News security flaw behind XBL account thefts?

Security exploit seemingly exposed by fraud victim

Insufficient security measures on the official website may be to blame for the growing number of Xbox Live account thefts.
That's according to a network infrastructure manager who contacted Analog Hype (thanks Edge) after having his own account accessed and his credit card details used to fraudulently buy 8,000 Microsoft Points.

Jason Coutee is said to have uncovered a security hole that allows an unlimited number of password attempts, requiring only that a CAPTCHA code be entered after eight failed ones. Once the CAPTCHA is entered correctly, you get another eight attempts, and accounts are not locked as a precaution after too many failed entries.

According to the report, skilled hackers are able to bypass the CAPTCHA code and run password-generating scripts that brute force their way into Xbox Live accounts.

Coutee suggests hackers are obtaining Windows Live IDs by playing Xbox 360 games online, gathering Gamertags and Google searching them in the hope of finding related email addresses. When these are entered as Windows Live IDs, the site will tell you whether or not they are valid accounts. While Coutee attempted to report his findings to Microsoft, he was reportedly given the run-around by a number of departments.
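The two weaknesses the report describes, a failure counter that the CAPTCHA resets and a sign-in form that confirms whether an ID exists, can be shown side by side with a hardened policy. The following is an added illustration written for this article, not code from Microsoft or the reporter; the constructed user table, the lockout threshold and the 15-minute cooling-off period are assumptions.

```python
import time
from collections import defaultdict
CAPTCHA_AFTER = 8        # from the report: CAPTCHA demanded after eight failures
LOCK_AFTER = 8           # assumed threshold for the hardened policy
LOCK_SECONDS = 15 * 60   # assumed cooling-off period

class WeakLogin:  # reported behaviour: solving the CAPTCHA resets the counter
    def __init__(self, users):
        self.users = users                 # {live_id: password}, constructed sample
        self.failures = defaultdict(int)

    def attempt(self, live_id, password, captcha_solved=False):
        if live_id not in self.users:
            return "unknown id"            # leaks whether the ID exists
        if self.failures[live_id] >= CAPTCHA_AFTER:
            if not captcha_solved:
                return "captcha"
            self.failures[live_id] = 0     # the flaw: eight more guesses
        if self.users[live_id] == password:
            self.failures[live_id] = 0
            return "ok"
        self.failures[live_id] += 1
        return "rejected"

class LockoutLogin:  # hardened: per-ID lock with cooling-off, one uniform error
    def __init__(self, users, now=time.time):
        self.users, self.now = users, now  # clock injected so the lock can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, live_id, password, captcha_solved=False):
        if self.locked_until.get(live_id, 0) > self.now():
            return "locked"                # nothing is checked while locked
        if self.users.get(live_id) == password:
            self.failures.pop(live_id, None)
            return "ok"
        self.failures[live_id] += 1        # counted for unknown IDs as well
        if self.failures[live_id] >= LOCK_AFTER:
            self.locked_until[live_id] = self.now() + LOCK_SECONDS
            self.failures.pop(live_id, None)
        return "rejected"                  # same answer whether or not the ID exists

def guesses_checked(login, live_id, candidates):
    # Effective guess budget: how many candidates a policy actually evaluates
    checked = 0
    for pw in candidates:
        result = login.attempt(live_id, pw, captcha_solved=True)
        checked += result in ("ok", "rejected")
        if result == "ok":
            break
    return checked
```

Under the weak policy the budget equals the size of the candidate list; under the lockout policy it stops at LOCK_AFTER per cooling-off window, which is the figure a rate-limiting review should be checking.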

Last week, Microsoft refunded an Xbox Live user who hit the headlines after discovering she was the victim of an overseas phishing scam.

Despite growing concerns over Xbox Live account theft, the platform holder says "the online safety of Xbox Live members remains of the utmost importance", and it insists "there has been no breach to the security of our Xbox Live service."