Xbox Bug Allowed Hackers Access to Any Email Address on Xbox Live

A bug in Xbox Live allowed hackers to instantaneously find the email address associated with any registered gamertag. Microsoft patched the bug Wednesday following reporting from Vice's Motherboard.

Motherboard received tips about the bug from two anonymous hackers, one of which was able to produce the email addresses linked to a gamertag that had been created minutes earlier to test the bug. Those email addresses are private by default. That hacker described the bug as "the easiest vulnerability I've ever found," in an online chat with Motherboard.

NEW: a bug in the Xbox Live enforcement portal allowed hackers to discover the email addresses used to register *any* gamertag.

Could have led to mass doxing of email addresses, according to the hacker who told us about the bug.

Bug is now patched. https://t.co/IFH38Ya8vy
— Lorenzo (he/him) (@lorenzofb) November 25, 2020

The second hacker said the bug was in the Xbox live enforcement portal, which gamers can use to contact Microsoft's team in charge of policing the Xbox Live community.

The Microsoft Security Response Center, a division focused on protecting customers from security vulnerabilities in the company's products and software, initially dismissed the bug as a non-serious risk. The MSRC told Motherboard it left fixing the bug to the Xbox Live product team.

Motherboard held off on publishing reporting on the bug until the fix had been deployed at the behest of one of the tipster hackers.