Is Xbox support staff helping hackers hijack accounts?

Investigations prove that compromising Xbox Live accounts can be a trivial pursuit

Microsoft Thursday blamed Xbox Live network account hacks on users' gullibility, but evidence shows that in some cases the gaming service's own support staff could be unwittingly helping hackers snare players' identities.

Responding to reports of account theft on Xbox Live that surfaced this week after security researcher Kevin Finisterre -- of "Month of Apple Bugs" fame -- went public with how his account was pinched, Microsoft today said it had wrapped up its investigation. It was only yesterday that Microsoft announced it had begun looking into the thefts.

"Despite some recent reports and speculation, I want to reassure all of our six million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our Live network," Larry Hryb, the Xbox Live director of programming, said on his popular "Major Nelson" blog. "There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their Live account.

"Hope that clears things up," he added. A Microsoft spokesman later e-mailed an almost-identical statement to IDG publication Computerworld (U.S.).

Both Hryb and the Microsoft spokesman also reminded users not to "give out information that personally identifies you, such as your real name, address, phone number, credit card number, etc."

But its Xbox Live support staff may not have gotten that message.

Xbox Live users have offered accounts to Computerworld of instances where the service's support representatives have given out personal information about an account without verifying the caller's identity. Computerworld also obtained an audio recording of one such call.

"We learned of [a hack into my son's account] in December, when Live charges were showing up on my credit card," said Lori Dobson in an e-mail. "When I contacted Microsoft, the rep I dealt with actually gave me the name and city, state that was using the account, other than my son!"

In the audio recording, an Xbox Live support rep ends up giving out another user's gamertag, the service's term for a player's username, as well as that user's street address and city. The caller, who was attempting to hijack a friend's account with that friend's permission -- the friend was listening in on the line -- started with a legitimate gamertag, but then when the rep said she could not pull up the file based on a bogus phone number, he shifted to phony information, eventually making up a last name and claiming he didn't know which credit card was associated with the account.

"Okay, I got it," the rep said after the caller had given out a fake surname for the account. She then read out another player's gamertag as well as a street address and city associated with that account.

Although the caller wasn't able to collect enough information to hijack the gamertag, the recording demonstrated the tactic that one Xbox Live hacking group uses. The Web site of the "Infamous" clan -- a group of Halo players who have crowed about hijacking accounts of other players -- boasts of how easy it is to dupe the service's support staff.

"How do we get your information? It's easy...you call [and] pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah. You might get one little piece of information per call but then you keep calling and keep calling, every time getting a little more information. Once you have enough information you can get the password on the windows live ID Reset. They may tell you they can't but it's bull s***. People at Bungie CAN and WILL reset your password."

The site, which was online as recently as Wednesday, was offline Thursday.

Gregg Keizer

Computerworld