Microsoft's Major Nelson has stated that they've looked into it and found no evidence of hacking being successful against their Xbox Live service:
As he puts it - it doesn't get much clearer than that. So what are these "isolated incidents"? Apparently some social engineering:
Finisterre did not put much store in the threat until the next day, when he found his girlfriend's account--which he had been using the day before--kicked off the system with a message that someone else was using her gamer tag on Microsoft's service, Xbox Live. Finisterre confirmed that he could no longer log onto the service, and a message on the Account Management page indicated that the account had been suspended.
After more than a half dozen calls to the support staff of Xbox Live, which Halo 2 uses to authenticate players, the status of the account is still in limbo.
While Nelson warns players against giving out personal information, the problem Security Focus describes is with Microsoft support. Clan Infamous claims to document ways to call support, pretend to be a player and get account information (aka pretexting). Then people can essentially go joy-riding online.
This isn't the worst security problem to have, even if it's a little embarrassing. It doesn't require a firmware upgrade or anything - just better training for some staff and more draconian measures when it comes to offering up account information.