Estimate
That estimate of $1.2M has already been debunked: http://arstechnica.com/gaming/news/2011/03/xbox-live-points-hack-cost-microsoft-thousands-not-millions.ars
Hackers managed to figure out the algorithm used by Microsoft to generate promotional codes tied to XBox Live, costing Redmond an estimated $1.2m before it put a stop to the scam. The algorithm created 160 counterfeit MS points, the currency used on XBox Live, at each iteration. "Hackers found an algorithm to add to existing, …
Can these points be converted back to real dollars?
They do not have intrinsic value; it's just that Microsoft has chosen to allocate a value to them... So they've lost a potential $1.2M in revenue, but it certainly hasn't cost them $1.2M! I wouldn't expect a liability of $1.2M to suddenly appear on Microsoft's ledger for this.
I'd argue that it's cost them nothing. Mind you, I'm reading Cory Doctorow's For The Win at the moment, so that might explain this point of view!
Trying to reimburse forged codes to a personally identifiable account is pretty stupid. These idiots will be lucky if MS just resets their points to what they were. I expect the worst offenders will have their XBL account sent to banheim and will receive a knock on the door from Mr Plod.
It is akin to having a shop that uses its own currency, someone finding a way to counterfeit that currency, going and using it at that shop, but writing their real name and address on the back of every single note. You might as well just tattoo the word 'fraudster' on your forehead and be done with it.
Did the system actually record the legit codes that were generated and given out (and hence MS can just find anyone who used a code that wasn't officially issued), or did the system just regard every code as equal, provided it fit the algorithm?
If it's the latter, I don't see how MS could discriminate between people who used codes they got legally and those who used an illegal code. Sure, maybe if someone used 200 codes in a 10-minute timespan it'd be obvious, but if they just used the one?
Microsoft will potentially be screwing a lot of people over if it does eliminate all of the points created in this manner. And there is a perfectly valid defense for any customer accused of creating the points fraudulently, which is almost undoubtedly true in some of these cases.
It is very unlikely that someone did not take advantage of this code creation ability to sell discount Microsoft points for real money. If a customer was duped in this manner, and Microsoft then takes the points from them, the customer will essentially be held responsible for Microsoft's security error. Not good business. If it really is only a few thousand dollars' worth of liability, Microsoft can afford to suck it up to avoid a potential PR shitstorm when it takes a hundred dollars' worth of MS points from a dyslexic kid who didn't know he was doing anything wrong...