Microsoft statement did not list the source of the leaks but the company said that the leaked keys have so far not been used in any cyber attack. In the security advisory released Wednesday, Microsoft said it has invalidated the leaked certificate. “To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” reads the advisory. The leaked digital certificate cannot be used to impersonate domains, create new certificates or sign code. However the biggest concern is that the private keys could be used to mount a in a “man-in-the-middle” attack. Potential hacker could use the leaked Xbox Live private keys to gain access to a secure connection. “Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user,” Microsoft explained. A hacker could intercept messages sent between Microsoft and the Xbox Live user. Information or sensitive data could be stolen via this method. An Xbox Live user could give up their password to a hacker via a MiTM attack, ZDNet reported. Microsoft has recommended that you enable automatic update in order to protect yourself.
