Microsoft on Wednesday announced the leak of private keys for Xbox Live that could lead to a potential hack. Microsoft did not explain the source of the disclosure, but the company did note that no attacks from the leak have been detected. If you have an Xbox Live account, here's how to protect yourself.
In the security advisory released Wednesday, Microsoft said it has invalidated the leaked certificate. "To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate," reads the advisory. The leaked digital certificate cannot be used to impersonate domains, create new certificates or sign code.
There are still concerns the private keys could be used in a "man-in-the-middle" hack.
In this scenario, the leaked Xbox Live private keys could be used by a hacker to gain access to a secure connection. "Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user," Microsoft explained. A hacker could intercept messages sent between Microsoft and the Xbox Live user. Information or sensitive data could be stolen via this method. An Xbox Live user could give up their password to a hacker via this attack, ZDNet reported.
To protect yourself from a potential hack, Microsoft recommends setting up automatic updates for all supported releases of Microsoft Windows. The disclosure was included in Wednesday's list of monthly security bulletins. For December, Microsoft issued 12 bulletins, including cumulative security updates for Internet Explorer and Microsoft Edge and fixes for vulnerabilities in Silverlight, Microsoft Office and Microsoft Windows.