Last week, MS denied reports that Xbox Live accounts had been compromised, putting ID thefts down to 'phishing' and denying security breaches at Bungie.net / Xbox Live. MS have this week conceded that more was and is afoot than users simply giving away their details to dodgy emails and websites.
MS this week concedes that there is more of a concerted effort going on by fraudsters to dupe MS and their partners into giving away personal details (which can give the criminals access to a user's Microsoft Points, which can then be spent). 'Pretexting' is apparently the technique the nefarious criminals have been using, described by Wikipedia thusly:
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc).
Xbox Live director Larry Hryb became aware of the problem via security researcher Kevin Finisterre, who realised that many of the security compromises had occurred through the MS support centre. "There's no other way to say it; this situation shouldn't have happened. Our customers deserve better. The Xbox team takes what happened and the resolution of it very seriously," Hryb apologised, stating that staff would be re-trained and policies altered to counter this threat.