by Jerrrry 2040 days ago
In the months before rolling this out, they modified an internal API "reserve-gamertag" and introduced a small chance of a race condition.

This race condition allowed anyone spamming (3k+ req/sec) this one specific public API to eventually (2 minutes) take any unbanned inactive Xbox360 gamertag that hadn't been migrated to the XboxOne platform.

Xbox has no bug bounty program; ironically this means the finder of this exploit made 10x what Microsoft would have given him, even by a generous estimate.