Xbox Live Bug Let Hackers Access Gamertag Email Addresses

A bug in Xbox Live allowed hackers to find any email associated with a registered gamertag. The site used to report bad behavior in the Xbox online community was hiding a vulnerability that allowed hackers to snag user email addresses.

Motherboard reported that last week an anonymous hacker reached out to them claiming to be able to find the email attached to any Xbox gamertag. Motherboard verified the hacker’s claims by sending them two gamertags, one of which was created specifically for this testing. Within seconds the hacker sent back the email addresses these tags were registered with. Normally, these email addresses are supposed to be private. Another anonymous hacker told Motherboard that the bug could be found in the Xbox Live enforcement portal. This page is where players can contact the Microsoft team that monitors Xbox’s online communities.

Despite the apparent threat to customer security, Microsoft’s original response to this security breach was not exactly urgent. In an email response to Motherboard’s bug report, the Microsoft Security Response Center (MSRC for short) said, “An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed.”

But on Tuesday a Microsoft spokesperson confirmed that the company “released an update to help protect customers.” One of the anonymous hackers who contacted Motherboard specifically requested that reporting on the leak not be published until after a fix had been made because it was “the easiest vulnerability I’ve ever found.” Taking such precautions is important, even when the exposed information, like email addresses, is not extremely delicate. There is precedent for hackers using these kinds of vulnerabilities to dox people, as in 2017, when they used a similar bug on Instagram and created a searchable database to dox celebrities.

