Password Exploit Fingered for XBL Hack


The ongoing hacking of Xbox LIVE accounts has been one of the more evergreen stories in the gaming interwebs for the past few months, ever since it was first discovered that people’s accounts were being hacked to purchase stuff for FIFA 12.

Now, it seems, Eurogamer and AnalogHype have both published their findings into how these hacks have occurred. Both sites seem to have been contacted by one Jason Coutee, who had his account hacked and decided to figure out the exact process that goes into hacking an account.

The first step is to gather gamertags from simply playing Xbox LIVE games, which can be done after a vigorous round of Battlefield 3 or something. Google is the next stop, where hackers will try to match the gamertag with the associated e-mail address—which can then be used to try and log in to

Once there, hackers will try and test the e-mail addresses they’ve collected to see if they’re valid Windows Live IDs. allows up to eight password attempts before a captcha is presented to the user, and all the while this process can be smoothed out with password-generating scripts. Once the password is found, the hacker gets in to the account and changes the password, the ID, purchases points and games and junk with the user’s attached credit card info, and then sells the ill-gotten games through the internet.

Hackers and computer-savvy people know things like this. I’m going to go out on a limb and say that most (not all) Xbox gamers aren’t totally in the know about how website security measures work—or how they fail. I know that this was news to me—sure, I knew there were methods of hacking into people’s accounts, but I wasn’t aware of how totally easy it was.

As of now, Eurogamer, AnalogHype, and Jason Coutee have contacted Microsoft about the exploit’s ease of use, but haven’t gotten any reply.

“Everybody at Microsoft refused to acknowledge the issue and because of that, gamertags are still being hacked,” remarks the AnalogHype post, offering a potential solution: “Microsoft can easily fix this issue by sending an email to people when there are more than X amount of failed login attempts and by by storing session id’s.”

Our own computer-savvy intern, Landon “Boy Genius” Robinson, explains that he’s pretty familiar with this kind of tactic (or, as I will now call it, “hacktic,” because I’m clever). His suggestion would be for Microsoft to require a log-in name that’s unique and known only to the user who’s trying to log in—in short, NOT the e-mail address you’ve probably got attached to your LinkedIn page, your Facebook account, and all the rest.

These both seem like good measures that Microsoft could start to implement to try and block against what is likely to be the black hats’ current point of entry. Regardless, earlier this week I went ahead and removed my credit card info from my Xbox account—just in case.

It’s funny—I got a PlayStation 3 for the holidays and I’ve been griping about how annoying it is that I can’t do anything with my PSN account from the website. I can’t download demos, I can’t purchase games, and I can’t even add friends from the website. As it turns out, this is probably for my benefit, as the lack of web-based control is a safeguard against getting hacked. Or am I being naïve here too? Help me out, people.

What do you think? Were you familiar with this kind of exploit? What are your suggestions for Microsoft’s next move to combat what seems to be a growing problem?

Via Eurogamer and AnalogHype

  1. Yeah but can you elaborate on how they find your e-mail from the gamertag?

    That seems to be the initial root of it.

    • If you share your gamertag info online, or if your gamertag has a lot in common with your name, your e-mail address, etc., Google may hold the answer. It’s likely that many people put their gamertags up on Facebook, to try and find people to play with them, or on blogs, Twitter, whatever. People adept at using Google or other search engines to gather information will usually be able to find people who mention their gamertags online–and since a gamertag is what you need to get people to find you and play with you on the network, I’m sure there’s a wealth of tags posted out there.

  2. Microsoft, should implement a system which can detect how quick each password retry is and if its too quick (Example less then a second a retry) then IP should get banned from Windows Id Sites and the Actual User should notified of this.

    Or after the 18 wrong password message you should be locked out or have to 10 Minutes, 24 Password 30 Minutes and keep gradually increasing.

  3. This is one of the reasons why I try to keep my account email addresses as distinctly separate as possible. I have one address as my official email for school and the like, one personal address, and one address exclusively for Xbox Live. It may not be the most secure thing in the world, but it at least prevents me from using my Xbox Live info on any part of the internet but At least posts like this remind me to check the security of my account more often.

  4. Good thing i dont share…

  5. I like the two ideas in this article, Microsoft should add them to their website asap. Since my GT was signed in on another console while I was using it (luckily no harm done since I signed back in instantly and changed my password) I’m going to change my password every other month now.

  6. Correct me if I’m wrong, but if people made themselves proper secure passwords (ie, not: password321), this method wouldn’t work nearly as well.

    • Well actually passwords are bruteforced alot quicker than they used to. The only way to really be sure is to have a passphrase that is easier for a human to remember but harder for a computer to generate. Passphrases are more exploited by password databases than actual bruteforce password generators. Here is a nice link to let you know how fast your password can be bruteforced with modern pc’s

  7. ….My account was hacked. All friends deleted, New activity like MW2 and 3, Picture change, etc.

    Good thing it was just an unused Silver Account, and doesn’t contain Credit Card info. It’s still annoying, though.

  8. Same thing happened to me as alpha. Account was hacked but luckily i only ever purchase credit from EB games and my account was silver at the time all my contacts where deleted and a different picture was placed on my account.

  9. The worst is that Xbox Live accounts aren’t the sole victims with this approach: Xbox Live resides on top of Windows Live ID which can and effectively is used in way more websites than Xbox and other Microsoft ones.

    When you get your Id stolen, it can affect Xbox Live, Hotmail, Windows Messenger, Skydrive, and many other websites using Live Id as a SSO (Single Sign On) solution.

    Microsoft should take this security threat very seriously because it can spread over many other usages.

  10. I might just post a list of my enemies’ GTs online…

  11. People in these comments are stupid and know nothing, this is just brute forcing.

  12. Brute Forcing passwords is nothing new, It takes a really long time and is easily noticeable.

    I bet the people getting ‘hacked’, have really stupid passwords that you could guess in maybe a day.
    e.g. “qwerty”.

  13. I was very aware of this ‘hacktic’. In fact in the early days of xbl, I used to do this to piss people off…but a problem that was seemingly solved back in 2007 shouldn’t be an issue now. Infact you can do this with little to no software if people are uncreative with their security question. Boy do I feel safe when a person with the intel of a 15 year old can steal my cc info from a billion that grounds itself on it so called secure operating system.

  14. Un-ban Your IP From Forums, Blogs, and other Websites – By faking your IP you can often access numerous sites you had been banned from.

  15. Can you hack BennygamesNL pleaseeeeee

Tell Us How Wrong We Are

Your email address will not be published. Required fields are marked *