Update: Microsoft has confirmed that the exploit actually resulted in much less than previously estimated. The original story is below:
Earlier this week, a website started offering free Microsoft Points. A group of hackers figured out the algorithm behind a set of promotional codes that were each redeemable for Microsoft Points, the currency used on Xbox Live. Knowing the algorithm allowed hackers to get new codes by adding to already-used ones. Beantown Gamer has the details:
I will keep the name of the website secret as to the integrity of the situation, but I can talk about how easy the process was to obtain all of these points. A reliable source tells me that upon inserting the website into your browser, you let the boxes on the screen load. If the boxes have the text 'live content', refresh it until a code appears. Each code is worth a whopping 160 Microsoft Points; just redeem it on Xbox.com! This process was never-ending: just refresh, rinse, and repeat. There were so many people doing this at one point that the website 404ed. In a matter of 20 minutes someone I know has obtained over $150 worth of Microsoft Points.
In other words, a person could just refresh over and over and rack up codes for the 160 Microsoft Points. Not every code would work, but a majority would. There were even mini programs coded up that could get the codes for you.
Microsoft found out about the exploit and put a stop to it immediately. Until that point, however, Internet pirates managed to steal $1.2 million worth of Microsoft Points. One pirate managed to get $150 worth of Microsoft Points in just 20 minutes. Microsoft has yet to say what they plan on doing about the problem, but unless they can isolate the codes from the legitimate ones, they may have to let this one slide.
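The Python example below is added here and is not from the original story or from Microsoft. It assumes a hypothetical code store (`PromoCodeStore`, the alphabet, the code length and the lockout threshold are all constructed) and shows the defensive counterpart to the flaw described above: codes drawn from a CSPRNG and checked against a server-side issuance record, so that adding to a used code yields nothing redeemable and a code that was never issued never validates.

```python
import hashlib
import secrets

ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # constructed 24-symbol alphabet
CODE_LEN = 25                           # assumed code length
MAX_FAILURES = 5                        # assumed lockout threshold per account


class PromoCodeStore:
    """Issues unpredictable codes and redeems each one at most once."""

    def __init__(self):
        self._issued = {}    # sha256(code) -> {"points", "redeemed"}
        self._failures = {}  # account -> count of rejected attempts

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, points=160):
        # Every symbol comes from the OS CSPRNG, so knowing one code
        # gives no information about any other code.
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._issued[self._digest(code)] = {"points": points, "redeemed": False}
        return code

    def redeem(self, account, code):
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return "locked"  # repeated guessing stops being free
        record = self._issued.get(self._digest(code))
        if record is None or record["redeemed"]:
            self._failures[account] = self._failures.get(account, 0) + 1
            return "rejected"
        record["redeemed"] = True
        return "ok"


def neighbour(code):
    """Return the next code in ALPHABET order, i.e. a used code plus one."""
    digits = [ALPHABET.index(c) for c in code]
    for i in range(len(digits) - 1, -1, -1):
        digits[i] = (digits[i] + 1) % len(ALPHABET)
        if digits[i] != 0:  # no carry, done
            break
    return "".join(ALPHABET[d] for d in digits)
```

Only hashes of issued codes are stored, and validity is decided by lookup rather than by any property of the code string itself.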
It's important to note that there are hundreds of websites that claim to give you "free Microsoft Points." Almost all of these are fake; they ask you to fill out countless surveys, hand over your social security number, and are often riddled with malware. The last thing we want is for our TS readers to head over to these websites in the hopes that they'll stumble on a legitimate one they can exploit.