Microsoft reversed itself on Friday, confirming that some vandals have likely been able to con its Xbox Live support personnel into giving up users' personal information and assigning accounts to malicious thieves.
The reversal comes after security researcher Kevin Finisterre provided the software giant with a recording of a conversation with an Xbox Live support person, in which the staff member reads off the gamertag and city of residence for a random user after being provided with fake identity information. While some Xbox Live members have boasted that they could steal accounts by social engineering the support staff at Microsoft's gaming service, the software giant had dismissed the incidents as more likely the fault of the users involved.
Microsoft has now acknowledged that many of the incidents could very well be the fault of the support staff, as SecurityFocus first reported. The software giant is continuing to investigate, but will also be making changes to head off the threat, said Larry Hryb, Microsoft's director of programming for Xbox Live.
"We are making some pretty top-to-bottom changes to reduce this type of attack," said Hryb, who also uses the gamertag 'Major Nelson'. "This shouldn't have happened. Clearly, along the way here, people have not followed the policy and need to be educated with the policy."
The software giant stressed that only a very small number of accounts have likely been stolen and that some groups' claims that they have stolen 10 accounts a day are likely bravado. The company also said that its current authentication mechanisms for checking the identity of customers calling into support should work, but that some support personnel will have to be retrained.
Microsoft thanked Finisterre for bringing the issue to its attention. A maintenance outage is scheduled for Tuesday, but has nothing to do with the account-stealing issue, Hryb said.
Posted by: Robert Lemos