Reports of account theft on Xbox Live have appeared on Microsoft's member forums since at least December. Microsoft recently stated that it had "found no evidence" of a data breach, and that any thefts that had occurred could be blamed on users knowingly or unknowingly giving out personal information. Now the company has admitted that the service's support staff is at fault, having fallen victim to "pretexting" calls by identity thieves. Larry Hryb, director of programming at Xbox Live, wrote about the issue on his blog. The response to the blog entry was a mixture of appreciative and pessimistic comments. Some users suggested that Microsoft should allow users to remove credit card information from their accounts.
"A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering', also known as 'pretexting,' through our support center. Once I realized what he was talking about (he sent me some painful-to-listen-to audio files) I confirmed that the team is fully aware of this issue. They are examining the policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack. There's no other way to say it; this situation shouldn't have happened. Our customers deserve better," wrote Hryb.