Microsoft's new security leak puts Xbox LIVE user data at risk

Microsoft accidentally jeopardizes Xbox LIVE user accounts by leaking a website security certificate.

Published Wed, Dec 9 2015 8:31 PM CST   |   Updated Tue, Nov 3 2020 12:02 PM CST

Thanks to a slip-up by Microsoft, Xbox LIVE accounts accessed through the official Xbox LIVE website can now be hijacked on Windows 10 and Windows Phone platforms. The company has said that it's "not currently aware" of any reported suspicious activity, but warns users that their accounts may be at risk.


Microsoft reports that it "inadvertently disclosed" the private keys for sensitive security certificates, which hackers can use to acquire Xbox LIVE account information from Windows users. Armed with the Xbox website's SSL/TLS digital certificates, hackers can prompt users to re-enter usernames and passwords on an insecure network. Be aware that this security issue doesn't affect Xbox 360 or Xbox One users directly; it is limited to access to the Xbox LIVE main site.

"Microsoft is aware of an SSL/TLS digital certificate for * for which the private keys were inadvertently disclosed," reads the security warning. "The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

The notification notes that all modern versions of Windows including Windows 8, 8.1, 10 and Windows Phone platforms will be automatically updated with new certificate trust lists once Microsoft issues a fix. "To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate."

For now, you should avoid signing in to the main site and wait for the all-clear from Microsoft. We'll be sure to update this news post once more information is released. If you're extra paranoid, you could even access your account information via console and remove any sensitive financial information such as credit cards and the like. Remember, once your account is compromised, hackers can rack up tons of debt with in-store purchases and completely compromise your bank account.


Derek joined the TweakTown team in 2015 and has since reviewed and played 1000s of hours of new games. Derek is absorbed with the intersection of technology and gaming, and is always looking forward to new advancements. With over six years in games journalism under his belt, Derek aims to further engage the gaming sector while taking a peek under the tech that powers it. He hopes to one day explore the stars in No Man's Sky with the magic of VR.
