So there's been some kind of security problem with Xbox Live accounts for a while now. Microsoft denies there's been any compromise of its own data, yet still, for months now users have complained of having their accounts hijacked by people making unauthorised transactions.
A theory emerged last week that the cause of the issue was Microsoft's Xbox.com website, whose login structure was allowing people to run "password-generating scripts" in order to get hold of a user's account information.
In response to this, Microsoft has issued a new statement, which while admitting that Xbox.com is indeed the cause of the problem, says it's no fault of Microsoft's.
"This is not a loophole in Xbox.com," Microsoft told Eurogamer. "The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."
Which is interesting, since the man who first put forward the Xbox.com theory, IT consultant Jason Coutee, claims that Microsoft very quietly went in over the weekend and changed the website.
"Before, it would just let you try over and over," Coutee says. "But now it seems that, even though I'm still able to use the link to get past the CAPTCHA, they handle the sign-in request on the server in a way that it will stop replying after about 20 attempts.
To me, this seems like they tightened security but didn't make any noticeable changes on the front-end so they could discredit me."
Whether this is indeed the case, I have no idea. I'm no IT expert. But I do know Microsoft still has a bit to answer for here.
To be clear, the problem is not that Microsoft's security has somehow been breached. In this regard, it is entirely unlike Sony's PSN attacks of 2011, in which user data was literally broken into and stolen from Sony servers. Nor is the breach itself entirely Microsoft's fault. As the company states, it's a common approach used by unscrupulous internet types, and relies on the user having a common, duplicate or relatively simple password. This is one reason why only some accounts have been compromised, and not all of them.
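To illustrate the kind of server-side throttling Coutee describes, here is an added example of a per-account login counter that refuses further sign-in attempts after 20 failures. This is illustrative code written for this article, not Microsoft's own logic; the 20-attempt cap matches what Coutee reports observing, while the 15-minute lockout window, the account and password names, and the PBKDF2 storage are assumptions.

```python
import hashlib, hmac, os, time
from collections import defaultdict

# Example code added here, not Microsoft's own logic. The 20-attempt cap is the
# behaviour Coutee reports observing; the 15-minute lockout window is an assumption.
MAX_FAILURES = 20
LOCKOUT_SECONDS = 900
DUMMY = (b"\0" * 16, b"\0" * 32)   # used so unknown accounts cost the same time to check

def register(users, account, password):
    """Store a salted PBKDF2 hash; the server keeps no plaintext passwords."""
    salt = os.urandom(16)
    users[account] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def verify(users, account, password):
    """Constant-time comparison against the stored hash; unknown accounts just fail."""
    salt, digest = users.get(account, DUMMY)   # hash even for unknown accounts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return account in users and hmac.compare_digest(candidate, digest)

class LoginThrottle:
    """Per-account failure counter: after MAX_FAILURES bad guesses the account is
    refused for LOCKOUT_SECONDS before the password is even checked."""
    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock                 # injectable so lockout expiry can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, password):
        """Returns 'locked', 'ok' or 'bad'."""
        until = self.locked_until.get(account)
        if until is not None:
            if self.clock() < until:
                return "locked"
            del self.locked_until[account]  # lockout expired: start counting afresh
            self.failures[account] = 0
        if verify(self.users, account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
        return "bad"

def run_guessing_session(throttle, account, guesses):
    """Feed candidate passwords to the throttle and return the outcome of each."""
    return [throttle.attempt(account, g) for g in guesses]
```

Note that the lockout applies before the password is compared, so once the cap is hit even the correct password is refused until the window expires; that is what makes a per-account cap effective against guessing that bypasses the CAPTCHA.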
That's the "good" news for Microsoft. The bad news is that it's handling the whole affair terribly.
Let's say you're one of the unlucky ones whose account is hijacked. Once the breach is detected, it's standard Microsoft practice to lock down your account. But accounts are being locked down for months at a time, sometimes a minimum of 2-3, and while many users are saying they've got a full refund (sometimes more!), others complain that they've only received as compensation a single month's free Xbox Live. In effect, they've lost 1-2 months (minimum!) of a paid service for something they had no part in.
UPDATE - While we've received emails from users claiming to have received only a single month's refund, the old-fashioned standard for Xbox Live downtime, others are saying they've received the full amount, sometimes even slightly more! Which is swell. Story updated to reflect this.
There have also been problems with accounts being locked down. While many users have seen their accounts shut down within 24 hours of the break-in being reported, others - both in emails to Kotaku and in more public forums - complain that it has taken much longer.
And what of users who have not been affected? As soon as Microsoft knew this was happening, and on such a scale as to warrant this continued public prodding (and our almost daily emails from affected readers), it should have acted. It should have publicly investigated the cause and told everyone about it, instead of just denying it was a hack on Xbox Live itself and sending notices to the enthusiast gaming press. It should have sent out bulletins to users, maybe even taken advantage of the Xbox 360 dashboard to say, hey, maybe now is a good time to change your password, make sure it's a tough one.
Instead, it has crept along issuing constant denials and "not a problem" statements while more and more people lose their accounts, for months at a time, over something that could have been easily prevented.
The whole affair brings back painful memories of the RROD problem plaguing early model Xbox 360 consoles, which Microsoft continually denied and ignored for years until it was finally forced, very publicly, to act.
Microsoft's internal security may not have been compromised in these "attacks", as the company has been so keen to point out. It's just a shame its communication with users hasn't been to the same standard.