A number of “high profile” Xbox Live accounts belonging to Microsoft employees were hacked, according to a statement from Microsoft, which says the attackers used a number of social-engineering tactics to get access.
The statement from Microsoft reads:
We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox Live accounts held by current and former Microsoft employees. We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use. Security is of critical importance to us and we are working every day to bring new forms of protection to our members.
This is more than a surface-level social engineering attack on Microsoft, however. Brian Krebs, a security reporter who was recently “swatted,” or pranked when someone reported a fake incident that had police at Krebs’ door, found the pranksters were actually a group of hackers. The group of four, according to Krebs, was seeking revenge after he reported on a website called ssndob.ru where people were selling Social Security numbers. This is reportedly one of the tactics used to gain access to the Xbox Live accounts.
As it turns out, Krebs also connected one of the hackers from this group called TeamHype to the hacker who took down Mat Honan’s digital life in 2012. This hacker, called Phobia, may have also been behind the “swatting” prank.
Microsoft responded, saying that it does not use Social Security numbers in its Xbox Live accounts, but that the hackers were effectively “daisy-chaining” by social engineering one of Microsoft’s partners (see: “affiliated companies” in the statement above) and gaining enough information to bypass Microsoft’s “security proofs,” or the information it collects to make sure you are who you say you are.