Softpedia
 


April 4th, 2011, 14:38 GMT · By

Xbox LIVE Policy Director Has Online Accounts Hijacked

Stephen Toulouse's Xbox LIVE account hijacked
A disgruntled gamer has managed to hijack the domain, email and Xbox accounts of Stephen Toulouse, Microsoft's director of policy and enforcement for Xbox LIVE.

It seems it all started with a social engineering attack against Network Solutions, the registrar used by Toulouse for his stepto.com domain.

The Xbox official confirmed the successful attack on Twitter by writing: "Sigh. please be warned. Network solutions has apparently transferred control of Stepto.com to an attacker and will not let me recover it."

With control over the domain, the hacker managed to obtain access to Toulouse's personal @stepto.com email address and used it to reset the password for his Xbox LIVE account.

The attacker, who calls himself Predator, posted a video (strong language) of him controlling the account on YouTube. Apparently, he was annoyed with Toulouse for repeatedly banning him.

As director of policy and enforcement for Xbox LIVE, Toulouse is responsible for banning people who try to cheat the system.

The hacker offered to hijack other people's accounts for $250; however, he doesn't seem to be very good at covering his tracks.

Domain hijacking incidents are not uncommon. In fact, their number appears to have increased during the past two years, especially those involving high-profile websites.

There are several methods of carrying out such attacks, the most common being the impersonation of the domain owner.

In theory, this shouldn't happen, because large domain registrars have security checks in place for procedures that deal with changing ownership or recovering control of a domain.

However, it only takes one poorly trained employee for this system to break down. For example, Baidu, the company operating the largest Chinese search engine, sued Register.com for gross negligence after one of its staff handed over control of Baidu.com to a hacker.

The attacker failed to produce valid answers for the identity verification checks and used a suspiciously named @yahoo.com email address as the new contact for the domain, something that should immediately have raised red flags.
