Xbox Live Accounts of Microsoft Employees Hacked Using Social Engineering
Xbox Live accounts of Microsoft employees were breached via “several stringed social engineering techniques,” the company said.
Although the breach didn’t relate to a vulnerability in Microsoft’s systems, the company is investigating the incident by working with law enforcement and the companies used in the social engineering scheme. By obtaining the social security numbers of the targeted employees, hackers were able to social engineer other companies that require SSNs for security validation.
Security researcher Brian Krebs, who detailed the social engineering method days earlier, was then targeted by cyber-criminals: SWAT teams assaulted him at his house following an anonymous 911 break-in report.
“We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees,” reads a Microsoft statement. “We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use. Security is of critical importance to us and we are working every day to bring new forms of protection to our members.”
Krebs, who pointed to several websites that use credit card reports and drivers’ licenses, might have been targeted by the same cyber-criminals who used the data to compromise the Xbox Live accounts.
Stating that it does not use SSNs for security checks, Microsoft said that hackers exploited several security loopholes in third-party companies to target high-profile Microsoft officials and break into their Xbox Live accounts.
“Microsoft does not collect or use Social Security numbers in its services, including Xbox LIVE Gamertags or Microsoft accounts,” according to Microsoft. “Attackers are targeting high-profile Microsoft employees by social engineering other companies that do use this data to intercept security proofs from Microsoft to compromise the accounts.”
As a precaution, Microsoft is directing users to its “Account Security” webpage, with tips on how to prevent account hacks.