Xbox LIVE points hack cost Microsoft thousands, not millions
A promotion offering Microsoft Points, 48-hour Xbox LIVE passes, and in-game props could have cost Microsoft more than it bargained for last weekend after Xbox LIVE users discovered that they could generate hundreds of working codes and redeem thousands of points. Most users exploiting the flaw were interested in the Microsoft Points: each code was worth 160 points, an amount that would normally cost $2 to buy.
The flaw was remarkably simple. Microsoft's promotional system used a special URL to generate the redeemable codes. That URL included two important parameters: a two-digit number used to pick the kind of code that would be generated (Points, passes, or props) and an enormously long string that governed which set of codes the system would hand out. It turned out that changing four specific characters in that string to any number from 0000 to 9999 caused the system to generate new codes, making it easy to create thousands of them. The problem was first publicized by a user named Dark posting at The Tech Game in a thread that has since been locked.
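An added example, not part of the original article and not Microsoft's code: one way a server can keep an edited URL from yielding new codes is to bind the URL parameters to a server-side MAC and issue at most one code per account and kind. The secret, the kind values, the link layout, and the names `sign_link`, `PromoIssuer` and `codes_from_enumeration` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key"  # assumption: server-side only, never in the URL
KINDS = {"01": "points", "02": "pass", "03": "prop"}  # hypothetical two-digit kinds


def sign_link(kind, batch, account):
    """MAC binding the code kind, the long batch string and the account."""
    msg = json.dumps([kind, batch, account]).encode()  # unambiguous encoding
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class PromoIssuer:
    def __init__(self):
        self.issued = {}  # (account, kind) -> code

    def issue(self, kind, batch, account, tag):
        """Return a code for a valid link, or None if the link was altered."""
        if kind not in KINDS:
            return None
        expected = sign_link(kind, batch, account)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None  # any edited character in kind or batch fails here
        key = (account, kind)
        if key not in self.issued:
            self.issued[key] = secrets.token_hex(8)  # random, not derived from URL
        return self.issued[key]  # a repeat request returns the same code


def codes_from_enumeration(issuer, account, tag, template):
    """Try every 0000-9999 value in the batch string; count distinct codes."""
    got = set()
    for n in range(10000):
        code = issuer.issue("01", template.format(n), account, tag)
        if code is not None:
            got.add(code)
    return len(got)


# Constructed sample link: the four digits sit inside a longer batch string.
TEMPLATE = "A7F3C2-{:04d}-9E1B55D0"
ACCOUNT = "gamer-123"
VALID_TAG = sign_link("01", TEMPLATE.format(42), ACCOUNT)

if __name__ == "__main__":
    print(codes_from_enumeration(PromoIssuer(), ACCOUNT, VALID_TAG, TEMPLATE))
```

With the tag checked and issuance tracked per account, walking the four digits through all 10,000 values returns the single code the account was already entitled to.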
Some estimates put the value of Microsoft Points generated illicitly at between $1 million and $3 million before Microsoft shut the system down on Monday. Microsoft representatives have, however, ridiculed these high numbers, saying that the true figure is nowhere near that high. On the face of it, it looks like they have a point. Seven different two-digit numbers that yielded Microsoft Points were discovered, and each two-digit number was then paired with the four-digit number to generate a redeemable code. That would seem to imply that 7 × 10,000 codes were possible. With each code having a value equivalent to $2, that makes a total of just $140,000.