Microsoft warns that hackers could spoof Xbox Live site using leaked security certificate (updated)

Before making any changes to your account on the Xbox Live website, double-check to ensure you’re not on a fake page designed to steal your data.

Microsoft has warned today (first reported by ZDnet) that it has “inadvertently disclosed” the security certificate for its Xbox Live website, which resides under the Xbox.com domain. This means that cyberattackers could duplicate an Xbox Live website without triggering any of the warnings you would get for browsing a site with faulty certificates. Hackers could then perform something akin to a “man in the middle” attack where it makes you believe you are communicating directly with Microsoft, but it is instead intercepting and saving all of your sensitive information.

The good news here is that Microsoft is aware of the problem, and it has made the affected certificate invalid. That means most versions of Windows will now automatically detect that these spoof sites aren’t valid. But the company is still suggesting that users remain vigilant when clicking through to Xbox Live websites.

Microsoft did not explain how the leak happened, but it did point out that it doesn’t think it was the result of an attack. Instead, it seems that Microsoft simply leaked the certificate data itself completely by accident.

We’ve asked Microsoft for more information about how this happened, and we’ll update this post with any comment from the company.

Keeping a site like Xbox Live secure is something Microsoft seems to take seriously — and for good reason. Millions of people have registered for Xbox Live, and a huge percentage of those customers have their credit-card information tied to those accounts. This would make that site and the service a target for malicious hackers. And we’ve already seen a digital assault capture the credit-card numbers, email addresses, and passwords from approximately 77 million people as the result of a cyberattack on Sony’s PlayStation Network.

That 2011 breach was so severe that Sony actually took PSN offline for 23 days. Microsoft obviously wants to avoid anything like that.

Correction 9:55 a.m.: We earlier said the website for Xbox Live was Xboxlive.com, not that it’s on Xbox.com.