Microsoft's helpdesk is the key to the recent Xbox Live account thefts, according to a gaming clan which admits to being one of the culprits.
The InFamOuS clan said on its website that its members "steal at least 10 accounts a day".
"Now you may be wondering how we get your information? Its easy, you call 18004myxbox, pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah," the group boasts on its site.
"You might get one little piece of information per call but then you keep calling and keep calling every time getting a little bit more information every time.
"Once you have enough information you can get the Password on the windows live ID Reset, they may tell you they can't, but its bullshit. People at Bungie CAN and WILL reset your password."
Xbox Live account thieves have made similar claims on online forums in the past. The described method is known as social engineering and attempts to dupe Microsoft helpdesk employees into divulging confidential information.
The InFamOuS clan also admitted to using credit cards linked to the accounts to purchase so-called Microsoft Credits.
The issue of stolen Xbox Live accounts surfaced earlier this week when security researcher Kevin Finisterre tagged the problems on the Full Disclosure security mailing list. He reported the matter after his girlfriend's 'gamer tag' was stolen.
Microsoft has always maintained that its systems are secure. The company concluded an internal audit on Wednesday and proclaimed that it had not found any issues.
"We have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our Live network," said a company spokesperson.
Microsoft admitted, however, that most known cases of Xbox Live account theft are the result of social engineering, where criminals dupe victims into giving up confidential data.
The vendor did not immediately respond to a request for comment on the claims made by the InFamOuS clan.
In response to Microsoft's statement, Finisterre quipped to www.vnunet.com that Microsoft was correct in blaming social engineering, but left out that it was the firm's employees who were targeted.