Microsoft has officially responded to this weekend's compelling report suggesting that the recent spate of illegally-accessed Xbox Live accounts was facilitated by brute force attempts made through the Xbox.com website. In a statement, the Redmond giant contends that the issue is "industry-wide" and there is no specific "loophole" that hackers are taking advantage of. As always, they recommend following a stringent online security regimen and employing strong passwords to deal with the issue, though they suggest that phishing and fraud still have a lot to answer for. Full quotes and details after the break.
In a statement made to IGN, Microsoft reiterates that Xbox Live's security has not been compromised, and that brute force attacks are a sad but universal phenomenon.
"This is not a 'loophole' in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue.
"Microsoft can confirm that there has been no breach to the security of our Xbox Live service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers' information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable."
We can see the logic in this argument, and would urge you to ensure that your password is as strong as possible (you can read tips from some savvy Dealspwn readers here). But since Xbox.com allows anyone to reset the CAPTCHA after eight unsuccessful login attempts by simply clicking "try with another Live ID" (which would be possible to automate with a simple bot/script), we reckon that Microsoft are still making themselves an easier target than most.