A promotion offering Microsoft Points, 48-hour Xbox Live passes, and in-game props could have cost Microsoft more than it bargained for last weekend after Xbox Live users discovered that they could generate hundreds of working codes and redeem thousands of points. Most users exploiting the flaw were interested in the Microsoft Points: each code was worth 160 points, an amount that would normally cost $2 to buy.

The flaw was remarkably simple. Microsoft's promotional system used a special URL to generate the redeemable codes. That URL included two important parameters: a two-digit number used to pick the kind of code that would be generated—Points, passes, or props—and an enormously long string that governed which set of codes the system would hand out. It turned out that changing four specific characters in that string to any number from 0000 to 9999 caused the system to generate new codes, making it easy to create thousands of them. The problem was first publicized by a user named Dark posting at The Tech Game in a thread that has since been locked.
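The weakness described above is a code-issuance endpoint whose output is determined by a request parameter that a client can vary freely, so the server itself becomes the code generator for anyone who notices the pattern. The following Python is an added example, not Microsoft's code or the promotion's actual URL format. It shows the two controls a defender would want: an issuance store whose codes come from a CSPRNG and are single-use, so there is no structured segment to vary, and a detection pass over constructed web-server log lines that flags a client whose requests to the redemption endpoint differ only in digit positions of the same parameter. The parameter names `type` and `batch`, the path `/promo/redeem`, and every log line are assumptions constructed for the example.

```python
import hashlib
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real Microsoft logs). "type" stands in
# for the two-digit code kind and "batch" for the long string whose four-character
# segment the article says could be changed to any value from 0000 to 9999.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:21:04:01 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0000ZZZZk HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2011:21:04:02 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0001ZZZZk HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2011:21:04:02 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0002ZZZZk HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2011:21:04:03 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0003ZZZZk HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2011:21:04:03 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0004ZZZZk HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2011:21:05:10 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0417ZZZZk HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2011:21:05:11 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0417ZZZZk HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2011:21:09:11 +0000] "GET /promo/redeem?type=07&batch=Q7xAAAA0417ZZZZk HTTP/1.1" 200 312
"""

# Common-log-format line: client, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def parse_line(line):
    """Return (client, kind, batch, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    qs = parse_qs(urlsplit(target).query)
    kind = qs.get("type", [""])[0]
    batch = qs.get("batch", [""])[0]
    return client, kind, batch, int(status)


def enumeration_suspects(log_text, threshold=5):
    """Flag clients that made at least `threshold` successful requests whose
    batch strings are identical except for digits, i.e. the fingerprint of a
    client walking a numeric segment. Returns sorted [(client, variants)]."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, kind, batch, status = parsed
        if status != 200 or not batch:
            continue
        template = re.sub(r"\d", "#", batch)  # mask digits so 0000..9999 collapse
        seen[(client, kind, template)].add(batch)
    hits = {}
    for (client, _kind, _template), variants in seen.items():
        if len(variants) >= threshold:
            hits[client] = max(hits.get(client, 0), len(variants))
    return sorted(hits.items())


class CodeStore:
    """Hardened issuance: codes are unguessable CSPRNG output, bound to a kind
    server-side, and redeemable exactly once. No request parameter selects
    which code comes back, so there is nothing for a client to vary."""

    def __init__(self):
        self._unredeemed = {}  # sha256(code) -> kind; only the hash is stored

    def issue(self, kind):
        code = secrets.token_urlsafe(15)  # 120 bits of entropy, no structure
        self._unredeemed[hashlib.sha256(code.encode()).hexdigest()] = kind
        return code

    def redeem(self, code):
        """Return the kind for a valid unredeemed code, else None (unknown or reused)."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        return self._unredeemed.pop(digest, None)


if __name__ == "__main__":
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
    store = CodeStore()
    code = store.issue("points")
    print("first redeem:", store.redeem(code), "second redeem:", store.redeem(code))
```

The digit-masking template is deliberately coarse: it does not need to know which four characters were variable, only that one client keeps presenting the same shape of string with different digits. Against the sample log it flags 10.0.0.5 with five variants and ignores 10.0.0.9, which simply retried one code. In a real deployment the threshold would be tuned to the observed per-user redemption rate, and hits would feed the same per-account enforcement process the article describes.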

Estimates have been made that Microsoft Points worth between $1 million and $3 million were generated illicitly before Microsoft shut the system down on Monday. Microsoft representatives have, however, ridiculed these high numbers, saying that the true figure is nowhere near that high. On the face of it, it looks like they have a point. Seven different two-digit numbers that yielded Microsoft Points were discovered, and each two-digit number was then paired with the four-digit number to generate a redeemable code. That would seem to imply that 7 × 10,000 codes were possible. With each code having a value equivalent to $2, that makes a total of just $140,000.

Abusing server flaws is against the Xbox LIVE terms of service, so the company would be entitled to hand out bans to those who abused the issue. However, the codes that were generated are legitimate as far as the system is concerned, and it may prove difficult for the company to work out which rewards were obtained legitimately and which were not. Nonetheless, in a statement issued today the company said that it had "taken steps to invalidate the codes obtained illegitimately." The company said that it was still "evaluating whether or not certain individuals have violated the Terms of Use for Xbox"; if they have, then Microsoft will "take the appropriate enforcement on an individual basis." There are unconfirmed reports that some people who took advantage of the flaw have already been banned.