Yesterday afternoon a website started offering free Microsoft Points. I’m sure if you type “free Microsoft Points” into Google you’ll still get pages upon pages of sites promising free points if you just fill out four surveys and hand over your social security number. This time, the site really was giving away free Microsoft Points. Hackers had worked out a way to derive new, unredeemed codes from existing, already-used ones. A person just had to sit back, refresh over and over, and rack up 160 MSP codes. Not every code worked, but the majority did. The site started returning 404s under the heavy traffic.
If you had closer ties to the pirating community, you could find a program to get the codes for you. With it, you had a choice between a 160 MSP code, a Halo: Reach Banshee avatar prop, or a 48-hour Xbox Live trial. This method asked a little more of the user, but it was still simple enough for a 12-year-old to figure out. A Megaupload link to the .exe could be found on Xbox pirating sites like xbox360iso.com.
Microsoft found out about the exploit and shut it down immediately, but in the meantime pirates had enough time to take an estimated $1.2 million worth of Microsoft Points (according to Beantown Gamer’s source). One pirate said they got $150 worth of points in a matter of 20 minutes. Microsoft has yet to say what it plans to do about it, but it doesn’t seem there is much it can do other than bite the bullet on this one.
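The security lesson behind the story is that a code which can be derived from another code is not a secret. The block below is an added illustration, not code from this post or from Microsoft: the real Microsoft Points code format and the algorithm the hackers used are not public, so the “weak” generator here is a hypothetical stand-in (a counter plus a fixed offset, written in base 36) that simply shows why derivable codes fail. Beside it is the hardened pattern a practitioner would want: codes drawn from a CSPRNG, only a keyed hash of each code stored server-side, and single-use redemption.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols

# --- Hypothetical weak scheme (an assumption for illustration, NOT the real format) ---
# Each code is (serial + constant) in base 36.  Anyone holding one redeemed code
# can recover the serial and step to its neighbours, which is exactly the
# "derive new codes from used ones" failure the post describes.
_WEAK_OFFSET = 0xC0FFEE


def weak_generate(serial: int) -> str:
    n = serial + _WEAK_OFFSET
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out.rjust(10, ALPHABET[0])  # pad with the zero symbol


def weak_derive_neighbours(known_code: str, count: int) -> list[str]:
    """Attacker's view: parse a used code back to its serial, emit the next ones."""
    n = 0
    for ch in known_code:
        n = n * 36 + ALPHABET.index(ch)
    serial = n - _WEAK_OFFSET
    return [weak_generate(serial + i) for i in range(1, count + 1)]


# --- Hardened scheme ---
# Codes come from a CSPRNG, so no code says anything about any other code.
# The issuer keeps only an HMAC of each code (keyed with a server secret) and a
# redeemed flag: a leaked table does not hand out unredeemed codes, and a code
# can be redeemed exactly once.
class CodeStore:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._issued: dict[str, bool] = {}  # tag -> already redeemed?

    def _tag(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        code = "".join(secrets.choice(ALPHABET) for _ in range(25))
        self._issued[self._tag(code)] = False
        return code

    def redeem(self, code: str) -> bool:
        """First redemption of an issued code succeeds; repeats and guesses fail."""
        tag = self._tag(code)
        if self._issued.get(tag) is not False:  # unknown (None) or already used (True)
            return False
        self._issued[tag] = True
        return True
```

With the weak scheme, one redeemed code yields the next three valid ones with no further knowledge; with the hardened store, the only way to obtain a valid code is to be issued one, and replaying it is refused.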
From xbox360iso.com
The origin of the exploit can be found here: http://www.thetechgame.com/Forums/viewtopic/t=954941.html
Update: A Microsoft spokesperson has commented on the reported $1.2 million loss, saying the actual figure is “nowhere near” that amount, but did not give an actual number.
-Justin McFarland
Save & Quit writer
Chances are MS will revoke the points and SHOULD ban the accounts
I doubt it, I don’t think they can separate which ones are the real deal from the ones that are hacked, but who knows.
If MS is intelligent, they have rolling backups. Take a backup from before the site started getting hit, restore it to a separate computer, then compare the Microsoft Points totals before and after the exploit. Set a threshold limit, and any account that shows an increase in points greater than that threshold that doesn’t have recorded purchases of points to account for the difference gets hit with the banhammer.
Neh, no need for a ban. No user should be punished for an out-of-game exploit. Only in-game hacks count.
I am sure that Microsoft execs were not laughing this morning singing the praises of hackers and all the good that they do. Maybe instead of criticizing Sony and offering their phone to hackers to crack it, they partner up with them and Nintendo and Apple and see if, together, they can do something about these thieves. Hell, hire them. I guarantee that all their ideals would go out the window for enough zeros. I love supporting creators of great games, allowing them to continue doing what they do best. Grab these guys and focus their talents on helping the industry. I’m sure they have a lot to offer. Otherwise, throw the weight of the law at them.
Agreed.
Giving a hacker a job because he cost a company millions is like the USA giving in to terrorism and giving them what they want. Problem is, if they do that, then the next hacker is gonna aim for the same thing. No matter how good ‘said’ hacker is, guarantee there is a better hacker out there.
This makes these guys “Black Hat” hackers… Gray Hat at best. A “White Hat” would have exposed the exploit to Microsoft and THEN asked for a job.
It’s like telling the good guys to stop using guns to protect people.
It will be easy to hunt down the people who used this Exploit. It is a matter of looking at the time frame the website was up and the people who gained MS points quickly. If you get banned then try to call to say you got your points legally, then you better have proof.
mike, you’re kidding right? You know how many innocent people would get banned using your poor method? A lot. They have to be 100 percent sure that they did it… if not then there is nothing they can do. Nothing.
Microsoft can run the algorithm themselves and ban the codes it comes up with. Anyone with a validly purchased points card can return them or obtain new points from Microsoft.
Doubt it. The codes printed on the actual promotion cards would likely have been based on the same algorithm. So potentially, people were entering the codes off the cards they legitimately came into possession of only to receive a message that the code had already been redeemed.
A few days ago there was a lot of Buzz going on about people selling points on ebay really cheap, (These were codes not silver accounts with points attached.) It would be unfair to blindly ban everyone because I’m sure some people didn’t even know about this exploit and just thought they were getting a good deal on ebay.
Serves Microsoft right, the greedy poor quality company of the world
You are an idiot
I don’t understand how MS can be called greedy when they donate more to charity than any other software/gaming company COMBINED. It’s gotta be either I’m whacked-out nuts or some people are totally ignorant of the facts.
Micro$oft only donates money to causes because it’s tax deductible. The less tax the company has to pay will save them money for a bigger raise for executives and shareholders. This is corporate economics 101.
If you’re such a genius, you would know that A.) The money that they donated, they had already paid income taxes on. B.) The tax deduction DOES NOT equate to the same amount of money that you donate. Using your line of thinking, they should just donate ALL their profits to charity because they will make it back in the end and pay less taxes on it. Hell, why don’t we all just do that!!?? You first Hondafan.
Huh?
When a corp gives a donation they get to take it off in taxes sure – but do you understand Microsoft’s tax rate for the past two years was only 1.8 percent? So for each dollar they give to charity, they reduce their taxes by a whopping 1.8 cents (Apr 17, 2002)..
Can’t say I know anyone that thinks spending a dollar to save 2 cents is a good idea other than a politician…
They will have systems in place to see who bought what and what with. For starters they will only need to look at the data that suggests people topping up their accounts with 160MP points between X and Y time frames.
They will then look for patterns where that person did a top up of these points more than 3 times. Those like the above example that topped up 160MP at a lot of times suddenly, with it stopping when they put the fix in place to stop the exploit will be punished.
It states in their T&C they only need reasonable belief that you are using it fraudulently to ban you and take legal action if necessary, and an account that suddenly starts making 160MP top ups during a 7 hour period while stopping when the fix was in place is more than enough to ban a console and account. If there is the slightest little off chance that they trap a genuine user in that, and it will be highly unlikely they will be genuinely innocent, then simply providing proof of your transactions such as a credit card statement or receipt, etc. would be more than enough for them to reactivate your account and chuck in 160MP as a way of an apology.
But overall, they will probably target those that are clearly flaunting the system by looking at clear top up and spending patterns during that particular period of time and hit the heaviest abusers the hardest, leaving the “could they be innocent or not” brigade well alone.
The fact is even if there were 100,000 people abusing the system and they could only confirm without doubt about 400 of them… taking action against those 400 people will soon hit the forums, networks and media sites and the publicity of their banning action against 400 people would be more than enough conclusion for them to show they WILL take action against frauds and do not attempt any similar action in the future! It will act as a deterrent rather than as an actual punishment for any but the most severe cases.
As for recouping their losses…. that is simple, they will set on their entire army of legal representatives and tech analysts to discover the identities of those that hacked and distributed the programme, and to sue them for the full amount of lost revenue plus compensation from damages. Any hosting website that participated by allowing it hosted will get legal letters demanding they pass on all details of those that did it or face a lawsuit action naming them as an accessory to the fraud of $1.2 million…… usually enough to scare even the biggest hosting providers to supply the information of those that started all this.
At the end of the day, if you did it and managed to get one or two free MP hits out of it you are probably going to get away with it and no worries, but if you are like the guy in the example who made $150 dollars in one day, you could be facing a ban from Xbox Live, and if you are the ones that found this crack and distributed it in an attempt to defraud Microsoft…… best hide in the bushes or hope your chequebook can cash cheques for $2 million!
Ummmm you realize $1.2M would be eaten up in legal fees in no time at all? They’ve already done what they can – closed the exploit. It’s not like they keep track of every code they issue. They’re generated using an algorithm, printed and shipped automatically. Clearly I’m not saying MS deserved it or anything to that effect, but they’re pretty much out of luck on this one.
You don’t think they have logs of who redeemed what code at what time? Whoever redeemed hundreds of codes in a 20 minute timeframe was hacking. It’s pretty straightforward from that who was DEFINITELY cheating. Now, redeeming 10 codes in 20 minutes, less sure and that person would probably not get hit. There are no legal fees; their TOS says they can ban you for no reason.
It wouldn’t be difficult to identify a lot of the people who happened to be doing this. All Microsoft has to do is look for a bunch of idiots redeeming 160 MSP codes over and over again.
^^^ QFT.
Microsoft knows exactly who redeemed which codes, and where the codes came from (you can see your redemption/purchase history at https://billing.microsoft.com/ and click on Points).
Anyone that redeemed 1 code is probably legit — they clicked on the link in the email that they received, and redeemed the code they were allotted.
Anyone that redeemed lots and lots of codes is most likely not legit — it is unlikely Microsoft sent a single person lots and lots of emails, so they can take a closer look at that account.
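The detection logic sketched in the comments above (look at the redemption log, flag accounts that redeem 160 MSP promo codes over and over in a short window, leave single-code redemptions and paid purchases alone) is straightforward to express as code. The block below is an added example, not Microsoft’s system or anything from the post: the log format and the sample lines are constructed for illustration, and the threshold and 20-minute window are assumptions taken from the discussion, not known values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample redemption log (format is an assumption, not Microsoft's):
#   timestamp  account  source(promo|retail)  points
SAMPLE_LOG = """\
2011-03-22T14:01:07 alice promo 160
2011-03-22T14:01:44 alice promo 160
2011-03-22T14:02:19 alice promo 160
2011-03-22T14:02:51 alice promo 160
2011-03-22T14:03:30 alice promo 160
2011-03-22T14:10:02 bob promo 160
2011-03-22T15:40:11 carol retail 1600
2011-03-22T15:41:00 carol promo 160
2011-03-22T16:02:10 dave promo 160
2011-03-22T19:15:33 dave promo 160
2011-03-22T19:17:01 dave promo 160
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """Parse log lines into (timestamp, account, source, points), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, points = line.split()
        events.append((datetime.fromisoformat(ts), account, source, int(points)))
    events.sort()
    return events


def peak_promo_rate(events, window: timedelta = timedelta(minutes=20)) -> dict[str, int]:
    """Per account, the most promo-code redemptions seen inside any sliding window.

    Retail (paid) purchases are ignored: a recorded purchase explains a balance
    increase and must not count towards the abuse score.
    """
    recent: dict[str, deque] = defaultdict(deque)
    peak: dict[str, int] = defaultdict(int)
    for ts, account, source, _points in events:
        if source != "promo":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop redemptions that fell out of the window
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return dict(peak)


def flag_accounts(events, threshold: int = 3,
                  window: timedelta = timedelta(minutes=20)) -> list[str]:
    """Accounts whose peak promo redemption rate reaches the threshold.

    One promo code (the one legitimately emailed to a user) never trips this,
    and neither does a handful spread across hours; only rapid repeats do.
    """
    return sorted(a for a, n in peak_promo_rate(events, window).items() if n >= threshold)
```

In the constructed sample only `alice` (five promo codes in under three minutes) is flagged; `carol`’s paid 1600-point purchase is ignored, `bob` redeemed a single code, and `dave`’s three codes are spread over hours so his peak inside any 20-minute window is two. The threshold is the policy knob the commenters argue over: a high one only catches the heavy hitters, a low one risks sweeping in people who got a couple of codes from the promotion.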
Why the hell would Microsoft put any effort into punishing these people? $1.2 million dollars is nothing to a company like Microsoft. No one is attacking the core user experience of the Xbox 360 so there is no reason to actually go after these people.
This talk of Microsoft pulling a massive dragnet to start revoking accounts and undoing points is a lot of hysteria. Let’s not forget that many people got multiple 160 points codes legitimately without using the hacking software or doing anything exploitative. How much of this 1.2 million was legitimate 160 points codes? Not to mention, this happened days ago, I guarantee 75%+ of these points are already spent, they certainly can’t be taken back. The only thing that could happen is for bans to be handed out, and throwing out sweeping account bans for something that was essentially their fault when some people were using the promotion legitimately is nightmarishly draconian. The blurring of the lines here between what was promotion and what was exploitation is so arbitrary that I can legitimately see good and honest people cashing some of these codes in without thinking they were doing anything illegal or even unethical.
Microsoft screwed the pooch here, they really messed up. People who snagged hundreds of dollars in MS points using wares should probably be punished. If it’s possible to distinguish between those people infrastructurally then I suppose punish them. But I hope they don’t take it out on loyal customers who snagged 5 or 10 bucks because they failed to pick up on “too good to be true,” or especially in the case of those who got lucky and got multiple codes from the promotion.
I also want to say that the “exploit” here which I know was just changing 5 characters in the URL was in no way, shape or form “hacking.”
“because we can”
MS was incompetent this time around
It’s *not* hacking? Is changing 5 characters on the Amazon URL to change the price of an item *not* hacking too? It IS hacking if you perform unauthorised access to a system *and* take something you’re not entitled to. The law in most places believes this to be a crime.
And you can bet Microsoft has telemetry and tracking systems for *ALL* data on Live. If they feel inclined, they’ll make a couple of examples of the heavy hitters. They were watching the modded Xbox guys for _months_ before banning them.
The people defending the thieves have to be the most retarded people to ever post a comment. It’s $1.2 million stolen. Anyone with one brain cell would know it’s unethical to use old codes over and over again by changing the numbers. They found a way to cheat the system. They bought a code card with a certain amount of money to get a certain amount of money to spend. Microsoft doesn’t want people paying $5 and then cashing in $100.
Anyone that defends them are just completely STUPID,