Finisterre seemed to lean toward the latter, a low-tech form of identity theft where a criminal calls technical support, poses as a legitimate customer, and somehow convinces the representative to issue a new password or hand over the existing one.
"Some of the forums where the Clan Infamous is talking, they state that they are basically taking advantage of dumb Xbox Live customer support. So there may not actually be some [zero-day] exploit [but] rather stupidity of the staff on hand," Finisterre said.
Microsoft's only official response was to say that it is looking into the matter. "There have been reports of fraudulent activity and account theft taking place on the Xbox Live network," a company spokesman said Wednesday. "Security is a top priority for Xbox Live, and we are actively investigating all reports of fraudulent behavior and theft.
"Any customer with a question about the security of their Xbox Live account should contact 1-800-4-MY-Xbox, and an Xbox customer service representative will help them understand our security policies and procedures," the spokesman added.
If Finisterre's experience is any guide, that recommendation may just waste customers' time. "I've stooped to calling random Bungie employees until I get someone to hold accountable," he said. "It's kinda pathetic that I had to go to the media to get this investigated. It's also sad that so many other people on Xbox forums are getting blown off, too.
"Neither Bungie nor Xbox Live support has owned up to anything really, so ... here I sit waiting for my callback still," Finisterre said.