Xbox Live account takeovers put users at risk

Celebrity gamer wants his virtual armor back


Hackers have hijacked the Xbox Live account of a celebrity gamer and made off with a prized piece of virtual armor in a brazen act that suggests the online Microsoft service still puts the security of its users at risk.

Colin Fogle gained widespread acclaim in gaming circles after posting a video showing how it was possible for a Halo 3 player to shoot and kill himself with his own sniper rifle. Bungie Studios, maker of the wildly popular first-person shooter title, was so impressed it awarded him a special piece of in-game Recon armor and publicly acknowledged the feat.

Since then, the 18-year-old says his Xbox Live account has been hijacked three times. The most recent takeover came on December 29, when he was suddenly logged out of his Xbox Live account. When he tried to log back in, he got error messages saying his password didn't match his user name. And because accounts contain credit card numbers, home addresses and credentials used to log in to Hotmail and MSN Messenger accounts, the breach goes beyond a mere affront to a gamer's pride.

"With this kind of information, they can steal much bigger things than my virtual armor," Fogle says. "If somebody doesn't like you, anyone can do this. The thing that upsets me the most is that, as we looked into this more and more, we saw how easy it is."

Indeed, web searches like this one suggest it's not unusual for Xbox Live subscribers to report their accounts have been taken over.

Kevin Finisterre, a security researcher and Xbox Live enthusiast, has also investigated the topic when someone broke into his girlfriend's account last March after the pair accused some gaming rivals of cheating during a spirited session of Halo 2.

"At the end of the match, we voiced our opinion and a kid says, 'Shut up or I'll steal your Xbox Live account," Finisterre says. "About eight hours later, I wasn't able to log into my girlfriend's account."

Both Fogle and Finisterre say the thieves then took to online forums to brag of the exploits. In both cases, the thieves claimed they were able to access the accounts by coaxing information out from Xbox Live support employees.

The hackers frequently will call the toll-free number and pretend to be the owner of the account they want to take over. They will provide the Xbox Live ID and then ask for the physical address that's associated with the account. Later, they'll call back and ask for the phone number. Eventually, the hackers assemble enough information to convince a support person they are the rightful owners of the account.

Finisterre was able to piece together details of a friend's account when he (and the friend, who silently listened) used the technique last year. Managers from Xbox Live implemented changes designed to stop the abuse, Finisterre says, but even then, he continued to receive emails from frustrated game players who said their Xbox accounts had been broken into.

Microsoft representatives didn't respond to a request for comment. Fogle says he recently received a password reset form from Xbox support, but he has yet to complete it pending an investigation into the hack.

Meanwhile, the thief sporting Fogle's armor continues to cavort in forums and taunt its rightful owner.

Says Fogle: "Microsoft over time has shown they won't do anything unless it's a huge PR issue for them. We're paying dearly for this [service], and there's a huge security hole where we can lose our identity." ®


Other stories you might like

  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading
  • To multicloud, or not: Former PayPal head engineer weighs in
    Not everyone needs it, but those who do need to consider 3 things, says Asim Razzaq

    The push is on to get every enterprise thinking they're missing out on the next big thing if they don't adopt a multicloud strategy.

    That shove in the multicloud direction appears to be working. More than 75 percent of businesses are now using multiple cloud providers, according to Gartner. That includes some big companies, like Boeing, which recently chose to spread its bets across AWS, Google Cloud and Azure as it continues to eliminate old legacy systems. 

    There are plenty of reasons to choose to go with multiple cloud providers, but Asim Razzaq, CEO and founder at cloud cost management company Yotascale, told The Register that choosing whether or not to invest in a multicloud architecture all comes down to three things: How many different compute needs a business has, budget, and the need for redundancy. 

    Continue reading

Biting the hand that feeds IT © 1998–2022