Where most sites offering free Microsoft Points are pure scams, a recent site gave away real codes to the point that it crashed due to heavy traffic. The hackers had discovered an algorithm that cracked the 25-letter codes.
So all people had to do was refresh the page over and over again for codes for 160 MSP (might be a mistake, 1600 points?), a Halo Reach Banshee avatar prop, or a 48-hour Xbox Live trial. Apparently, people had enough time to steal $1.2 million in MSP before Microsoft shut the exploit down.
There's not much Microsoft can do except lick their wounds, though $1.2 million is probably how much they spend on coffee filters in a week. Of course, they could go through all the accounts and see which people had recently entered a crapload of 160 MSP codes on one specific day, and whip out the ban hammer.