Kevin Finisterre is a security researcher. In March of 2007 he called 1-800-4MY-XBOX. Not to steal anything. To document what was possible. His girlfriend's account had already been taken. He had spent months watching forum posts from other victims pile up with no response from Microsoft. So he picked up the phone, walked through the same support process Clan Infamous had been exploiting for months, and wrote down exactly what he found. Then he published it on the Bugtraq security mailing list. What you are about to hear is what that call sounded like.
Xbox Live launched in 2002. By 2007 it had over eight million subscribers. Microsoft called it the future of gaming. The welcome screen said, and this is a direct quote, that Xbox Live uses security technology to help safeguard your information.
That was not accurate.
What was actually happening in March of 2007 was that a group of teenagers operating under the name Clan Infamous had figured out something that no security certification, no vendor audit, and no policy document was going to catch. They figured out that the weakest link in the entire Xbox Live security chain was a phone number. Specifically, 1-800-4MY-XBOX.
Who Was Clan Infamous
They billed themselves as the best account stealing and boosting clan in Halo 2. That is not my characterization. That is how they described themselves on their own homepage. They were organized. They had a methodology. And they were stealing at least ten accounts a day.
Think about that for a second. Ten accounts a day. Every day. From a support line that Microsoft was running out of Redmond.
The targets were competitive players. People with high-ranked gamertags in Halo 2. The kind of accounts worth something in the underground economy of 2007, where a gold-ranked gamertag could be sold, traded, or used to boost other players for money. The motivation was not purely financial. Some of it was status. Some of it was rivalry. All of it was made possible by a support process that had no real verification layer.
CALLER: "Yeah I got locked out, gamertag is XxSniperKingxX, I'm in Michigan..."
REP: "Okay, can I verify your billing zip code?"
CALLER: "[reads from notes compiled across prior calls]"
REP: "Alright, I'll send a password reset to the email on file."
The Method
Security researcher Kevin Finisterre documented this on the Bugtraq mailing list on March 19, 2007. He had been watching forum complaints pile up since August of 2006. His own girlfriend had her account stolen. He collected the evidence and published it because Microsoft had not acted.
The method Clan Infamous used was pretexting. You call the support line. You say you are the account owner. You have a problem. Maybe your console crashed. Maybe your sibling changed the password. Whatever story gets the rep engaged.
The rep has a verification checklist. Gamertag. Billing address. Zip code. Last four digits of the card on file. The rep needs enough of these to confirm your identity. The critical vulnerability was that no single call had to supply all of them. Each call gave you a little more. You hang up. You call back with a different rep. You bring slightly more information this time. You keep going.
Here is how Clan Infamous described their own process in their internal documentation, which Finisterre obtained and which The Register published:
You might get one little piece of information per call, but then you keep calling and keep calling, every time getting a little bit more information. Once you have enough information you can get the password and the Windows Live ID reset.
That is it. That is the whole technique. No malware. No packet sniffing. No SQL injection. A phone and patience.
The Support Line Could Not Protect Itself
Microsoft's Xbox Live support reps were doing their jobs. That matters. The problem was not incompetent reps. The problem was a verification protocol that had a fatal assumption baked into it: that the person calling was who they said they were, and that building a complete identity picture across multiple calls was not something an adversary would think to do.
It was absolutely something an adversary would think to do. The phone pretexting techniques Clan Infamous used had been documented in security literature going back years. HP had just gone through a massive public scandal in 2006 over pretexting used against its own board members. The technique was not new. The application of it to consumer gaming accounts was the only novel element.
Major Nelson, Microsoft's official Xbox Live blogger, posted two security updates in March 2007. On March 21st he wrote that Xbox Live was actively investigating all reports of fraudulent behavior and theft. On March 23rd he clarified that this was not a breach of Xbox Live systems. The security systems were working as designed. The human element was what failed.
That framing is worth sitting with. The security systems worked. The humans answering the phones could be socially engineered. Therefore it was not a security breach. By that logic, no social engineering attack is ever a security breach because the software did not fail. Only the people did.
When It Happened To The Face Of Xbox Live
Larry Hryb is Major Nelson. He was Microsoft's director of programming for Xbox Live and the public voice of the platform. He ran the Major Nelson podcast. He was the person Microsoft put in front of the community to talk about Xbox Live features, updates, and news. If Xbox Live had a face in 2006, it was his.
His account got suspended.

The message reads: "You have been suspended from communications on Xbox Live. You will not be able to communicate until 7/27/2006." This is the same system he was publicly evangelizing. The same verification process he was defending. And it was compromised in a way that took his account down publicly enough that a screenshot circulated.
Think about what that means. The person whose job it was to tell the world that Xbox Live was safe, that Xbox Live used security technology to help safeguard your information, had his own account suspended as a result of the exact threat vector Microsoft was simultaneously downplaying.
Microsoft's official posture in March 2007 was that this was not a breach of Xbox Live systems. The security systems were working as designed. Major Nelson's suspended account from July 2006 suggests the problem had a longer runway than the official response acknowledged.
The Network Layer
The phone-based account theft was not the only technical exploit running through this community. The same competitive Halo 2 players who were losing accounts to Clan Infamous were operating in a game where the network itself had been weaponized.
The technique was called Bridging Host. Halo 2 matched players peer-to-peer, with one player designated as host. The host had a latency advantage, timing control over the session, and in the hands of someone running modded code, the ability to manipulate the match in ways the other players could not see or counter. Getting that host slot was worth engineering for.
The stack required a Windows machine sitting between the Xbox and the router. Cain and Abel ran on that machine and sniffed the lobby traffic. Bungie's matchmaking servers had a known IP in 2006: 65.59.234.161. You marked that as trusted in your tool of choice. You identified your opponent's IP from the lobby traffic. You added it to the trusted zone the same way. ZoneAlarm Pro or CommView sat on top, selectively shaping which packets reached which player. Your Xbox looked clean to Bungie's servers. Your opponent's connection degraded on your schedule.
None of those tools were written for Halo 2. ZoneAlarm Pro was a commercial personal firewall product. Cain and Abel was a penetration testing tool used for ARP spoofing and credential auditing. CommView was a professional network analyzer. The gaming community found the application.
JuStCaLLMeGoD
One person in this ecosystem went further than the others.

This was the screen. Not a push notification. Not a phone call. Not an email warning with a link to reset your password. Just this, sitting on your television, the next time you tried to sign into Xbox Live. Your account had been recovered on a different console — which is the platform's way of saying someone had called 1-800-4MY-XBOX, walked a support rep through the same partial verification checklist Clan Infamous had been exploiting for months, and moved your account to hardware they controlled. The message at the bottom tells you what to do next: call 1-800-4MY-XBOX. The same number the attacker just used to take it.
JuStCaLLMeGoD was an account stealer. That part matched the pattern everyone else was running. What he did next did not. He flooded Major Nelson's DNS. Not through a support call. Not through social engineering. A straight packet flood, targeted at a named Microsoft employee, with a message that was not subtle about what it was: I'm gonna fry your DNS kid.
That was a different category of event. Teenagers losing their gamertags was one kind of problem. A Microsoft employee who ran the public face of Xbox Live having his connection knocked offline by a targeted DDoS was another kind entirely. Law enforcement got involved in a way it had not for the account theft. JuStCaLLMeGoD was raided and ultimately arrested in 2008.
The IP logging and packet manipulation techniques running through Halo 2 lobbies for years were used against a person Microsoft could not reclassify as just another user dispute. The framing that had worked in March 2007 — that this was not a breach of Xbox Live systems, that the security systems were working as designed — did not survive contact with a packet flood aimed at one of their own employees.
What It Cost Real People
The victims were not abstractions. Mr. Jokerz was a nineteen-year-old college student in Michigan. His account was stolen six times. Attackers charged several thousand dollars to the credit card attached to his account, buying Microsoft Points for resale. They also harvested his home address and phone number from the account profile. Then they called him. Over a hundred times.
His account was stolen six times. After the first time Microsoft helped him recover it. After the second. Eventually the answer started becoming that there was nothing to be done. The process that was supposed to protect him was the same process being used against him.
The account theft was not a victimless crime targeting corporations. It was targeting eighteen and nineteen year olds who had a credit card tied to a gaming account and who trusted that the company running the platform had thought through what happened when someone called in pretending to be them.
Full Disclosure Did What Microsoft Did Not
By April 2008 the issue had made it to the Full Disclosure mailing list, which documented a phishing site designed to harvest Xbox Live credentials directly. Same account, same pattern, different delivery mechanism. Fake Xbox sites, stolen credentials, credit card fraud.
Microsoft eventually tightened the account recovery process. They added more verification steps. They made it harder to reset credentials over the phone without additional out-of-band confirmation. The specific pretexting window that Clan Infamous exploited was eventually closed.
But it took public disclosure on security mailing lists to make that happen. Kevin Finisterre published his findings because he had watched months of complaints go nowhere. The Register covered it. ZDNet covered it. The coverage forced a response that private reports had not produced.
That is a pattern worth recognizing. Not because Microsoft is uniquely bad but because it is typical. Security improvements in consumer products follow public embarrassment with a reliability that internal audit processes do not match.
What This Was, Plainly
The welcome screen on Xbox Live told you that Xbox Live uses security technology to help safeguard your information. That was true in a narrow technical sense. The servers were not breached. The encryption was not broken. The database was not dumped.
What was not true was the implied promise that your account was safe. Because the security technology protecting the account could be completely bypassed by calling a phone number and being patient. No technical sophistication required. No tools. No exploits. Just social engineering at scale, run by a gaming clan that documented their process and shared it internally.
The future of gaming had an 800 number you could call and talk your way through.
Sources: Kevin Finisterre, Bugtraq mailing list, March 19, 2007. Major Nelson blog, March 21 and March 23, 2007. The Register, March 23, 2007. Full Disclosure mailing list, April 2008. Michael Mendy, "TCP's Evolution: From Secure Networks to Gaming Exploits in Halo 2."
