Reader Comments (96)

Posted: Jan 13th 2012 12:09PM MatthewBlackwell said

  • 2 hearts
See, your first problem is your analoghype.com account. I got rid of that crap when I stopped using Lycos.

Just kidding! I never stopped using Lycos.

Posted: Jan 13th 2012 12:14PM Player1 said

  • 2 hearts
Maybe for now they should send an email to the account holder if there have been numerous failed login attempts.

Posted: Jan 13th 2012 1:22PM Electrium said

  • 2 hearts
@Player1

Destructoid actually does this. I've only had it happen to me once, but it's really awesome.

Posted: Jan 13th 2012 12:16PM HumanSDKVer6 said

  • 1 heart
How this is Live's fault is beyond me. This is basic password security. If you go to http://howsecureismypassword.net/ and it takes less than 30 minutes to brute force your password then you deserve to get hacked...

Posted: Jan 13th 2012 12:21PM tabicat said

  • 3 hearts
@HumanSDKVer6 That site is stupid. It assumes that verifying a guessed password takes zero time and can be done an infinite number of times. That's only true when someone is trying to hack a password on your PC while using your PC, which almost never happens.

Posted: Jan 13th 2012 1:17PM benheckendorn said

  • 2 hearts
@HumanSDKVer6 has a point.

If you could find someone on Facebook you'd learn 90% of the passwords out there which involve:

1) State (sports teams)
2) Kids names
3) Pet names

What's more likely - people have horrible passwords (and use them for everything) or Live got hacked?

For every tech-savvy reader of this site (like us) there are 50 other people who downloaded Bonzi Buddy and have 50 icons in their system tray.

Posted: Jan 13th 2012 6:12PM Enigma7ic said

  • 2 hearts
@HumanSDKVer6 That site can't be right. It said 778 thousand years for one of my tier 4 (aka weakest) passwords.

Posted: Jan 13th 2012 12:18PM spin cycle said

  • 2 hearts
The real security flaw would be that people are using awful passwords. You still can't get in without a password.

Posted: Jan 13th 2012 12:19PM Ayepecks said

  • 2 hearts
This is absurd for a number of reasons.

First of all, it assumes that the passwords people use are so utterly stupid that they can be brute force hacked in a relatively fast fashion. That's patently stupid, for one. Secondly, most of the phishing or hacking victims have said they had strong passwords. So unless they've been attempting to brute force crack someone's password since the original Xbox came out and they got incredibly lucky, then that's no dice. Third, I'm more than willing to bet that many of the hacking victims didn't have their e-mails searchable on Facebook or social networking sites.

It's not even a good theory. The CAPTCHA thing needs to be fixed, absolutely, but that's not even much of a security flaw in the grand scheme of things. You'd have to have good knowledge of what someone would use as a password (or have someone who has an insanely simple password) to have any value in that issue. I'm sure there's some way people are getting this information (and it's more likely they're not even finding out passwords, but using some sort of social engineering to get into someone's account -- like calling customer service and exploiting a flaw in the human system), but this doesn't seem even remotely likely.

Posted: Jan 13th 2012 12:46PM Raquor said

  • 1 heart
@Ayepecks you're incredibly naive if you think even gamers aren't setting up accounts with bad passwords like "password", "secret123", and a variety of other first try passwords. The fact that they display if the account was valid or not is the security flaw here. Just say the login didn't work and lock that text string after 3 attempts. Changing the message doesn't do much if after 10 attempts they know it's a fake email.

Posted: Jan 13th 2012 12:59PM Ayepecks said

  • 2 hearts
@Raquor I never said there weren't some people who surely do have bad passwords. But many are linked to e-mail addresses, so I would think most people would be smarter about it.

Plus it flies in the face of information from people who were phished or hacked -- many have come out and stated they had strong passwords with letters, numbers, and special characters and are fairly long.

Posted: Jan 13th 2012 1:12PM spin cycle said

  • 2 hearts
@Ayepecks Maybe they cross reference the accounts to previously leaked lists of passwords (like the gawker list)?

I fully expect the hacking is coming in through the front door like this (password guessing of some sort).

Posted: Jan 13th 2012 2:07PM spin cycle said

  • 2 hearts
@Ayepecks People always say they weren't at fault. That doesn't make it true.

Posted: Jan 13th 2012 3:34PM fohf said

  • 2 hearts
@Ayepecks
List of the worst passwords, compiled by the number of people that actually use them:

http://nakedsecurity.sophos.com/2010/12/15/the-top-50-passwords-you-should-never-use/

Posted: Jan 13th 2012 12:23PM CFH GARZA said

  • 1 heart
Everyone should set up a pass code until this is resolved. It's a bit of a hassle to enter a button combo every time you want to play, but at least it's another security step. Guess it doesn't help if they buy the stuff on xbox.com though.

http://support.xbox.com/en-US/billing-and-subscriptions/account-management/xbox-live-pass-codes

Posted: Jan 13th 2012 1:00PM Protege420 said

  • 2 hearts
@CFH GARZA that does nothing for you if they are hijacking through Xbox.com, as that is a security layer on your Xbox that only comes up when you try and log in on that specific console... that would only work if it was your little brother or something trying to use your ID on your console...

Posted: Jan 13th 2012 12:24PM xreadmore said

  • 2 hearts
This is the way almost ALL web verification happens. This does not mean the service is hacked, or that Microsoft is lacking in their security. These "hackers" are nothing more than common thieves with a lot of time on their hands. It's like blaming a door-lock company because someone broke into your home through a window (pun).

I think the best thing to do is remove Credit Card info until MS allows some sort of secondary pass-code (like a security question) which you can set as always on. My bank does it, and since MS is almost like a bank now, maybe they should too.. but don't think that this is unique to Microsoft. They just happen to be the biggest target so the chance of a hit is far greater.

MS is correct that the service is not compromised but they can certainly take steps to make this sort of scheme more difficult... if in fact this is how they are doing it.

Posted: Jan 13th 2012 12:45PM Styli said

  • 2 hearts
@xreadmore

Except that most sites don't give away if an account exists or not. Even Joystiq doesn't do that!

Posted: Jan 13th 2012 1:18PM xreadmore said

  • 2 hearts
@Styli
Most sites do. That's usually how I figure out my own username for sites. And even if Microsoft didn't do it, it's pretty easy to figure out if a Username is real or not.. all you have to do is try and create a new account and keep typing in usernames. 90% of the time it's taken. I mean play online for an hour and write down the usernames of the people you play with!
The username part isn't the issue, it's how they access the password... that's the big question..
Personally I think it's an inside job from a customer service rep. Don't want to blame out-sourced call centers, but you get what you pay for (cheap labor).
Heck it could be one of the Xbox Ambassadors, they don't even get paid! Would be a great scheme to just ask for a Username and Password from each person that they help.

Posted: Jan 13th 2012 1:54PM Vidikron said

  • 2 hearts
@xreadmore

I don't know what sites you frequent, but most of the ones I frequent do not do that. For example, Engadget (and I assume every site that uses the Disqus comment system) says "incorrect password" every time, even if it's actually a bad account name. The Anandtech forums say "invalid username or password". In my experience the Anandtech error is the most common. You should never give away any information during a failed login.
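The login behaviour argued for in the comments above (Raquor's "just say the login didn't work and lock that text string after 3 attempts", Vidikron's "never give away any information during a failed login", and Player1's suggestion of an email after numerous failed attempts), as an added Python example. It is not code from the original page, from Joystiq, or from any of the services the commenters mention; the thresholds, the example.com addresses, the PBKDF2 iteration count and the in-memory notification list are constructed assumptions for illustration.

```python
"""Login handler that gives the same answer for an unknown account and a
wrong password, counts failures per submitted identifier so a made-up
address behaves exactly like a real one, and records a notification after
repeated failures.  Added example; thresholds and addresses are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3   # constructed policy: demand a CAPTCHA from the 3rd failure on
NOTIFY_AFTER = 5    # constructed policy: tell the account holder after 5 failures
GENERIC_ERROR = "The email address or password you entered is incorrect."


def hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) so each guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class LoginService:
    accounts: dict = field(default_factory=dict)       # email -> (salt, hash)
    failures: dict = field(default_factory=dict)       # submitted email -> count
    notifications: list = field(default_factory=list)  # messages a mailer would send
    # Salt used for unknown identifiers so they cost the same hashing work.
    dummy_salt: bytes = field(default_factory=lambda: os.urandom(16))

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = (salt, hash_password(password, salt))

    def login(self, email: str, password: str, captcha_ok: bool = False) -> dict:
        tries = self.failures.get(email, 0)
        # The counter is keyed on the string the client typed, not on whether an
        # account exists, so a made-up address hits the CAPTCHA wall at the same
        # attempt as a real one.
        if tries >= CAPTCHA_AFTER and not captcha_ok:
            return {"ok": False, "error": GENERIC_ERROR, "captcha_required": True}

        entry = self.accounts.get(email)
        salt, stored = entry if entry is not None else (self.dummy_salt, None)
        candidate = hash_password(password, salt)   # hash even for unknown users
        valid = stored is not None and hmac.compare_digest(candidate, stored)

        if valid:
            self.failures.pop(email, None)
            return {"ok": True, "error": None, "captcha_required": False}

        tries += 1
        self.failures[email] = tries
        if tries == NOTIFY_AFTER and entry is not None:
            # Only real accounts have somebody to notify; the client never sees this.
            self.notifications.append(f"{email}: {tries} failed sign-in attempts")
        return {"ok": False, "error": GENERIC_ERROR,
                "captcha_required": tries >= CAPTCHA_AFTER}


def probe(service: LoginService, email: str, attempts: int,
          captcha_ok: bool = False) -> list:
    """Submit a wrong password `attempts` times and collect the responses,
    so the answers for a real and a non-existent address can be compared."""
    return [service.login(email, "not-the-password", captcha_ok)
            for _ in range(attempts)]


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice@example.com", "correct horse battery staple")  # constructed
    real = probe(svc, "alice@example.com", 5, captcha_ok=True)
    fake = probe(svc, "nobody@example.com", 5, captcha_ok=True)
    print("responses identical for real and unknown address:", real == fake)
    print("notifications queued:", svc.notifications)
```

The check worth keeping from this is `probe`: run the same wrong-password sequence against a registered and an unregistered address and confirm the response objects are identical attempt by attempt, including when the CAPTCHA demand first appears. Keying the counter on the submitted string has a known cost: anyone can force the CAPTCHA onto a victim's address, which is an annoyance rather than a takeover. A real deployment would persist the counters, throttle by source address as well, and hand the notification list to a mailer.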

Posted: Jan 13th 2012 4:20PM sonicspike41 said

  • 2.5 hearts
@xreadmore

Even an ambassador was hacked and taken for a ride. Xbox support frequently lied to and/or misled her too. It wasn't until she raised a big stink that anything was even done about it either. Kind of shows Microsoft is trying to downplay the situation a bit. They escalated and resolved her case ASAP once it started getting significant internet attention, even though they have taken 3-4+ months for some people.

Many sites will say if an email address or username is already in use during registration, but will not inform you during login. The important thing here too though is that Live has a captcha code that is extremely easy to bypass, and at that the code only comes up after 8 failed attempts. Most sites would require a captcha after only 3 failed attempts. Some sites will also send an email requesting verification of a password change or reset.

Regardless of whether or not this is how the accounts are actually being compromised, it's still a flaw in Microsoft's security, and one they hopefully take seriously. They're being way too lax with their login system, especially since they do everything possible to keep your billing info for as long as possible.

Posted: Jan 13th 2012 8:14PM mahouneko said

  • 2 hearts
@sonicspike41
Not just the Ambassador lady, former Joystiq editor Xav de Matos had his account hacked as well and he wrote up an article about it at ShackNews.

Posted: Jan 13th 2012 12:32PM FredMC said

  • 2 hearts
hacknotifier.com, an easy way to check your email to see if it shows up in known databases

Posted: Jan 13th 2012 12:50PM superfrick said

  • 2 hearts
@FredMC Yea.. and what's to say that putting my e-mail address into it doesn't hand over my e-mail address to those databases? :)

I quite simply don't have the same e-mail/username on social sites as I do on anything that I spend money on. I am not the same "Superfrick" that you'd find on Xbox, PSN, whatever.

Posted: Jan 13th 2012 12:42PM The Pork said

  • 2 hearts
I've never heard of the Anal Og Hype domain before.

Posted: Jan 13th 2012 12:44PM baby sea tuna said

  • 2 hearts
@The Pork

I bet Snoop has.

Posted: Jan 13th 2012 12:57PM warhammermarine said

  • 2 hearts
I just tested this on my account. When you hit "Sign in with different account" and use the same previous email, you have to enter a CAPTCHA code regardless.

Looks like Microsoft closed the loop to me.

Posted: Jan 13th 2012 1:08PM Grimbear13 said

  • 2 hearts
@warhammermarine
You probably do it 1x with another valid account and then reset to the original.

Posted: Jan 13th 2012 1:00PM benheckendorn said

  • 2 hearts
If you could find someone on Facebook, you'd easily learn:

1) What state they are in - for sports related passwords (like "packers" which is probably 90% of Wisconsin passwords)

2) Pet names - another huge chunk of passwords.

3) Their kids names - the last remaining chunk.

If the hacker is more clever at deducing passwords than the user is at picking them (likely), then that could be your answer right there.

Posted: Jan 13th 2012 1:25PM baby sea tuna said

  • 2 hearts
@benheckendorn

All very true. No hacker ever went broke underestimating the average American's stupidity.

Posted: Jan 13th 2012 1:00PM cliftonJONES said

  • 2 hearts
What he said.

Posted: Jan 13th 2012 1:07PM Eyghon8 said

  • 2 hearts
If you have Call of Duty Elite, paid or free from the LE, you have to have a CC on file with MS or Elite will suspend your account until a CC is on file. I don't understand why, but that's how it is.

Posted: Jan 13th 2012 1:10PM Roto13 said

  • 2 hearts
I can't believe there are still apologists for this crap. The same people who believed Microsoft early in the 360's life when they blamed the RROD on people not keeping their consoles in well-ventilated areas.

Posted: Jan 13th 2012 1:51PM Raffi256 said

  • 2 hearts
I don't think trying to guess people's weak passwords constitutes "hacking".

Posted: Jan 13th 2012 2:05PM Kougeru said

  • 2 hearts
They're full of crap. It's definitely their own security flaws. Blizzard pulls this same crap. I stopped playing WoW and using the hotmail address tied to it in 2006...and that was the ONLY thing I used that password on. The security question was completely fake "Who is your favorite teacher?" or whatever...and I put in some Latin phrase. In 2009 the WoW account was hacked...in 2010, the hotmail account. They both of course blamed me even though I didn't touch the accounts for years. It's a simple brute force attack I think...years of guessing passwords probably in my cases. Still a security flaw on their end

Posted: Jan 13th 2012 2:15PM SokakuTakeda said

  • 1 heart
Dumb users... you can only try to make them care about their stuff, but they won't and they'll blame someone else when their shit gets stolen.

Posted: Jan 13th 2012 3:01PM Roto13 said

  • 2 hearts
@SokakuTakeda So what exactly do you make of the fact that this is happening with Xbox Live users more than anyone else? Are people who own Xboxes just naturally more stupid than people who own PS3s, where this doesn't happen often enough to be a widespread issue like it is here?

It's amazing that there are still people blaming the victim after all this time.

Posted: Jan 13th 2012 2:16PM gravemistake said

  • 2 hearts
Um yeah, you do realize that it would take a hacker close to forever entering in passwords over and over again to see if they work. With all the different password combos, and without the aid of a program to try to get in, they would manually be entering in different passwords over and over again until they got one that worked. That would also send red flags to MS if a hacker spent an entire day trying to get into an account, and they would know that is how the hackers are gaining access to the accounts.

I seriously doubt this is how the hackers are getting access to the accounts.

Question is: did the accounts that were hacked have security questions associated with them and not a trusted pc? If so then add a trusted pc which will remove the security question option since a security question is a lot easier to figure out for a hacker to reset your password than the other options.

Go to xbox.com and sign in. Click on My Account, click on Change Password, and then find the Security info in the Account security section and click on Manage.

Add your computer name as a trusted pc and an alternate email address or your cell phone so that when a hacker tries to get into your account they won't see the security question they will only have customer support, use your trusted pc or email a link as options. Much more secure than a security question.

Note if you don't have a trusted pc as an option the security question will show up. Once you add a trusted pc, the security question will not be there for a hacker to gain control of your account.

But that's not to say this is how the hackers are getting in... if they have your password they got it from somewhere... the odds of them guessing it are fairly slim.

Posted: Jan 13th 2012 3:01PM devwild said

  • 2 hearts
Being able to determine a valid username (which for Live and many other systems is just an e-mail address) is not a serious security issue. Your username is exposed through any number of other insecure methods, including e-mails to your account. Pretending an account is valid when it's not, or vice versa, is "security by obscurity" in its weakest form, and completely meaningless in the security world. Your actual authentication methods are where the work should be focused.

....

"AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. "

You can stop right here, because this list is going to be 80% correct. It's not hard to guess account/email combos because people are consistent. You don't need the verification for this to be used for brute force attacks or phishing schemes. Changing that feature does not significantly change your exposure.

Posted: Jan 13th 2012 3:14PM vespir78 said

  • 2 hearts
I recently got hacked (day before yesterday) and all I can say is I NEVER gave out any info. I've been on the Gold Membership since 2005 and never had any issues until now. I just hope I get refunded from Microsoft, because it seems like a lot of people are having to jump through some hoops.

Posted: Jan 13th 2012 3:28PM ZenGaijin said

  • 2 hearts
@Kibbles XIII I was able to do it from the dashboard. Under Settings, then Account. Then go to Manage Payment Options and remove the payment option.

I was able to get rid of my card that way.

Posted: Jan 13th 2012 5:10PM lazerbyte said

  • 2 hearts
See when the PSN got hacked Sony ADMITTED it and took measures to prevent it!

When it happens to Live MS DENIES it and says don't worry about it. In the meantime you have unauthorized charges on your credit card!

Why do people say that Live is a much better experience?

If you cannot access your account from the console that is a flaw right there. You have to access from the web and I don't fully understand the purpose of that? How difficult is it to allow access from the console?

MS needs to make some changes and really REALLY improve their customer service and STOP STOP STOP outsourcing to India as they are not doing a good job as they create more confusion and problems!!

Maybe it will require another class action lawsuit to get their attention!!

Posted: Jan 13th 2012 5:11PM Scuba Steve said

  • 2 hearts
"Microsoft told us recently that the Windows Live ID has not been compromised and the FIFA hack, along with other similar incidents, are cases of social engineering or phishing."

Microsoft also said their post-50% RROD failures were "within industry standard failure rates".
They have lied to me before & if it wasn't for the awesomeness that is Gears of War I probably wouldn't put up with their lies... Damn you Gears of War for being so awesome!!!

Posted: Jan 13th 2012 5:11PM yab said

  • 2 hearts
Well I got hit unfortunately. Just called them up to report it. Now I gotta wait for the investigation to conclude with a hopefully happy ending.

Posted: Jan 13th 2012 5:23PM SThompson said

  • 2 hearts
This article made me think of a strange issue Amazon had. I have one variation of my password for Amazon, and another longer one for something else. I accidentally entered in the longer password, and Amazon let me in.

Posted: Jan 14th 2012 12:22AM AFATALERR0R said

  • 2 hearts
So...as I've been saying since the beginning. This is a phishing job, not a hack. PS fanboys are begging for it to be a hack, Xbox fans are usually uninformed and get scared.
