Hacked: Xbox LIVE Banhammer Stepto Gets Jacked

A hacker social engineered his way into taking over the Xbox LIVE account and the website of Stephen "Stepto" Toulouse, the policy enforcer and ultimate banhammer for Xbox LIVE.

What happens after being banned 35 times from Xbox LIVE? Well, in one case of "payback" this weekend, a hacker social engineered his way into taking over the Xbox LIVE account and the website of Stephen "Stepto" Toulouse, the top cop and ultimate banhammer for Xbox LIVE. According to RipTen, Stepto "doesn't have as much control and power over the infamous ban-hammer as he would like."

Stepto is the Director of Policy and Enforcement for Xbox LIVE, banning gamers for things such as playing pirated games and cheating. He makes comedy routines out of gamers' excuses and out of banning people for breaking the rules. After working for Microsoft for over 15 years, Toulouse wrote A Microsoft Life. The video below was when Stepto read from "The Book of Enforcement." You may chuckle, but most banned gamers probably don't.

In a 6:21 minute YouTube video (warning - peppered with cursing), the hacker showed that he social engineered Network Solutions to take over Stepto's email, reset the password, and get into Stepto's Xbox LIVE account. Then he changed Stepto's settings to say, "Jacked by Predator." He claimed to have attempted to contact Stepto on numerous occasions about a weakness in Xbox LIVE's security, stating, "Stepto, this is for console banning me over 35 times. You had it coming, man." There are several comments on the video suggesting this wasn't the smartest course of action and that Stepto may well be pressing charges against Predator soon.

Stepto's personal blog, stepto.com, was also compromised. Until it was fixed, he warned people not to send email as it was no longer private. The ultimate Xbox LIVE banhammer's Twitter account recorded some of the events as the tweets below indicate.

When it comes to this type of hack, social engineering, it doesn't matter how "secure" you are; it all comes down to how easily a third party that holds your accounts can be social engineered. Chris Hadnagy, author of Social Engineering: The Art of Human Hacking, has been trying to teach security through education for years on the site Social-Engineer.org, where there is also a ton of resources to learn how to social engineer.

Head-hacking seems to be one of the most lethal attack areas against corporate America. It also seems to go a bit unnoticed until panic sets in ahead of the upcoming DefCon social engineering contests. As the Social Engineer site notes, we are all social engineers to some degree. "Due to the mystery surrounding this dark art many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering."

While Stepto waited to regain control of his site, his email, and his Xbox LIVE account, he tweeted a little jab to Network Solutions, "I absolutely love that the @netsolcares twitter has not logged in in 11 hours. (need 24/7 help? we're here!)"

Being the banhammer probably doesn't make him the most loved soul in the gaming world, but the flipside is that Stephen "Stepto" Toulouse helps keep XBL clean. For now, things are back to normal for him.

A year ago, the Director of Programming for Microsoft's Xbox LIVE, Larry Hryb, known by his gamertag Major Nelson, had his Xbox Live profile hacked by "FearTM" who also uploaded a YouTube video of the hack.

Follow me on Twitter @PrivacyFanatic