"High-profile" XBL accounts of MS employees targeted by hackers
Social security number loophole linked to third-party apps, says Microsoft
A number of "high-profile" Xbox LIVE accounts owned by current and previous Microsoft employees have been targeted by hacks reportedly linked to the gathering of US social security numbers.
Microsoft has acknowledged the problem and is working with law enforcement agencies to trace the attacks and close the existing loopholes, which it says are linked to third-party applications. Microsoft issued a statement on the attacks to The Verge, which originally covered the story.
"We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees," the statement reads. "We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use. Security is of critical importance to us and we are working every day to bring new forms of protection to our members."
The attacks are thought to stem from a third-party agency which collects social security numbers as part of a user profile, which has been compromised. The attackers then follow a chain of connections to the XBL accounts, unravelling various security measures and passwords on the way.
"Microsoft does not collect or use Social Security numbers in its services, including Xbox LIVE Gamertags or Microsoft accounts. Attackers are targeting high-profile Microsoft employees by social engineering other companies that do use this data to intercept security proofs from Microsoft to compromise the accounts."
There is considerable evidence that the attacks could be part of a larger story centred around an ongoing persecution of security blogger Brian Krebs, reports The Verge.
Krebs had recently been covering the spate of attacks on Microsoft employees. After he published details of the methods he believed were used in the attack, Krebs suffered a DDoS attack on his website and, far more worryingly, had a SWAT team raid his house after a hoax police call reported that invaders had entered his home and shot his wife.
Krebs believes that these events, and the attacks on Microsoft employees, are potentially being perpetrated by the same attackers and could be linked to a piece he wrote exposing a website which was selling the social security details of US citizens, including many celebrities. After covering his work on the issue, both Ars Technica and Wired were also subjected to DDoS attacks.