Hackers briefly punctured the Xbox 360’s veil of security yesterday, finagling an algorithm that generates virtual currency used to purchase items through Microsoft’s online games store. The exploit reportedly allowed users to reuse special access codes and rack up counterfeit Microsoft Points, redeemable for downloadable content.
The exploit was originally posted to an online forum, where a user claimed it could generate “legitimate Xbox LIVE Promotional Codes used by Microsoft,” and urged others to “make use of this glitch as quickly as possible!”
“Awesome, I have gotten enough to get the ballad of gay tony!” wrote one user of the exploit, referring to the second expansion for Rockstar’s freeform crime spree, Grand Theft Auto IV.
“Its [sic] definitely legit guys, i started at 140 msp, and went to 9420msp,” wrote another.
“OMG… It works but im [sic] really hoping i don’t get banned,” wrote a third.
Beantown Gamer, which noticed the exploit first, claimed the hack cost Microsoft as much as $1.2 million, but dubiously attributed the figure to a single unnamed source “in contact with 1-800-4MY-XBOX.” (Microsoft’s official Xbox support line.)
That didn’t stop news sites from pouncing on the splashy headline-grabbing figure anyway, provoking a response from Microsoft, who called the number “inaccurate.” The company told Gamasutra its actual dollar losses were “nowhere near the amount that has been reported,” though it didn’t offer a specific number.
What’s more, Microsoft says it’s working to quickly identify users who accessed the exploit (not a difficult trick, since the codes were re-used) and that it’s exercising “appropriate enforcement” in dealing with them.
Savvy gamers know better, but if you really think “free stuff” grows on search-trees, you might want to think twice. Search on “Microsoft Points generator” at your peril. Besides the patent illegality posed by a working exploit, you’re just inviting malware, viruses, the ire of legitimate paying customers, Microsoft’s banhammer, and–since swiping points you didn’t pay for technically counts as stealing–your very own lawsuit.
More on TIME.com