The Director of Policy and Enforcement for Xbox LIVE, Stephen Toulouse, had his Xbox LIVE account hijacked yesterday. The attacker purportedly used social engineering to convince Network Solutions to transfer DNS control of Toulouse’s stepto.com domain name, allowing the attacker to receive any email sent to that domain. The attacker most likely used this to reset Toulouse’s Xbox LIVE password and gain unauthorised access to his account, where he goes by the gamertag of Stepto.
The excited attacker subsequently uploaded footage of the hijack to YouTube, in which he changes Stepto’s motto from “Behave” to “Jacked by Predator”. The attacker also advertised his account hijacking services in Stepto’s bio, offering his AOL Instant Messenger contact details and payment methods. In his description of the video, Predator proudly boasts “ANY ACCOUNT $100 – $250 PayPal or AlertPay!!”.
Predator revealed that the attack was carried out in revenge for being banned from using Xbox LIVE. During the video, he appears to hold Stephen Toulouse personally responsible for this: “Stepto, this is for console banning me over 35 times. You had it coming, man. Like, I’m tired of getting the console ban; now let’s see what I can do to your account.”
Proud of hijacking the Director’s account, Predator ends his video’s description with “I rest my name as Xbox Live’s greatest account jacker.”
Predator later uploaded a second video, noting that Stepto’s account had been locked out. Toulouse regained control of his email and his domain’s nameserver settings several hours after the attack, and his Xbox LIVE profile now looks to be restored.