denied any such breach of security, but you know, there have been too many cases for too long now for this to be nothing.
So, uh, what's the cause behind the whole mess?
According to a report on Eurogamer, based on the testimony of a man who allegedly knows "how to hack into Xbox Live accounts", the culprit isn't Xbox Live itself, but Microsoft's Xbox.com website and, by extension, its Games for Windows Live service.
...point the finger at Xbox.com - the website. This allows eight password attempts at a Windows Live ID before CAPTCHA is triggered - the system that presents those squiggly words. A simple password-generating script can apparently be used to exploit this system before CAPTCHA kicks in.
The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you'll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they're valid - "the email address or password is incorrect" - or not - "That Windows Live ID doesn't exist."
Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points.
If this is indeed the root cause — and remember, we don't know that it is — it certainly sounds about right. It always seemed too timely to be a simple case of lazy passwords on the part of users, but if it was a breach of Xbox Live itself, Microsoft would surely know about it. So a combination of the two sounds entirely plausible.
We're checking with Microsoft to see if they can comment, and will update if we hear back.
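The two weak points the report describes, a sign-in page that answers differently for unknown and known IDs and a run of free guesses before any challenge appears, look like this from the defending side. This is an added example, not code from Microsoft, Eurogamer or this post; the `LoginService` class, the threshold of 3 and the `challenge_passed` flag are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Same wording for every failed sign-in, so the reply never confirms an ID exists.
GENERIC_ERROR = "The email address or password is incorrect."
CHALLENGE = "challenge_required"
MAX_FAILURES = 3        # assumed threshold, not a value from the report
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Hypothetical in-memory sign-in service (illustration only)."""

    def __init__(self):
        self.users = {}      # email -> (salt, password hash)
        self.failures = {}   # email -> failed attempts, kept for unknown IDs too
        # Placeholder record so unknown IDs cost the same hashing work as real ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email.lower()] = (salt, _derive(password, salt))

    def login(self, email: str, password: str, challenge_passed: bool = False):
        email = email.lower()
        # Throttle per targeted ID, whether or not it exists, so the
        # challenge itself cannot be used to tell real IDs from invented ones.
        if self.failures.get(email, 0) >= MAX_FAILURES and not challenge_passed:
            return (False, CHALLENGE)
        known = email in self.users
        salt, stored = self.users.get(email, self._dummy)
        matches = hmac.compare_digest(_derive(password, salt), stored)
        if known and matches:
            self.failures.pop(email, None)
            return (True, "ok")
        self.failures[email] = self.failures.get(email, 0) + 1
        return (False, GENERIC_ERROR)
```

A real deployment would keep the counters in a store with expiry and also limit attempts per source address, since a per-ID counter alone does nothing against one guess each across many IDs.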