
The Xbox Live security crisis

Monday, January 23, 2012
EDITOR'S NOTE from Rob Savillo

Brad summarizes the ongoing hacking problems that have plagued Xbox Live since the middle of last year. While exploring the potential causes and fixes, he ultimately puts the blame on Microsoft's inability to acknowledge the problem (similar to the company's response to Red Ring of Death) and take measures to protect customer data -- security steps that competitors Valve and Sony employ.

It’s important to establish a few facts before speculating about the attack vector. First, the attackers are gaining access to accounts without changing the password. They may change the existing password once they are in to prolong their control of an account, but they always seem to hold the original password, which is what they use to get into the account in the first place.

Given that fact, we should be able to rule out one class of attack: the "social hack," better known as social engineering. Typically, social engineering attacks target specific individuals, gather personal information through Google and various social networks, and use those details either over the phone with a customer service representative while masquerading as the target or through a website’s password reset mechanism to answer any discoverable challenge questions.

The end goal is to reset an unknown password that was set by the rightful owner of an account to a temporary or new password known only to the hacker. Since the Xbox Live intrusions are occurring without the password being reset, we can discount social attacks as a possible cause. In addition, social hacking is far more time consuming than other types of attacks and usually employed when a hacker has a very specific target. There are prominent examples of celebrities, politicians and other public figures having their email and cellphone accounts invaded and their dirty laundry aired publicly. But it’s not a particularly efficient method for a profit-minded hacker who doesn’t care whose account he accesses and is more interested in turning over as many accounts as he can as quickly as possible.

Another fact we must remember is that enough victims have reported that their compromised accounts had unique passwords to cast doubt on another popular theory of how these intrusions are being accomplished. Given the number of other services and sites like PSN, Gawker, or Valve that have had their own systems breached and customer information stolen, it is not unreasonable to suspect that attackers are replaying email addresses and passwords pilfered elsewhere and hoping Xbox Live account holders reuse the same login credentials on multiple sites, a technique now known as credential stuffing. In fact, a few months ago, Sony’s new czar of network security, Philip Reitinger, disclosed that he had detected and blocked just such a mass login attempt against PSN. Sony's network technicians flagged this activity as irregular and possibly harmful to PSN users and immediately took measures to protect and inform their customers of the danger.

Unfortunately, it’s a difficult hypothesis to prove, but we have reason to doubt this is a comprehensive explanation. As mentioned above, some victims at least claim to have been using passwords unique to their Live account. From personal experience, I can tell you that the information used to gain unauthorized access to my own account in August did not come from PSN as I did not sign up for PSN until a few months after that intrusion. I can also verify that my information was not contained in the database stolen from Gawker and that the Valve intrusion occurred after my Live account had been hijacked. I know of no other publicized hacks, within the gaming industry or otherwise, that could have exposed my password for Xbox Live.
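What Sony's technicians did, in the terms used above, is distinguish a credential-stuffing run (one source replaying leaked email/password pairs against many accounts, a try or two each, mostly failing) from a brute-force attack (many tries against one account) and from ordinary traffic, and then lock the accounts that the replay actually got into. The following is an added example of that detection logic, not code from the article, Sony or Microsoft; the log format, IP addresses, account names and thresholds are all constructed for illustration.

```python
# Added example: credential-stuffing detection over login logs.
# The log format, addresses, accounts and thresholds below are constructed
# for this illustration and are not taken from PSN, Xbox Live or the article.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log format: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters for one observation window."""
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)  # accounts that logged in OK
    per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return (ts, ip, user, ok) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["ip"], m["user"], m["result"] == "ok"


def aggregate(lines):
    """Group attempts by source IP, skipping lines the parser rejects."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, ok = rec
        s = stats[ip]
        s.attempts += 1
        s.per_user[user] += 1
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def classify(stats, min_users=10, max_tries_per_user=2, min_fail_ratio=0.5,
             brute_min_attempts=10, brute_max_users=2):
    """Label each source IP as credential_stuffing, brute_force or normal.

    credential_stuffing: many distinct accounts, very few tries per account,
        mostly failures (a leaked credential list being replayed).
    brute_force: many tries concentrated on one or two accounts.
    """
    labels = {}
    for ip, s in stats.items():
        users = len(s.per_user)
        fail_ratio = s.failures / s.attempts
        tries_per_user = s.attempts / users
        if (users >= min_users and tries_per_user <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            labels[ip] = "credential_stuffing"
        elif s.attempts >= brute_min_attempts and users <= brute_max_users:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def accounts_to_lock(stats, labels):
    """Accounts that authenticated from a stuffing source: the attacker now
    holds a working password for each, so lock them and notify the owner
    rather than treating the login as legitimate."""
    locked = set()
    for ip, label in labels.items():
        if label == "credential_stuffing":
            locked |= stats[ip].successes
    return sorted(locked)


# Constructed sample: 12 accounts tried once each from 198.51.100.7 (two of
# them reused a leaked password and succeed), 15 failures against a single
# account from 203.0.113.9, and one mistyped-then-correct login from 192.0.2.5.
SAMPLE_LOG = (
    [f"2012-01-20T03:00:{i:02d}Z ip=198.51.100.7 user=user{i}@example.com result=fail"
     for i in range(10)]
    + ["2012-01-20T03:00:10Z ip=198.51.100.7 user=dave@example.com result=ok",
       "2012-01-20T03:00:11Z ip=198.51.100.7 user=erin@example.com result=ok"]
    + [f"2012-01-20T03:01:{i:02d}Z ip=203.0.113.9 user=alice@example.com result=fail"
       for i in range(15)]
    + ["2012-01-20T03:02:00Z ip=192.0.2.5 user=bob@example.com result=fail",
       "2012-01-20T03:02:05Z ip=192.0.2.5 user=bob@example.com result=ok",
       "garbage line that the parser must skip"]
)

if __name__ == "__main__":
    st = aggregate(SAMPLE_LOG)
    lab = classify(st)
    for ip in sorted(lab):
        print(f"{ip:15} {lab[ip]}")
    print("lock:", accounts_to_lock(st, lab))
```

The point of keeping the per-user counts separate from the per-IP counts is that the two attack shapes look alike on a plain failure counter: both produce a burst of failed logins from one address. Credential stuffing is the one that also yields a handful of successes, and those successes are exactly the accounts a provider should lock and notify, which is what the text describes Sony doing and what it faults Microsoft for not doing.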

For many months, Microsoft refrained from commenting officially on the apparent epidemic of account thefts. It was not until a few months ago, when a number of prominent gaming journalists fell victim to the same fraud and started writing about it for their respective sites, that Microsoft released a statement. Officially, Microsoft denies suggestions that the Xbox Live service itself has been hacked and blames "phishing scams" for the so-called "FIFA hacks."

Phishing scams essentially involve tricking users into entering their user names and passwords for a service into a fake version of the real site. Typically, someone will receive an email suggesting that there is a problem with his account or promising some kind of freebie that includes a link to a site that looks very official but is actually hosted and controlled by hackers. World of Warcraft is a frequent target for this kind of scam as in-game gold continues to be an asset with real-world value.

It’s not hard to see why Microsoft would blame phishing for incidents of Xbox Live fraud. It’s a known and ongoing problem in the industry, it jibes with the fact that the intruders seem to know user passwords, and it conveniently absolves Microsoft's own security infrastructure of any responsibility. In truth, phishing is likely responsible for some level of fraud on the service, but it is a leap to suggest it explains all of this latest increase. To many, it looks very much like Microsoft blaming the victims with a plausible but unverifiable excuse while deflecting attention from a very real, ongoing problem.

And there are many reasons to be skeptical of the official explanation. For one, many people with a high degree of technical knowledge and understanding of good security practices have fallen victim. I can tell you that I personally, emphatically did not fall for a phishing scam. I have never even seen a phishing scam that targets Xbox Live, although there tends to be one or two WoW scams in my spam folder each week. It’s also difficult to believe Geoff Keighley or Michael Pachter were tricked into signing up for free MS points. Worse than that, if this was a widespread and incredibly effective phishing scam, where is the evidence? Microsoft offers no proof to support the claim, and we are being asked to believe that not a single person in the gaming press, NeoGAF, 4chan, or SomethingAwful has been wily enough to recognize and document the scam site of which so many are supposedly victims. It’s a poor phishing scam that is apparently impossible to find.

All the circumstantial evidence suggests that something else is going on. If these can’t be social engineering attacks, don’t appear to be related to third-party compromises, and aren’t entirely caused by phishing sites or emails, then there must be an undisclosed or perhaps undiscovered security flaw allowing attackers to learn user passwords without being noticed. As it just so happens, last week just such a problem was discovered on Xbox.com.

Comments (2)
January 23, 2012

Microsoft always bothers me with their inability to take responsibility. I wouldn't be surprised if they finally admit that they were wrong. Some days I want to switch to playing a PS3, because their customer service is inexcusably poor. Fortunately, I spend most of my gamer points quickly, so that no other hacker could bother using it for themselves.

I changed my password, but the lack of security really worries me. You'd think that Microsoft would notify its customers that it has this problem. Unhappy customers really don't like to get blamed for matters that are not entirely their fault.

January 23, 2012


Thanks for explaining it so thoroughly. Great article.
