Posted by Stahlbrand

Toulouse seems very reasonable, his explanation of MS's perspective was straight-forward and plausible. As somebody with fleeting familiarity with the issues of regional licensing complexity he mentioned, I can sympathize with the headache that un-fucking an account must be. Still it would be terrible to be victimized and then have to wait a super long time to get everything back. There is no easy solution to a problem like this in this age - too many borders and too much 20th century thinking, nothing will ever work as smoothly as it should where the interconnected 'online world' brashly tramples across political boundaries.

Also, LOL at the guy who said he was 101% sure he'd never been phished. That is the same as saying you're sure you've never been conned.

Posted by lockwoodx

@kingschiebi said:

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

Correct. I put off getting a smart phone for 4 years longer than I needed simply because I had no practical use for one and didn't feel like/didn't have the time for learning a new platform atm.

Posted by trjp

The worrying thing here isn't just that there's clearly a security problem they're ignoring (and have been for at least a year as Googling shows cases going back to at least late 2010) - it's the sheer scale of the problem.

If it's taking MS over a month to deal with each case - how many cases do they have?? I mean I cannot imagine it takes more than a few minutes for someone to look into an account and see what happened, so even if only 1 person were doing it, that's several hundred cases a day (and in reality it's probably 100 times that!?)

If that doesn't tell them they need to tighten-up security - I've no idea what will.

To back this up - just mention XBL accounts being hacked on any gaming forum and you'll find people instantly who've been through this - I don't know all that many people with 360s (hence my disinterest in Gold) but of the dozen-or-so I know, 2 were hacked before me and 3 have been hacked since - that's a fairly high percentage!!

You have to be an idiot to assume this is all down to phishing or social engineering - it's just too widespread. I'm 101% convinced that MS are just fronting - thinking if they say "XBL is a closed and secure system" that it will be believed - but it's clearly far, FAR from that.

Posted by blacklab

Bald guy with goatee is bald guy with goatee is bald guy with goatee.

Posted by VibratingDonkey

@kingschiebi said:

@VibratingDonkey said:

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

...

The answer is usability.

...

An unverified system only needs to be verified once. Using this security feature is optional.

Even if it is just one step more, it is one step too much. Same reason why online shops try to do their best in making the actual shopping as painless as possible (i.e. Amazon 1-Click), and still there are people who are put off by that. It is getting less, and "we" (for simplicity's sake, I assume that people here are somewhat proficient with computers and the internet) are not the problem. It's the average person on the street that is having problems with that.

It is the same reason why Apple is tremendously successful with their IOS devices and why Microsoft is working hard on making Metro as accessible as possible.

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

That's partly why it is optional and the user needs to actively seek it out and enable it. It doesn't affect the usability for anyone in the slightest, apart from making it easier for users to keep their accounts secure. If you prefer to make it easier for criminals to steal your account and money then you're free to do so without being inconvenienced.

Personally I find the idea of a person being bothered by the presence of an optional security feature fucking bananas. In case that wasn't clear.

Also Microsoft has relatively recently implemented like three or four optional security features, two of which are enabled on or otherwise incorporate your console. Two step authentication could've been used in place of a bunch of them, improving usability by making all that stuff simpler.

Edited by CptBedlam

Nicely done, Patrick. Great Interview. And kudos to MS/Stepto as well.

Gotta say, the scope of these "hacks" surprised me quite a bit. MS really needs to get behind this.

Posted by mlipkin

Just got off with support this morning to check on the status of my investigation, and either MS support is the most poorly informed in the biz or Toulouse was lying to you Patrick.

He said 25 days was an outlier--support said it will take a minimum of 25-30 days and to not bother calling back until then.

Also, Toulouse told you: "They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.[But] If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question."

Support said in almost all cases of fraud, you lose all the achievements earned while playing on the local profile. The only time you get to keep that progress is when the account does not need to be recovered to that particular console, i.e. some weird case where your roommate is the one that hacked you. So when he says they should synchronize, that's bull.

Posted by mlipkin

Update: After being told by support this morning that my case was still in the queue and should expect a result around Christmas, I tweeted Stepto about how his 25 days as an outlier was BS, 15 minutes later, I magically have an account reset e-mail in my inbox. I'm obviously happy this got sorted out for me, but furious at how many lies I've been told during this whole process.

Posted by Airship

Good job on this whole story, Klepek. Thank God someone in the game press had the balls to write what had to be written.

Posted by Gunharp

@mlipkin said:

Update: After being told by support this morning that my case was still in the queue and should expect a result around Christmas, I tweeted Stepto about how his 25 days as an outlier was BS, 15 minutes later, I magically have an account reset e-mail in my inbox. I'm obviously happy this got sorted out for me, but furious at how many lies I've been told during this whole process.

For real? Just like that for bothering Stepto?

Posted by Brendan

@MideonNViscera said:

The whole reason these things take forever is because they have to cover their asses so hard. Or at least they did. Maybe now that you can't sue them for every little thing it can speed up a bit haha

You can still sue them for every little thing, you just can't do it in a group now.

Posted by YOUNGLINK

No new news, but Patrick got the most he could out of stepto.

Posted by mlipkin

@Gunharp: For real. Tweeted him twice, including one that included this article. Almost immediately got an e-mail from MS telling me the investigation was completed and they were refunding me the money.

Edited by trjp

@Stahlbrand said:

Also, LOL at the guy who said he was 101% sure he'd never been phished. That is the same as saying you're sure you've never been conned.

I can honestly say I've never, ever, ever been caught by any sort of phishing scam for the following reasons

1 - I've worked with networks since before most people knew they existed - I've worked with network security, email and the web for decades - I even wrote anti-phishing browser plugins back when such things were popular - I know how stuff gets done, I know how scams work and phishing is really, really, really obvious to me - I just don't fall for it - ever.

2 - I cannot ever remember receiving an email asking me to login to XBOX Live for any reason anyway - I've had them for PayPal and every Bank/Finance site you can think of but I cannot ever remember seeing one for XBL (and as I said earlier, I don't click on anything in emails - ever - anyway)

3 - I know I've not been phished in this case because they accessed my account using my secret question and I DON'T KNOW WHAT THAT IS - I just hammered the keyboard to make it up - so I cannot possibly have surrendered it to anyone! :)

You (and MS) can keep kidding yourself that this is entirely a "user problem" but I strongly suspect there's more to it and that, sooner or later, you may well find yourself on the wrong end of it.

Meanwhile it must be costing MS a fortune to deal with all the cases - but then they'll be making a fortune from people who don't check their accounts carefully and get scammed and never notice (which, if it transpires this is MS's problem and not just a 'user problem' - makes them a party in fraud surely?)

Posted by magus213

@Rincewind said:

Patrick Klepek dropping bombs on this issue.

I prefer the phrase "dropping Hot Scoops."

Edited by KaneRobot

Of course Microsoft ignored the requests for info on people having to wait that long, they don't give a damn about individual customer problems. It took getting a story published on a major gaming site to get them to respond.

Not that they're any more nonchalant than other companies about some of their bullshit processes & problems (Tretton saying at E3 that PSN being dead for a month with user info stolen was "blown out of proportion" by the media, after all), but it's nice to see all these companies are fucking scumbags equally.

Posted by insanejedi

@mythrol said:

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

You're a dumbass. My account was not hacked due to phishing because I never give anyone my password, nor do I ever respond to BS emails trying to trick me into giving my password away. I honestly think there is a weakness in EA's system which allowed people's accounts to get hacked because the passwords were the same.

As far as the interview goes, Fuck Microsoft. I'm one of those people whose account was locked out for almost 90 days. Not due to "complexity of the situation" but because Microsoft screwed up MULTIPLE TIMES during the recovery process and they have a horrible notification process to let people know something went wrong or they need additional information. The ONLY way you can get something processed is if you take it upon yourself to continually call them for updates. They WILL NOT contact you.

I've spent hours on the phone with their CSRs in regards to my account and like I told them, they are really lucky that the alternative options SUCK (PSN is no better). All it will take is one company to offer a service that does it right and I and many others will jump ship. The way they handle this stuff is horrible. I'm not even a PC gamer but I might become one just because Steam is so much better.

You realize you just proved my point right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption, though I wish it was 256, 128 bit is adequate for most security concerns. Chances are, that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

Posted by Thumbrunner

Scoops always bringing in the great stories. I had not realized that during the process they had to relicense all of the material you had purchased after a hack. Great read.

Posted by Sekoku

@Krakn3Dfx said:

Pretty much reads like a support FAQ from their website, but okay.

Used to follow Stepto on Twitter. Guy comes across generally as a douche bag. I guess you kind of have to be in his role as Master of the XBL Hammer, but still.

He could have saved some time and just boiled it down into one sentence: "Yeah, we're going to try and be better about this...but not really."

Yeah, "Stepto" is a huge douche. People like Geoff Keighley get bumped up in the queue of investigations faster than us plebes. What? That really makes no sense.

Also this interview could be boiled down to that, yeah. There really isn't anything interesting and if Patrick poked into it he could've asked how the accounts' regions are changed. Is that option available in the Live.com site? Why? Is there any way to turn it off or have it have to be verified before the region is changed? Patrick didn't really poke/investigate the issue more.

Posted by trjp

@insanejedi said:

@mythrol said:

You realize you just proved my point right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption, though I wish it was 256, 128 bit is adequate for most security concerns. Chances are, that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

You can keep trolling us with your blind faith - but the fact you keep talking about passwords when most accounts are being compromised via their 'secret question' suggests you've not even bothered finding out about the problem you're blindly defending...

MS even got those 2 floppy-haired-fuckwits to do an in-dash video on how your 'secret question' should have a nonsense answer 'like another password' - I think it's clear they know this is the way into people's accounts (and resetting your password via your secret question does NOT generate an email so you don't know you've been hacked until the money is spent and you get the receipt by email).

End of the day MS are evidently besieged with people having problems and it doesn't matter who's "fault" it is, MS are the only people who can solve it and if they don't they should consider themselves likely for prosecution for aiding and abetting fraud.

Locking XBL accounts to specific devices would be a start (ala Steam's system) - as would putting a proper block on repeated attempts to guess secret questions (at this time it appears there's no limit on that - at least I lost patience trying it) - as would blocking repeated purchases of things like FIFA Gold Packs (better someone loses a few hundred points than thousands). New games should also have a system to verify that an account has a copy of a game they're trying to get DLC for - that will render the whole FIFA scam impossible.

Finally tho - if a customer calls and says they didn't buy some 'actually worthless online currency or digital download' then simply accept this with good grace, delete it from their account and don't fuck them around for months, lying to them and treating them like thieves eh??
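As an added illustration of the two controls trjp asks for (a limit on repeated secret-question guesses, and an e-mail when a reset happens), the toy below is not code from the post or from Microsoft's systems. It keeps a weak recovery path, unlimited silent attempts, beside a hardened one with a per-account lockout and a notification event. The account fields, the limits and the sample answers are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Policy for the hardened path (constructed values for the demo).
MAX_ATTEMPTS = 5         # wrong answers allowed before the recovery path locks
LOCKOUT_SECONDS = 3600   # how long it stays locked


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Treat the secret answer like a password: normalise, salt and stretch it,
    # so a leaked table does not hand out everyone's answers in the clear.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 50_000)


@dataclass
class Account:
    gamertag: str
    email: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    notifications: list = field(default_factory=list)  # (address, subject) pairs


def make_account(gamertag: str, email: str, answer: str) -> Account:
    salt = os.urandom(16)
    return Account(gamertag, email, salt, hash_answer(answer, salt))


def answer_matches(acct: Account, guess: str) -> bool:
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(hash_answer(guess, acct.salt), acct.answer_hash)


def weak_recover(acct: Account, guess: str, now: float = 0.0) -> str:
    """Unlimited guesses and a silent reset: the behaviour the post complains about."""
    return "reset" if answer_matches(acct, guess) else "wrong"


def hardened_recover(acct: Account, guess: str, now: float = None) -> str:
    """Per-account attempt limit, temporary lockout, and an e-mail on every reset or lock."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"  # do not even evaluate the guess while locked
    if answer_matches(acct, guess):
        acct.failed_attempts = 0
        acct.notifications.append((acct.email, "Your password was reset via your security question"))
        return "reset"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        acct.notifications.append((acct.email, "Account recovery locked after repeated wrong answers"))
        return "locked"
    return "wrong"


def run_guesses(recover, acct: Account, guesses, now: float = 0.0) -> list:
    """Feed a constructed guess list to one of the recovery functions; returns the outcomes."""
    return [recover(acct, g, now) for g in guesses]


if __name__ == "__main__":
    # Constructed sample: a guessable answer, the kind the post says is the way in.
    weak = make_account("demo_tag", "owner@example.invalid", "Rex")
    print(run_guesses(weak_recover, weak, ["Fido", "Spot", "Max", "rex "]))
    strong = make_account("demo_tag", "owner@example.invalid", "Rex")
    print(run_guesses(hardened_recover, strong, ["Fido", "Spot", "Max", "Buddy", "Rocky", "rex"]))
    print(strong.notifications)
```

The hardened path refuses to evaluate guesses at all while locked, so a guesser learns nothing from the lock, and the owner gets mail on both the lock and the reset, which is exactly the signal the post says is missing when a reset happens via the secret question.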

Posted by VibratingDonkey

@YOUNGLINK said:

No new news, but Patrick got the most he could out of stepto.

His answers are not satisfactory. Fails to mention any measures to be implemented to address any of the issues people are having. Fails to mention duping of customer support staff at all. Which I believe is the most commonly believed cause for these hijacks. Stepto instead shifts blame onto the users, which is just plain old bad form. Especially when Microsoft is in a position to more or less stop account hijacking from being a thing.

"Look at all these various ways in which a criminal can steal your account! We're not doing anything to protect you against it. We could, but naaah. So it's all your fault if it happens."

I take issue with this stance.

But Stepto is surely in the same position as the people who said "Rumble is last-gen. Y'know things break."

Still, while you have to sympathize with the guy to some extent, he needs to get hardballed in a couple of areas. Dig down a little until he's forced to make a difficult reply.

Posted by Gourdmaster

Actual game journalism?!?!?!!!!!! Bravo Patrick this is some of the first investigative game journalism I've seen. Great stuff.

Posted by insanejedi

@trjp said:

@insanejedi said:

@mythrol said:

You realize you just proved my point right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption, though I wish it was 256, 128 bit is adequate for most security concerns. Chances are, that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

You can keep trolling us with your blind faith - but the fact you keep talking about passwords when most accounts are being compromised via their 'secret question' suggests you've not even bothered finding out about the problem you're blindly defending...

MS even got those 2 floppy-haired-fuckwits to do an in-dash video on how your 'secret question' should have a nonsense answer 'like another password' - I think it's clear they know this is the way into people's accounts (and resetting your password via your secret question does NOT generate an email so you don't know you've been hacked until the money is spent and you get the receipt by email).

End of the day MS are evidently besieged with people having problems and it doesn't matter who's "fault" it is, MS are the only people who can solve it and if they don't they should consider themselves likely for prosecution for aiding and abetting fraud.

Locking XBL accounts to specific devices would be a start (ala Steam's system) - as would putting a proper block on repeated attempts to guess secret questions (at this time it appears there's no limit on that - at least I lost patience trying it) - as would blocking repeated purchases of things like FIFA Gold Packs (better someone loses a few hundred points than thousands). New games should also have a system to verify that an account has a copy of a game they're trying to get DLC for - that will render the whole FIFA scam impossible.

Finally tho - if a customer calls and says they didn't buy some 'actually worthless online currency or digital download' then simply accept this with good grace, delete it from their account and don't fuck them around for months, lying to them and treating them like thieves eh??

So if idiots are driving Toyotas and blaming Toyota for something like failed brakes it's somehow magically Toyota's fault when the facts and studies just show that these people are idiots? The social engineers would have only gotten your secret question if it was true and if you let it out somewhere to someone. If you had a Facebook page where you advertised that your dog's name was "bill" or your mom connected you via Facebook and also had other relatives that don't have their last name changed so you got her maiden name.

Stop being entitled asshats and blaming that it's everyone's problem but your own. The suggestions you give could be some of the most sophisticated encryption and security entry ever, and it won't give two shits if the man behind the computer is a dumbass and gives out his personal information that links to the secret question or just blatantly gives out the password. Worse yet are people who don't even know that they're doing this. Like I said if you have a Facebook page with your mom on it, and your mom links to relatives on her side, you could find out what her maiden name is as just one example. It's impossible to make anything foolproof because you'll just make better fools.

You realize that they can't simply remotely delete the download from your account. Even if they could would you really want Sony, Nintendo, Steam, MS to have that ability to kill whatever you have from your 360, PS3, or even PC hard drive remotely? A: The money has changed hands from MS to whichever other company, which is EA at the moment. B: The download has been made and if there was a policy like that, no one would pay for content ever because they would simply download it, report to MS that they didn't actually buy it, and then keep the DLC on their hard drive.

At the end of the day, so long as the database has not been compromised, which I have yet to see evidence of, YOU picked the password, YOU picked the answers to the questions.

Posted by UnsolvedParadox

I attended Stepto's talk at PAX Prime 2011 regarding the Live platform, and was really impressed with both his approach and commitment to security. It was both classy and pragmatic for him to chastise one of the audience members who suggested that Sony's security issues at the time were to Microsoft's advantage, noting that they were both partners in the fight against intrusions.

Posted by Elyk247

I play FIFA 12 all the time. I guess I'm just lucky. (Knock on wood)

Posted by fupallstar

is it just me or does he kind of look like Bryan Cranston from Breaking Bad?

Posted by jimmdogg

Great article. But it does little to soothe my anger at the issue. My account was locked for 100 days. ONE HUNDRED DAYS. It doesn't matter if most issues are resolved in under 27 days if you are one of the outliers. I was never given any reason on why it took so long. I never had any communication with the fraud team. I never found out how my account was compromised, if charges were filed on the fraudulent party, or any other details about the incident. The only email I ever got from them, and I called in at least 10-15 times, was the one telling me my account was now unlocked. I was given a token for 3 months of Live. In the meantime, I had started a new gamertag and put about 1200 Achievement points on it. Should I go back to my old account and give up 12 hours of playtime in MW3 and my Dark Souls and Skyrim saves? This is my Christmas quandary.

Posted by trjp

@insanejedi said:

So if idiots are driving Toyotas and blaming Toyota for something like failed brakes it's somehow magically Toyota's fault when the facts and studies just show that these people are idiots? The social engineers would have only gotten your secret question if it was true and if you let it out somewhere to someone. If you had a Facebook page where you advertised that your dog's name was "bill" or your mom connected you via Facebook and also had other relatives that don't have their last name changed so you got her maiden name.

Stop being entitled asshats and blaming that it's everyone's problem but your own. The suggestions you give could be some of the most sophisticated encryption and security entry ever, and it won't give two shits if the man behind the computer is a dumbass and gives out his personal information that links to the secret question or just blatantly gives out the password. Worse yet are people who don't even know that they're doing this. Like I said if you have a Facebook page with your mom on it, and your mom links to relatives on her side, you could find out what her maiden name is as just one example. It's impossible to make anything foolproof because you'll just make better fools.

You realize that they can't simply remotely delete the download from your account. Even if they could would you really want Sony, Nintendo, Steam, MS to have that ability to kill whatever you have from your 360, PS3, or even PC hard drive remotely? A: The money has changed hands from MS to whichever other company, which is EA at the moment. B: The download has been made and if there was a policy like that, no one would pay for content ever because they would simply download it, report to MS that they didn't actually buy it, and then keep the DLC on their hard drive.

At the end of the day, so long as the database has not been compromised, which I have yet to see evidence of, YOU picked the password, YOU picked the answers to the questions.

You really are a prize idiot - I'm not even sure why I reply to fanbois like you, utterly convinced of something which you know NOTHING about whatsoever.

I know for a 101% solid fact that no-one got my password or secret question from me - that means whoever broke into my account either

a - did so using a brute-force attack (something only Microsoft can prevent)

b - did so via a means which has nothing to do with my password or secret question whatsoever

Even if I'm unique and everyone else is handing out their login details willy-nilly - that means you need to tighten up security MORE - not less.

MS can do MUCH MUCH more to reduce these issues. Requiring additional authorisation before moving accounts between devices (ala Steam's system) - requiring backup authorisation before allowing purchases (just asking for a card's CVC code before authorising a purchase would totally cripple the FIFA Points scam overnight).

They could upgrade login security to use an Authenticator-like code (see Blizzard, Google and most Banks for such systems) which would render phishing completely and totally obsolete (and costs next to nothing as you just release free Apps/desktop tools to do the Authentication)

Why don't MS do these things? My guess is that they think putting any other 'hurdles' in the path of people buying stuff will reduce their income - kids will have to bug parents for the code, adults will have to go find their card and might lose interest and not login - but it would increase security IMMEASURABLY from where it is now.

Given that MS make having a card on your account pretty-much mandatory for most Gold Subscribers (and I'm pretty sure XBLIG developers need to keep payment details up-to-date also) - it's not like most people have a choice about risking their account being hacked and money charged to their account.

The FIFA scam gives hackers a way of making money - so it's not just amusement and vandalism, they're doing this because it's FREE MONEY and thus it will continue until MS do something (or law enforcement gets sick of them doing nothing and starts kicking-in doors)

Posted by Warihay

It has now been about a month and a half for me since my account was hacked. Just now hearing that they are communicating with the engineering team due to the "complexity" of the hack on my account. Very irritating especially considering I just started my winter break from college and I can't progress my Battlefield 3 character. 1 month free of Live is nice and all but doesn't really mean anything when anything I do on a new account won't carry over. Only thing I really wish is that the fraud team communicated more with the user on what they are doing and what steps they are taking to resolve the problem. Anyway, still a good article Patrick.

Posted by darichardson

@jimto: Sorry for the late reply, but you didn't read what I said. I know he didn't flip a switch to hack my account. He hacked my account, and once inside, he flipped a switch to have the region transferred. If you had read my post it said that I never actually lost access to my account because the password was never changed. I never said the hacker was stupid or lazy, either.

The switch that was flipped was the region transfer and nothing more. Additionally, I stated that Microsoft had already refunded me the money for what had been taken. THE ONLY THING LEFT is to have my region transferred back to the United States from Poland, yet Microsoft continues to drag its feet. This is the only switch that I was referring to, the region transfer part.

I will say, at the very least, that Microsoft has at least sent me another update email since I posted that with a 30 day code, but all that I really want is to have my region transferred back to the US.

Posted by Feddy

Great set of questions thanks Patrick.

Posted by LandGrinch

are the comments always so hostile

Edited by richard_m_morales

@MrTom: Same here. I don't have experience in IT. But I too use Malwarebytes and Super.

I received an email in Portuguese from billing@microsoft.com on December 21, 2011 stating that my account has been transferred from Brazil to the United States. So I thought I got my account back. I tried to log in on the billing site and it's still showing my account as being locked. So I phoned up support. Just to be told they wouldn't trust that email. That the final email will be from similar emails I have received before with a link to change my info and that it will be in English. I went from being happy thinking I had my account back to just being pissed off again. I even tried emailing Stepto about this on December 2, 2011. Never received a reply back. Been having this issue since July 9, 2011.

Here's my post on Xbox.com Forums about my issue.

http://forums.xbox.com/xbox_forums/xbox_support/f/12/t/150494.aspx?PageIndex=5

Posted by capgrass

Hot topic these days...

Posted by daemissary

I guess I got lucky because my account was hacked on Dec 18th and I just got the email saying the investigation was done today. I did file a dispute with my credit card company as well as calling Xbox Support, maybe that is why it was resolved so quickly?

Posted by calbags

@patrickklepek: great article. yo! Patrick, you have the connections, bring in Sterling. When you guys left I stopped watching feedback.

Posted by urbanterror

cool

Posted by LRavenwolf

Great insight - There is an issue that I have yet to see fixed where my account was hacked, and my Xbox Live membership was changed. To be fair, the 10k MS Points that were purchased and gifted by the hacker were refunded. However, I had 18 months of Xbox Live Gold purchased from previous sales and pre-paid cards that I lost because the hacker changed my plan to the Family Gold plan to gift the MS points. It has almost been a year and I still have not gotten that time back. I had given up on getting that back as it's been almost a year and every time I call I get the same crap answer that they're looking into it but nothing ever happens. I may just pick up the issue again after reading this. It just pisses me off too much to let go.

Posted by Gunslinger0130

Excellent set of articles Patrick, well done!

Posted by Massive_basset

Account transferred to Russia back on Sept 25th here. Still Russian today. I used to Netflix on my Xbox almost daily, now I almost bought a Roku on woot today... but it's got to be almost over... right?

Posted by Griffinmills

Good to hear Microsoft being more forthcoming in regards to their security woes than I remember Sony being in agreeing to this interview. Interesting set of questions here too! Good stuff all around.

Posted by Xsheps

@Griffinmills: probably because Microsoft is an American company and Sony isn't.

Edited by Napalm

@Griffinmills said:

Good to hear Microsoft being more forthcoming in regards to their security woes than I remember Sony being in agreeing to this interview. Interesting set of questions here too! Good stuff all around.

I'd hardly call it "forthcoming". Microsoft needs to do damage control to prevent something like this from getting out of hand. They aren't actively trying to repair the problems at the core with this current flood of reported stolen accounts, and Stepto is only in the limelight to ease public opinion, say some nice things and talk about how they want to protect their users information.

Believing anything beyond that is really just being a little bit too gullible. Just a quick Google search yields dozens upon dozens of reports and subsequent comments from people who have had their accounts stolen, locked for ridiculous periods of time, or a combination of other awful scenarios. People on the Xbox/Microsoft security team are only pushed into the public to do damage control, and only fix the most public and damaging cases to uphold the public view that they, "are on top of the case and have solved the issues." It's the classic Superman scenario.

EDIT: I also don't want to make it sound like Stepto has ulterior motives, or isn't sincere in his job. I believe he is, but Microsoft as a company is questionable when it comes to these things, especially repairing internal processes and procedures to hopefully help the arisen issues.