Microsoft Wednesday acknowledged reports of hackers stealing player accounts on the company's Xbox Live gaming service and said it is launching an investigation.
Reports of account theft on Xbox Live have been making the rounds of the network's user forums since at least December, but complaints amped up this week when security researcher Kevin Finisterre -- of "Month of Apple Bugs" fame -- announced that he had been hacked.
In an e-mail interview, Finisterre said he was victimized last Thursday. "We were playing with some folks that were cheating by a known method called 'standbying' or 'bridging,' and during the game, we were told 'I am going to steal your account,'" said Finisterre. "Sure enough, the next day, my Xbox said, 'We are sorry, but someone else has signed on as your gamertag, and we have to log you off.'"
Gamertag is Xbox Live's term for a player's username.
"Immediately after that, I was banned from Xbox live until 3/18/2007," said Finisterre. He called support, but got what he called "the runaround." Several days later, when Finisterre was supposed to be able to again access his account, he logged in to Xbox Live again. "Boom, now we are banned until the 24th," he wrote. "When I call in, they still cannot tell me anything. My account is still under investigation and that's all I know."
Other Xbox gamers have related similar stories. One, identified as "St00mPPP33yYyYY," wrote on Dec. 31 that "sumone [sic] just hacked my account over xbox live...he called bungie and gave thenm [sic] the ip and my account name." Bungie Studios is the Microsoft-owned game developer responsible for the popular Halo series.
Another player, pegged as "Y The Red Bar," relayed a more recent tale. "My Xbox Live account was hacked and all credit card info was stolen and used to run up points, etc. Microsoft says, 'Oh, well, better call your credit card companies; nothing we can do,'" Y wrote a month ago.
On Xbox Live, gamers can use a credit card to buy Microsoft Points, in-network currency that can be used to download movies and TV shows, games and interface modifications.
Finisterre went public after being frustrated by Xbox Live's outsourced support and being stymied in his attempts to reach someone at Bungie who would give him a straight answer. As part of his campaign, Finisterre even posted an audio excerpt of a 36-minute-long conversation with Xbox Live support. "It is obvious that they are outsourcing Xbox Live support to ... somewhere with a high population of folks that speak broken English," Finisterre said.
He blamed a group of hackers who go by "Infam0uS" for at least some of the account hijacking. The group's Web site makes no bones about stealing Xbox Live identities; it currently lists seven, stolen for reasons that include "Talked s*** to JustCallMeFRESH" and "Stole from clan."
Microsoft did not respond directly to questions about whether Xbox Live and/or Bungie.net had been hacked -- accounts stolen by virtue of a data breach, in other words -- or whether other tactics were used, such as phishing e-mails or even a form of "pretexting."