Kevin Finisterre, a security researcher at Digital Munition, raised the issue on the Full Disclosure mailing list over the weekend, calling attention to rumors that Microsoft's Bungie.net was the victim of a breach that exposed a portion of Xbox Live.
"Some folks are having their Microsoft points stolen and/or points purchased via their stolen gamer tag," Finisterre said.
A quick search of user forums at xbox.com and other gaming sites turned up multiple messages from Xbox Live users complaining about hijacked accounts, which typically link gamer tags to Windows Live ID (formerly .NET Passport).
According to Finisterre, there is a group online called "Infamous Clan" brazenly offering to "jack" Xbox Live accounts and boasting about successful account theft.
Several Xbox Live users contacted me to confirm the rumors and make it clear that the stolen accounts are being used for nefarious purposes.
One reader writes:
"I have been involved with Microsoft Support for days on this exact issue and have spent many hours on the phone trying to prove to them that, first, my Windows Live ID was stolen and, second, the ID and password associated with my ID were changed; two actions that Microsoft swears can NEVER happen; and third that the thief was able to then use my credit card information associated with one of my Windows Live ID accounts to purchase over $800 of Microsoft products.
Thank goodness for other websites that still contained my old Windows Live ID information and also the fact that, in order to gain access to those other websites, you NEED a Windows Live ID. After spending over 20+ hours on the phone with support and finally getting them to realize that I did indeed have a Windows Live ID, after pointing them to the other websites, I was told by a supervisor that 'Yes, in fact, we have heard of some instances where a user's Windows Live ID had been compromised!'
After finally getting this confirmation and having a case number assigned and forwarded to Microsoft Security Investigations, they, also, confirmed it as a breach, issued me another Windows Live ID and then reinitialized the stolen Microsoft Products that were associated with the old ID over to the new ID."
Another gamer wrote in with an identical complaint, warning that Microsoft's product support staff have been unhelpful. "They admit this is an issue but say there's nothing they can do about it," he added.
Digital Munition's Finisterre also made a note about the lack of support from Microsoft:
I just got off the phone with a Microsoft Tech for Xbox Live that has confirmed this with me and they have stated that accounts are being stolen and that "Hackers have control of Xbox live and there is nothing we can do about it."
Microsoft did not respond to a request for comment.