While many of us were safely gaming away this holiday weekend in the US, that was possible only because Microsoft quietly patched a bug, preventing further Xbox Live members’ email addresses from being hacked.
Last week, Motherboard received anonymous information about hackers being able to capture the email address associated with any Xbox Gamertag. Motherboard independently verified the claims by giving the hackers test Gamertags.
Fortunately, it seems the anonymous hackers were less nefarious in their intentions, because they also pointed Motherboard in the direction of the root cause. The hackers claimed that a bug in the Xbox Live enforcement portal is how they gained access to email information from Xbox’s online gamer profiles.
In addition to pointing out the bug, the anonymous hackers also asked that Motherboard report on the issue only after Microsoft had a chance to patch it. The decision to quietly give Microsoft time to address the bug was due in large part to a similar bug being used to dox Instagram celebrities back in 2017, a result the anonymous hackers sought to prevent this time around.
Even after the company was made aware of the vulnerability, Microsoft’s Security Response Center waved off immediate concern, responding that emails “may be considered sensitive information, however since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service.”
Perhaps the MSRC’s tone-deaf response to an obvious user threat reached the doorsteps of the higher-ups, because 24 hours later Microsoft issued a release regarding an update that was sent out to patch the bug.