Microsoft responds to theft of $1.2 million in Microsoft Points

Microsoft responds to theft of $1.2 million in Microsoft Points

Microsoft has responded to the theft of hundreds of thousands of dollars in Microsoft points. The company, according to a new statement, is invalidating points that were accrued illegally, and is contemplating reprcussions against offending accounts.

The full Microsoft statement:

“We are aware of the situation and have taken steps to invalidate the codes obtained illegitimately. We take safety and security very seriously and require that Xbox LIVE members use the service in compliance with applicable laws and specifically prohibit people from engaging in illegal activity as a part of our Terms of Use and Code of Conduct. Our Policy and Enforcement team is evaluating whether or not certain individuals have violated the Terms of Use for Xbox LIVE and will take the appropriate enforcement on an individual basis. Codes obtained legitimately by users will not be impacted.”

In case you are behind, this is what happened:

If you are an Xbox user you are most certainly aware of Microsoft Points, points that you can buy in gift-card format at many major retailers. Each card has a code on it that you type into your console to redeem the points.

But what would happen if hackers found a way to generate codes that worked, opening a floodgate of free points? There is no need to be hypothetical: it already happened. Over the past few days hackers created thousands of codes using an exploit that created fake, but usable strings of digits, and redeemed them for over $1.2 million in points.

Each faked code could generate some 160 points, and by repetition some intrepid hackers racked up the points by the thousand. The estimate of 1.2 million dollars lifted in points comes from a source that seems to be well trusted by the gaming community.

No matter the final dollar figure, be it plus or minus 100,000 dollars or so, it is obvious that Microsoft was had, and publicly, for around 7 figures in digital goodies. Assuming that stolen points are quickly turned into games and the like, Microsoft might never uncover the fraudsters and recover the points, and thus the losses they are sure to incur.

The hack is now dead, with Microsoft no longer accepting duped codes. We may never know the final damage tally, but it can be said safely that the egg on Microsoft’s face will take at least a few days to clean off.

Read next: The top 3 demonstrations of the NoDo update for WP7 [Video]