Bug Allowed Hackers to Get Anyone’s Email Address on Xbox Live

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.


Image: JUNG YEON-JE/AFP via Getty Images

A serious flaw in Xbox Live allowed hackers to easily find out the email address used to register any Xbox gamertag. 

Last week, an anonymous hacker reached out to Motherboard claiming to be able to discover the email behind anybody’s Xbox gamertag. By default email addresses linked to gamertags are private. Motherboard was able to verify the existence of the vulnerability by providing the hacker with two gamertags, including one created just a few minutes earlier for testing purposes. The hacker sent back the email address used to register the two accounts within seconds. 

A second anonymous hacker said that the bug was in the Xbox Live enforcement portal, where gamers can contact the company’s team that polices the Xbox online community. 

After Motherboard contacted Microsoft last week, the company patched the bug. Initially, the Microsoft Security Response Center, or MSRC, a part of the company that protects customers from being harmed by security vulnerabilities in Microsoft’s products and software, didn’t consider the bug to be a serious security risk.

“We received multiple reports regarding this and have informed the appropriate team about the issue and will let them address this as needed,” the MSRC said in an email on Monday, responding to Motherboard’s bug report. “An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed.”

On Tuesday, a Microsoft spokesperson confirmed that the company “released an update to help protect customers.”

Do you, or did you used to, work at Microsoft? Do you know anything else about the company? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at [email protected], or email [email protected].

The hacker who alerted Motherboard of the bug asked us to publish this story only after a fix. 

“If you publish the article before it’s patched it will get…