A massive Xbox 360 hack was used by criminals to steal billions of dollars in assets from victims across the world, researchers have warned.
Researchers from the UK-based security firm Trend Micro say the Xbox exploit they analyzed in June 2015 was “the largest known exploit” for the exploit code used by the Xbox Live Gold membership service.
Microsoft has said the exploit could not be used to steal money from users.
In a blog post, Trend Micro says the exploit was “based on an in-memory exploit that was used to attack a large number of victims, including many banks, retailers, payment gateways, and retailers that had their data stored on the Xbox One’s cloud servers”.
“This is the first time we have found an exploit that targets such large organizations, and the largest known exploitable Xbox 360 attack in the world,” the researchers said.
The Xbox 360 vulnerability has also been exploited in other attacks, including one in October last year that resulted in $5.5bn in damages.
Trend Micro said that while the exploit has been used to conduct “large scale attacks” against banks and retailers, it was also used by cybercriminals to commit the biggest theft of assets from customers.
“These attacks have been targeted at high-value targets, including banks and large retail stores, and included many highly targeted exploits,” it said.
“While the Xbox 360 is still being patched, the attack was still being used in 2017.”
Trend also noted that the exploit used by hackers to steal tens of millions of customers’ data in March 2017 was used in another Xbox 360 breach.
The researchers said it was likely that Xbox Live Gold members had not had their accounts compromised because they had not been targeted.
Microsoft said the Xbox attack did not target its Xbox Live service, which is used to access Xbox Live services that customers use to play games and watch TV.
“It is important to note that we do not currently have any evidence to indicate that this attack targeted the Xbox Online service, as it has not been used by any of our customers,” the company said.
However, the vulnerability is believed to have been used for several other Xbox 360 hacks, including a second one in May 2015, which involved the theft of $1.9bn from customers in Germany.
The Xbox exploits are not the first of their kind.
Last month, a UK-born computer security researcher said he had discovered a similar Xbox exploit, which also exploited a Microsoft cloud service.
A researcher from US-based cybersecurity firm Kaspersky Lab said that it was “pretty clear” the Xbox exploits were part of a “large-scale attack” that used a remote code execution vulnerability in Microsoft’s Azure cloud service to steal $6bn.
Kaspersky said the exploits were discovered by Russian security firm Krasnodar Security.
Experts have also warned that it is possible that hackers may be using exploits for similar purposes, including to attack financial institutions.