
Report: Xbox.com Password Flaw Behind Recent 'Hacking' Woes?

Jonathan Lester
brute force, Hack, Microsoft, Xbox Live, Xbox.com


When Is A Hack Not A Hack?

When it's brute force. According to a new report from AnalogHype, which was contacted by an eagle-eyed hacking victim, the recent spate of unauthorised Xbox Live account access may stem from a vulnerability in the Xbox.com website. Jason Coutee, a network infrastructure manager who had his Xbox Live account hacked earlier this year, noticed that Xbox.com allows users to make eight incorrect password attempts before a CAPTCHA challenges them... and that the counter can be reset by clicking 'try with another Live ID'. Hackers can therefore run simple automated password-guessing scripts against lists of Windows Live IDs gathered from numerous online sources.

This is definitely a rumour at present, but a compelling one nonetheless. It certainly explains the sporadic nature of the accessed accounts, since it isn't technically a hack at all, but rather a brute force attempt. The FIFA 12 connection, which heavily suggested a loophole in the EA servers, could be explained away simply because it's one of the best selling games of the year with plentiful DLC. We hope that Microsoft will at least issue a statement soon, since users are still falling prey to unauthorised access months after this issue was first reported.
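To show why a resettable attempt counter is the problem, here is an added illustration that is not code from the article or from Microsoft. It assumes the reported reset meant the counter was tied to the client's browsing session, and contrasts that with a counter kept server-side per target account; the class and function names are this example's own.

```python
"""Added illustration, not code from the article or from Microsoft: a failed-login
counter kept in the client's session (reset by starting a new session, which is
what the reported 'try with another Live ID' bypass implies) versus one kept
server-side per target account. All class and function names are this example's own."""
from collections import defaultdict

CAPTCHA_AFTER = 8  # wrong attempts tolerated before a CAPTCHA, the figure from the article

class SessionScopedThrottle:
    """Weak: the count belongs to the session, so a fresh session starts at zero."""

    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, session_id, account):
        self.failures[session_id] += 1

    def captcha_required(self, session_id, account):
        return self.failures[session_id] >= CAPTCHA_AFTER

class AccountScopedThrottle:
    """Hardened: the count belongs to the targeted account and lives server-side,
    so discarding the session changes nothing. Demanding a CAPTCHA rather than
    locking the account keeps this from becoming a denial-of-service lever."""

    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, session_id, account):
        self.failures[account.lower()] += 1  # normalise so case variants share one counter

    def captcha_required(self, session_id, account):
        return self.failures[account.lower()] >= CAPTCHA_AFTER

def wrong_guesses_before_captcha(throttle, account, max_attempts=100):
    """Replay wrong guesses against one account, starting a fresh session just
    before each CAPTCHA threshold, and return how many went unchallenged."""
    accepted, session = 0, 0
    for attempt in range(max_attempts):
        if throttle.captcha_required(session, account):
            return accepted
        throttle.record_failure(session, account)
        accepted += 1
        if attempt % (CAPTCHA_AFTER - 1) == CAPTCHA_AFTER - 2:
            session += 1  # the equivalent of clicking 'try with another Live ID'
    return accepted
```

With the session-scoped counter every one of the 100 replayed guesses goes unchallenged; with the account-scoped counter the CAPTCHA appears after the eighth, whatever the client does with its session.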

ODB_69  Jan. 14, 2012 at 12:04

Don't buy it personally. Why no COD link? Why only FIFA? It's EA clearly.

JonLester  Jan. 14, 2012 at 12:21

I agree that the FIFA 12 connection was, and still is, incredibly suggestive.

However, there is a plausible explanation for your point. MW3 has no DLC at present, hence there's no need to hack an account in order to use someone else's credit card. FIFA 12, on the other hand, has loads of DLC and is the second best-selling X360 game of the year - hence would be most hackers' (or people who've bought access from them) first port of call. Other games - XBLA downloads especially - have certainly been bought as well.

Last edited by JonLester, Jan. 14, 2012 at 12:26
DrTrouserPlank  Jan. 14, 2012 at 12:39

This sort of thing is easily avoided by having a strong password, ideally one that has numbers, letters (upper and lower case) and special symbols. Ideally the password wouldn't even be a word as such so that it won't appear in the dictionary scripts that people usually use with brute-force attempts.

Last edited by DrTrouserPlank, Jan. 14, 2012 at 13:36
DivideByZero  Jan. 14, 2012 at 19:24

Yep. There are two main types of brute force attacks.

1) try everything... A, B, C, and so on up to ZZZZZZZZZZetc.
2) a list of common words.

As I work in IT, my advice is this.

Pick a password that is fairly long, with letters, numbers and upper and lower case. Make sure it is easy enough to type. Then for each thing you have, suffix it with a unique ID for the site / service. So for example, if you have "Passw0rd1" as your main password part then you could have Passw0rd1Deal, Passw0rd1Amaz, Passw0rd1Psn etc.

This means if your password ever gets jacked, then no automated tool is going to hack into anything else you own.

Having one password for all things is the worst thing you could do and is basically the root of easy hacking. Anonymous did this to get into someone huge a while back. One user's password on the web was the same as their work ID and bang. Access to everything.

EDIT: Don't use Passw0rd1 - it's a default MS one! :)

Last edited by DivideByZero, Jan. 14, 2012 at 19:25
Anarchist  Jan. 15, 2012 at 00:16

Godsake, my post this morning for some reason got deleted... But it basically said the same thing as dividebyzero. I'd put money on the fact this 'hack' started because of a semi dodgy website being signed up to by lots of users using the same email/password as their live ID. Most people use the same email/password for absolutely everything.

Which is the worst thing ever that you could do.
