Kevin Finisterre, one of many Xbox gamers who claim that they've recently been shut out of their accounts after hijackers have taken them over, says it's Microsoft's Xbox Live support staff who are giving the information away.
"It's because they outsource their support staff to Mexico or somewhere like that and the staff barely speaks English," he told eWEEK in an e-mail exchange. As justification for this view, he pointed to an Xbox forum posting by "JuStCaLLMeC0DY," a member of an online gaming clan by the name of InFamOuS that has posted a "black list" of accounts stolen and the reasons why they were chosen (the site has been taken down since this morning).
"we dont take account xbl support gives out the info and we take it ty," JuStCaLLMeC0DY wrote in his posting.
"Some folks are having their Microsoft points stolen and or points purchased via their stolen gamer tag," Finisterre said in a posting to Secunia's Full Disclosure security mailing list on 19 March. Points are Microsoft's forum of currency for use in online gaming. One point costs about 1.25 cents USD in real-life currency.
Before its site disappeared, InFamOuS had posted a list of stolen accounts that included seven account names. The reasons why the accounts were stolen, according to the site, included "Says 'I'm Unjackable! my account is Invalid!'" and "Talked so much [obscenity] to GoD and entire Clan!"
Control over one's gaming account isn't the only thing at stake; some gamers posting to Xbox Live forums claim to have had their credit accounts stolen and maxed out.
Finisterre recorded a telephone conversation with what he said was a Microsoft Tech for Xbox Live in which the purported support person confirmed that accounts are being stolen and that "Hackers have control of Xbox live and there is nothing we can do about it."
In the conversation, which Finisterre has posted on his site, the support person told Finisterre that Microsoft was aware of the situation and that "this has been happening quite often today."
Microsoft has acknowledged recent reports of fraudulent activity and account theft taking place on the Xbox Live network and is looking to verify the support conversation. Tales of stolen Xbox Live accounts posted on Xbox Live forums date back to at least September. Finisterre posted a summary of what he called the "Microsoft coverup?" on BugTraq on March 20.
A spokesperson told eWEEK that Microsoft is investigating the reports.
"Any customer with a question about the security of their Xbox LIVE account should contact 1-800-4-MY-Xbox, and an Xbox Customer Service Representative will help them understand our security policies and procedures," the spokesperson said.
Perhaps they will, or perhaps Xbox Live support staff will scratch their heads and shrug, as they reportedly did when Finisterre called about his account. In his call with support staff, Finisterre said he was told that there was "nothing" the support staff could do, and that the problems were blamed on Bungie Studios, the Microsoft-owned developer of the games "Halo" and "Halo 2."
"There's nothing I can do because Bungie is the one who's in charge," Finisterre says he was told by the staffer.
Microsoft issued a more detailed statement on March 21 denying that the Live network had been compromised.
"Despite some recent reports and speculation, we want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our LIVE network," the statement said.
"There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account. We think this is a good time to remind our members that they should never give out any of their personal information," said the statement.
Microsoft reiterated that "to our knowledge, no credit card or other personal information was exposed."
To protect their Xbox Live accounts, Microsoft advised customers "follow the guidelines outlined in the Xbox Live code of conduct on Xbox.com.
This code of conduct in part directs customers not to "give out information that personally identifies you [such as your real name, address, phone number, credit card number, etc.] while you're playing. This includes voice chat and the names you create for your gamertag or mottos. This information could be used by other players for illegal or harmful purposes. Also, don't give out the personal information of other players."
"We are always evaluating our security policies and procedures," the statement noted.