Xbox Live accounts of Microsoft employees were breached via “several stringed social engineering techniques,” the company said.
Although the breach didn’t relate to a vulnerability in Microsoft’s systems, the company is investigating the incident by working with law enforcement and the companies used in the social engineering scheme. By obtaining the social security numbers of the targeted employees, hackers were able to social engineer other companies that require an SSN for security validation.
Security researcher Brian Krebs, who detailed the social engineering method days earlier, was then targeted by cyber-criminals when he was assaulted by SWAT teams at his house following an anonymous 911 break-in report.
“We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees,” reads a Microsoft statement. “We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use. Security is of critical importance to us and we are working every day to bring new forms of protection to our members.”
Krebs had pointed to several websites that use credit card reports and drivers’ licenses, and he might have been targeted by the same cyber-criminals who used the data to compromise the Xbox Live accounts.
Acknowledging that it does not use SSNs for security checks, Microsoft said that, by exploiting several security loopholes in third-party companies, hackers were able to target high-profile Microsoft officials and break into their Xbox Live accounts.
“Microsoft does not collect or use Social Security numbers in its services, including Xbox LIVE Gamertags or Microsoft accounts,” according to Microsoft. “Attackers are targeting high-profile Microsoft employees by social engineering other companies that do use this data to intercept security proofs from Microsoft to compromise the accounts.”
As a precaution, Microsoft is directing users to its “Account Security” webpage, with tips on how to prevent account hacks.