Microsoft Pins Xbox Live Hack on Pretexting
By Frederick Lane
March 26, 2007 9:15AM

The turning point in the saga of the Xbox Live hack came when security researcher Kevin Finisterre recorded a phone call to Xbox Live customer support in which he used social-engineering techniques to take over another gamer's tag. Finisterre provided a copy of the recording to Larry Hryb, Microsoft's Xbox Live Director of Programming, who described it as "painful-to-listen-to."
 


Microsoft, which steadfastly rejected reports that there was a security problem with its popular Xbox Live gaming system, now concedes that some account information might have been illicitly obtained through a social-engineering technique known as "pretexting."

Larry Hryb, Microsoft's Xbox Live Director of Programming (perhaps better known by his gamer tag, "Major Nelson"), wrote in his personal blog Friday that "[as] originally posted, Xbox Live has not been hacked. That is still true."

However, Hryb conceded, "[a] security researcher, Kevin Finisterre [of DigitalMunition.com], discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering,' also known as 'pretexting,' through our support center."

"There's no other way to say it," Hryb said. "This situation shouldn't have happened. Our customers deserve better."

Audio Tapes Persuasive

The turning point in this story came when Finisterre recorded a phone call to Xbox Live customer support in which he used social-engineering techniques to take over another gamer's tag (with that gamer's permission). He posted the recording to his "StolenUpdate" site and provided a copy of the recording to Hryb, who described it as "painful-to-listen-to."

Following the disclosure by Finisterre, Hryb said that the Xbox Live team reexamined its customer-support policies and training. The team was joined by Stephen Toulouse, a senior product manager in Microsoft's Security Technology Unit, who wrote in his blog that he spent Friday working on the issue at Microsoft's Millennium campus.

"I hated the reason I had to be in [the Xbox Live] offices," Toulouse wrote, "but getting to work over there was an experience I wouldn't trade for any amount of money."

Toulouse thanked Finisterre for investigating the issue and providing so much information to Microsoft, and emphasized once again that the problems were behavioral and not software-related.

"The point is that this wasn't a technology problem," Toulouse wrote. "Few people were impacted, and we'll make sure that customers aren't on the hook financially for any activity in the Xbox marketplace if someone got their account."

Microsoft Revamps Training

"[The Xbox Live team has] already begun retraining the support staff and partners," Hryb said, "to help make sure we reduce this type of social engineering attack."

Microsoft has also posted a page to Xbox.com entitled "Troubleshooting Access to Your Xbox Live Account" to assist gamers who think that their account might have been compromised.

In an e-mail interview, Finisterre said that better training is the key to preventing social-engineering attacks. "It really boils down to making sure they really can validate whom they are talking to," he said.

Finisterre expressed some disappointment that Microsoft had not responded more quickly to gamer complaints, but praised the company's aggressive investigation over the past week.

"In all honesty," he wrote, "I expected more in the beginning and I think I have adequately voiced that on numerous occasions and via the content on my site. I must say, however, that Steven Toulouse and Larry Hryb have both really stepped up to the plate to make sure while moving forward that things get handled how they should have in the first place."
 

© Copyright 2000-2010 NewsFactor Network. All rights reserved.