Last week, Microsoft‘s “ongoing-but-shhhhh” Xbox LIVE security scandal was back in the news after one user’s story was copy-pasted from Tumblr and made it into gaming news headlines.
This prompted Microsoft to make some kind of official statement on the matter – something they’d managed to avoid doing up until then. And mostly continued to avoid doing so, with Xbox LIVE enforcement and policy boss Stephen Toulouse admitting only that Microsoft’s customer response could maybe be a bit better.
Now reports over on Eurogamer and AnalogHype are suggesting the problem is not with Xbox LIVE’s network itself, but sloppy security control on the website, Xbox.com. That’s according to “a man who claimed to know how to hack into Xbox Live accounts”, who contacted both sites (although the article on AnalogHype is currently inaccessible).
The Xbox.com website allows eight password attempts at a Windows LIVE ID before the CAPTCHA system locks out further attempts – eight attempts which hackers are allegedly exploiting with a password generating script.
“The Windows Live IDs come from playing Xbox 360 games online. Gather Gamertags and Google search them in the hope you’ll find related email addresses. Try these as Windows Live IDs and the Xbox.com website will let you know if they’re valid – ‘the email address or password is incorrect’ – or not – ‘That Windows Live ID doesn’t exist,'” reads the Eurogamer report.
“Using these methods you can apparently brute force your way into a near-limitless supply of Xbox Live accounts and use their saved banking details to buy Microsoft Points.”
Microsoft has apparently been contacted about this, but has not yet made any further comment.