In-game friends list. You hack one account, log in and look at their friends list, hack those, etc. I was the one whose circle of friends was all hacked, and none of us know anyone else's information, nor would any of us have socially engineered the other even if we did. To suggest is preposterous.
It was already mentioned on a previous page, but one plausible scenario involves the fact that you can completely bypass password authentication when logging into your console if you've ever downloaded the profile. For example, put your profile on a USB stick and go take it to another console. Notice you do not have to enter your password. It stands to reason that if there were a way to download a profile through some sort of backdoor or vulnerability in the XBL API, then game would be over.
Note that things like this actually are common and happen all the time.
Things like customer service reps giving out user's information in droves happens... Well, rarely, to say the least.. It is also a slow process. Do you know how inefficient it would be to have to place 10,000 phone calls and hope you don't get the same rep in the process who would be like "hey didn't you just call 30 minutes ago?" Do you also know how absolutely unequivocably trivial it would be for Microsoft to identify and put a stop to this if it was in fact the problem?
This is like clinging to the idea that that TV in your living room that is flickering and all your friends say is broken is actually fine, but you're rapidly being sent back and forth between a different dimension where things look slightly distored, so you end up with a flicker effect, as opposed to simply just saying the damn thing is broken.
I mean yea, it's theoretically possible by the laws of the universe that this is what's happening, but if so then go buy a mega millions ticket because the random number generator used by Mother Nature is going absolutely insane.