So, a few of you might have noticed there’s been a rather disproportionate number of X-Box Live account hacking going around. Maybe it’s happened to you, maybe someone you know, maybe some dude named XxBlaze420 posted on a message board you frequent and was like, totally pissed off about it, giving you the chance to revel in some schadenfreude for the day. Maybe this is the first you’re hearing about it, but regardless: this is a real thing. It is happening.
I’m no alarmist. This isn’t on the level of, say, the PSN leak, but it is something Microsoft seems pretty bound and determined to ignore, which is even more troubling. Sure, you’ll always have the social engineering dumbasses who click every link in an email they get or input information into “FREE MICROSOFT POINTS” websites, but this has already happened to a couple of people I know: friend of Gear Fish and fellow indie divers Armless Octopus’ Daniel Conner (aka Dcon) and Apathy Works‘ (Cute Things Dying Violently) Alex Jordan, neither of whom is so incurably dense that they would fall for tricks of that nature.
I hear about account hacks all the time, something I usually dismiss because in general “People Are Stupid” has been a relatively solid mantra for me to rationalize such occurrences. So when it happens to people I have reason to believe aren’t stupid, it gives me pause.
I did a bit of digging on the subject, but hadn’t found anything too substantial until yesterday, when Analog Hype posted an excellent article on the vulnerability. Now, I can’t say with 100% certainty that this is why and how those accounts were hacked, but considering that neither of them is hard to google or contact, it’s probably a pretty safe bet.
Why is your account vulnerable?
In short: xbox.com
If the email for your Windows Live ID is easy to find, it turns out it’s pretty easy to hack.
When you log in through the website, Windows Live ID gives you eight chances at an incorrect password before it asks for a CAPTCHA code. At that point all the hacker needs to do is click “Try with another Live ID”: the counter resets and they’re good to go for another eight chances. Now, that might sound like enough of a barrier to make this too annoying to be worth the trouble, but automating the process is easy stuff. It’s just simple brute force.
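To make the point concrete, here is an added illustration (my own sketch, not Microsoft’s code and not from the Analog Hype article) of why an attempt counter tied to the session is worthless and what a counter tied to the account looks like instead. The eight-attempt limit comes from the post; the account address, the time window and the class names are assumed.

```python
from collections import defaultdict, deque

# Constructed example, not Microsoft's code. The post says the Live ID login page
# allowed eight wrong passwords per session before demanding a CAPTCHA, and that
# starting over cleared the count. Weak per-session counter beside a per-account one.
FREE_ATTEMPTS = 8
ACCOUNT = "victim@example.invalid"   # constructed sample account

class SessionThrottle:
    """Weak: the count belongs to whatever session the client presents, and the
    client can simply present a fresh one ("Try with another Live ID")."""

    def __init__(self):
        self.failures = defaultdict(int)          # session_id -> failed attempts

    def attempt(self, session_id, account, ok, now=0):
        if self.failures[session_id] >= FREE_ATTEMPTS:
            return "captcha"
        if not ok:
            self.failures[session_id] += 1
        return "ok" if ok else "denied"

class AccountThrottle:
    """Hardened: failures are keyed to the account being guessed at, kept server-side
    for a time window (assumed 15 minutes), and nothing the client sends clears them."""

    def __init__(self, window_s=900):
        self.window_s = window_s
        self.failures = defaultdict(deque)        # account -> failure timestamps

    def attempt(self, session_id, account, ok, now=0):
        q = self.failures[account]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= FREE_ATTEMPTS:
            return "captcha"                      # CAPTCHA regardless of session
        if not ok:
            q.append(now)
        return "ok" if ok else "denied"

def guesses_evaluated(throttle, total=40):
    """Replay the pattern the post describes against a throttle: wrong guesses at one
    account, switching to a fresh session every eight. Returns how many guesses the
    server actually checked instead of answering with a CAPTCHA."""
    checked = 0
    for i in range(total):
        session = f"session-{i // FREE_ATTEMPTS}"  # new session every 8 guesses
        if throttle.attempt(session, ACCOUNT, ok=False, now=i) == "denied":
            checked += 1
    return checked
```

With the per-session counter every one of the 40 guesses gets checked; with the per-account counter only the first eight do, and the client’s “fresh session” changes nothing.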
Why should you care?
Chances are, most of you don’t use a bazillion different bullshit emails for everything like I do because you are sane people. Chances are you also don’t use different, immensely complicated passwords for everything either because you are lazy and remembering different passwords sucks. Getting your account hacked could mean they’ll spend a bunch of your money on stuff, which means dealing with the hassle of putting a stop to credit card authorizations, among other layers of things you will need to unfuck with your account.
However, it’s potentially a lot worse than just having some asshole buy a bunch of Microsoft Points if you use the same email and password for anything else that’s vital in your life, never mind nonsense like social networking: bank accounts, PayPal, email…if you use anything similar, you could be in some deep shit.
What should you do?
1. Make sure your password is complicated and arcane. Use special characters, write a complete sentence, etc.
2. If possible, make sure the email associated with your Windows Live ID isn’t all over the internet. Use Privacy Settings on Facebook, Google+, Twitter, etc.
3. Take your credit card off your account. Until Microsoft takes better steps for account protection, point cards are a safe (if inconvenient) alternative.
4. Call or write Microsoft – this one’s optional as it doesn’t directly help you, but the more people speak up, the harder it gets for them to ignore an obvious and simple vulnerability.
Finally, just spread the word – this is where those social networks DO come into play: repost this (or the Analog Hype article) and make sure people take steps to protect themselves. X-Box Live might be host to an antisocial lot of hooting dickholes, but no one deserves to have their life screwed with like this. Yes, even the XxBlaze420s of the world, because chances are they’re using their mother’s credit card anyway and she’s a pretty nice lady.