One of the darkest signs for any company, especially one that handles credit card information, is the thought that even its own employees aren't safe from outside incursion. That's what happened at Microsoft. The company recently issued a statement confirming reports that "a handful of high-profile Xbox Live accounts held by current and former Microsoft employees" had been compromised. But perhaps more frightening is the means by which these accounts are being hacked.
According to the statement, Microsoft had become aware of a "group of attackers" who were using a variety of "stringed social engineering techniques" to carry out the hacking in question. Microsoft went on to describe its involvement with law enforcement, and how security was "of critical importance" to the company--the kind of things a reader would expect to see in a statement involving a hacker attack--but beyond the statement is where things start to get truly disturbing.
Recently, security researcher Brian Krebs found himself the target of a simultaneous cyber attack and a so-called "swatting" attempt, in which false information is given to an area police department with the specific goal of eliciting the response of a full SWAT team. That led some to compare the attacks on him with the attacks on the Microsoft accounts. Some have also drawn a connection between the attacks on Krebs and his recent work on revealing the means by which some Microsoft accounts were being hacked, involving third-party sites that offer social security numbers for sale.
Krebs himself, meanwhile, remembered the recent attack involving Wired reporter Mat Honan and discovered some parallels there, especially as related to a hacker who went by the name of Phobia. Even Ars Technica weighed in recently, suggesting that a denial-of-service attack it had suffered could possibly have been linked to Phobia.
For now, Microsoft is directing users to its standard security recommendations, though some note that these recommendations are led by "security proofs," some of which were recently found to be compromised. While Microsoft doesn't collect social security numbers in the standard run of business, the use of social security numbers to break into an account is all the more disturbing.
The loss of a social security number is dangerous enough under normal circumstances. Perhaps the worst part of the whole process is how little control over the matter the individual user would actually have; it is somewhat comforting to know that it required a multi-level breach of security across several sites to perform the hacking, but that's a comfort of the colder variety. Still, in the end, all we as regular people can really do is watch our bank and credit card statements and keep a tight watch on our own information.
Edited by Brooke Neuman