21 March 2007
Xbox Live compromised? (and a Sony comment)
Updated below.

The reports of hijacked Xbox Live/Windows Live accounts are somewhat ominous. At this point, they haven't been confirmed by Microsoft, so it might as well be a rumor.

Were there reports of this before the Windows Live beta launch recently? Obviously, it's a bit post hoc ergo propter hoc to say the availability of Windows Live is the source of a possible security breach, but the timing is suggestive. Apparently Microsoft has launched a probe. Hopefully Microsoft will issue a press release on the veracity of the reports.

If there was (or perhaps is) a problem, it hasn't been handled well. I'd rather Microsoft had been more forthcoming if they knew of problems. Even if it was just cover for deficiencies in the Xbox 360's original design, extending the Xbox 360 warranties was a good PR move. In keeping with that, Microsoft perhaps should have stepped up to say there was a problem, that they'd fix it, and that they'd take care of anyone who was bitten by a security breach. If there are no problems, they should be out in front as soon as possible telling everyone as much.

This raises a possible explanation for why Sony is hesitant to give the PSP access to the PlayStation store. The PSP is a compromised platform. People can write, and are writing, software for it, and Sony cannot control them. A user can run homebrew code on a lot of PSPs, including a program that will brick the system.

So the combination of hacked firmware and a networked application which handles a user's financial information raises the possibility of malware that phones home with that information.

Update: Kotaku has a response from Microsoft. The official word isn't informative: it just says they take security seriously and they're investigating all reports. A representative apparently conveyed to Crecente that they haven't found any security breaches. Why wasn't that in the official statement?

[Originally I wrote about Windows Live as if it were launched. It isn't, but is in public beta. Obviously, I made a mistake. More info here.]

--Matt Matthews at 11:28
The beta hasn't even started yet, actually, at least not the public phase. I'm signed up and confirmed, but nothing has gone out yet.

The compromise is almost certainly a low tech one. Remember that some people have been out there hiring people to grind their gamerscore, a process that requires giving your account details to someone else in a remote place.

Not exactly the smartest cookies right there.

By Blogger Jeremy, at 21 March, 2007 12:19  

It's an interesting point and maybe this is just the ex-security analyst in me ... but if someone was keeping username/password information on a machine that they were also running homebrews?

I wouldn't have much sympathy.

On the other hand, if this is MS/Sony/whoever not doing the right diligence when it comes to encryption and the like - throw the book at them.

By Blogger Josh, at 21 March, 2007 18:22  

