The Xbox Live hack claims have been around for quite some time now but over the last few months the claims have been getting louder and more common and now we’ve apparently found the culprit.
And as much as certain elements out there would love for it to be a security breach on the XBL service itself it’s actually something far simpler than that.
When you go to Xbox.com you can sign into your Xbox Live profile and manage everything from there, which is really handy but an obvious weak point for them. Generally, to avoid brute force attempts, websites only allow you 3 invalid logins before locking your account.
However, Microsoft actually allows 8 and then doesn’t even lock your account but just redirects you to a CAPTCHA image.
So the rumour is that there are some robots trolling the Internet looking for Xbox Live usernames and email addresses to use to login with. So for example I’d post on a forum that I want to play Gears of War 3 and anyone else who does should add me (LazySAGamer) or just drop me an email (firstname.lastname@example.org)
Now that robot knows my combination and will take that to the Microsoft site and start brute forcing passwords until it finds one. Every 8 failures gets redirected to a room full of underpaid wage slaves who simply type in the CAPTCHA.
The idea sounds simple enough and would be very hard for Microsoft to stop, as they wouldn’t want to man a support desk just to reset passwords. So how else can they fix this?
Well, simple really: after the second wrong attempt you are given a 5 minute penalty, 10 on the 3rd, 20 on the 4th and so on. That instantly blows out the time it would take to brute force an account and therefore makes it an unrealistic option.
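To show how little it takes to implement that escalating penalty, here is an added example (not code from the post or from Microsoft) of a per-account login throttle that follows the schedule above: no penalty on the first failure, 5 minutes after the second, doubling on every further failure; the class, method names and the in-memory store are my own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Schedule from the post, in seconds: 0 after the 1st failure,
# 5 min after the 2nd, then 10, 20, 40 ... (doubling each time).
BASE_PENALTY = 5 * 60


@dataclass
class AccountState:
    failures: int = 0        # consecutive wrong passwords so far
    locked_until: float = 0  # unix time until which logins are refused


class LoginThrottle:
    """Hypothetical in-memory throttle keyed on the account name."""

    def __init__(self, base_penalty=BASE_PENALTY):
        self.base_penalty = base_penalty
        self.accounts = defaultdict(AccountState)

    def penalty_for(self, failures):
        """Seconds of lockout imposed after `failures` consecutive failures."""
        if failures < 2:
            return 0
        return self.base_penalty * 2 ** (failures - 2)

    def seconds_to_attempt(self, n):
        """Total lockout time an attacker must sit through before guess n."""
        return sum(self.penalty_for(k) for k in range(1, n))

    def attempt(self, username, password_ok, now):
        """Process one login attempt at unix time `now`; returns (allowed, reason).

        `password_ok` stands in for the real credential check, which is only
        consulted when the account is not currently locked.
        """
        state = self.accounts[username]
        if now < state.locked_until:
            return False, f"locked for {int(state.locked_until - now)}s"
        if password_ok:
            self.accounts.pop(username, None)  # success resets the counter
            return True, "ok"
        state.failures += 1
        penalty = self.penalty_for(state.failures)
        state.locked_until = now + penalty
        return False, f"bad password, penalty {penalty}s"
```

With this schedule the 20th consecutive guess cannot even be made until about two and a half years of lockout have elapsed, which is what makes online brute force pointless; the trade-off is that a per-account lockout lets anyone who knows a gamertag lock its owner out, so real deployments usually also key on the client address or fall back to a CAPTCHA rather than a hard lock.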
But then again I’d also expect Microsoft to have seen a brute force attempt pretty quickly and not have this running for months.
So who knows if it is true or not but to be safe you may as well… do nothing. There isn’t anything you can do besides remove credit card details from your account.
Oh, and now I’m not stupid enough to post my linked email address here, am I? My Xbox Live account is linked to a different email address.
Last Updated: January 16, 2012