Confessions Of A Teenage Xbox Hacker

In some ways Juvi is just an average 18-year-old. He speaks in short, brusque sentences. He works as an artist at a tattoo parlour. He was born in the UK, but he now shares a loft with his girlfriend in Spain. He spends a lot of time on the internet, and he sometimes says mean things to people online.

In other ways he's a little bit different: Juvi claims he's hacked into hundreds of accounts on Xbox Live, YouTube, AIM, PayPal and various other services over the past few years.

Juvi, who prefers to use that internet handle rather than his real name, uses what's called social engineering -- that is, phishing for information from customer support representatives -- to reset email addresses, change passwords and get into other people's personal accounts. He's done this for quite some time now, and he says he's made thousands of dollars doing it.

Juvi used to be able to get into just about any Xbox Live account -- and he can still get into some -- but he says Microsoft has clamped down on security for their gaming console in recent years. Other companies aren't quite as vigilant.

During a conversation on Skype earlier this week, Juvi let me listen in as he convinced a Netflix customer support representative to give him the password to someone else's account. It was frighteningly simple; all Juvi needed was the email address of his target -- easy to find on AIM, YouTube or any other social network -- and a full name, which anyone can get by entering an email into Spokeo, an online phone book.

Walking me through the process, Juvi pulled up an email address for an account he had previously stolen. He already knew the password, but he wanted to show me how easy it was to get it reset on Netflix. So without giving me any other info, he had me enter the email address on Spokeo. A few seconds later, I had the full name of the guy who owned the original account. That was all we needed. Juvi loaded up a conference call and dialled up customer support.

"Thank you for calling Netflix," said the representative. "What can I do for you today?"

"Um, I forgot the password for my Netflix account," Juvi said. "Is there anything you can help me- to reset it?"

"Yes I can," said the representative, asking for the email address. Juvi gave it to him.

"And who am I speaking with?" asked the representative. Juvi gave him the account owner's name.

"Give me one second here to plug in the information... I see you started an account in April of 2010 -- have you had an account since then?"

"No, I haven't -- I did create the account a long time ago," Juvi said.

"OK, so that was two years ago, correct?"

"Correct."

"OK, I was just making sure that you- that I didn't pull up the wrong account and that you may have another one that has more recent activity on it," the representative said.

"Yeah, OK," Juvi said.

"Give me one second here and I'll reset the password for you," the rep said. "Alright, sir, if you would just go to Netflix.com for me and click on 'Netflix sign-in' in the upper right-hand corner?"

"OK," Juvi said.

"Once you're there, you're set to log into your account," the rep said. "Put in the email address you gave me, and then your password will be 1-2-3-4-5 and let me know if that works for you."

"Yeah, that worked."

"OK then, so you're good to go," the rep said.

And that was that. I tried to log onto this Netflix account -- someone else's Netflix account -- with the new "12345" password. It worked. I started to feel supremely guilty, like I was entering someone's house without their permission and looking through their things. I quickly closed the browser.

"This account doesn't have a credit card added," Juvi told me, "but if it did, you could see the last four digits."

Scary stuff.

The Xbox Hacker

Three or four years ago, Juvi stumbled upon a website that had been defaced by some group of hackers. "Hacked by [some name]," it read. Juvi was immediately interested. He Googled the name and found a forum for people who like to do illicit things on the web. Posting a new thread to introduce himself, he asked where beginners should start off. A few people suggested keyloggers, devices that can track a target's keystrokes and keep a printed record of their passwords and credit card information.

"I just thought it was pretty cool," Juvi said. "I just thought that it seems pretty easy to get access to somebody's account, and when I started Xbox Live I would get host-booted offline, so I wanted to be the one to host-boot them back, like get revenge or whatever."

("Host-booting", a phrase first made popular by Halo 3 users, is slang for kicking someone off Xbox Live.)

STAY SECURE - There's no surefire way to stave off hackers, but here are tips for dodging some common hacking methods:

  • Use different email addresses for your social accounts and important services. Keep your Twitter email different from your PayPal email.
  • Two-step verification is your best friend.
  • Don't pick easy security questions. Make sure the answers to your security questions aren't Googlable.
  • Share as little information as possible on your accounts.
  • If someone calls you up and says they're from Microsoft, don't believe them.

Keyloggers weren't enough, though; in order to get into people's Xbox Live accounts, Juvi had to try different techniques. He'd guess people's security questions, many of which were mindbogglingly easy to answer. And he'd mine for details, either Googling or calling different customer support representatives and phishing for different bits of account info from each one.

"If you can find the name of somebody, you can find their email," Juvi said. "From their email you can see if it's connected to an Amazon account, PayPal maybe, even Netflix -- anything that stores credit card information. And then all you need is the last four digits."

Sometimes Juvi would set his sights on gamers. He'd call up Xbox customer support pretending to be a Microsoft employee, then say something like "Hi, I'm John Doe from Tier 3 and my Customer Care Framework has crashed. Could you help me pull out some information on this gamertag?"

With a name, email address, date of birth and the last four digits of their credit card, Juvi found it pretty easy to get into an Xbox account. That was all the information he needed in order to convince customer support to reset the email attached to someone's gamertag. Microsoft has tightened security since then, though.

"[Now] you need the last console that it was signed in on, the console ID, the serial ID," Juvi said, "and it takes one to three days for them to find out whether you've got access to the account or not. You used to be able to just do it in one phone call, like straight up."

These days, Juvi says he doesn't get into that many Xbox accounts. People are using other sorts of phishing techniques to get people's information, though: "You can get information on that person and call that phone pretending to be an Xbox employee, say that you need their information for something, say someone's been trying to access their account and you need to confirm that they're the owner.

"Basically all you need for that is the email and the secret question. You could reset the email, sign into the Xbox account -- if you were able to get the console ID and the serial number, you'd be able to sign into their account easily. That's pretty hard to do."

In fact, Juvi added, "you pretty much can't, unless you have access to their console or unless they tell you. Possibly some really, really dumb people -- you could get it out of them."

Victims Who Deserve It

In July, Juvi hacked the YouTube account for SteelSeries, a gaming accessory manufacturer that distributes headsets, keyboards, and mice. He deleted all of their videos and posted a couple of his own.

"It was actually really easy," Juvi said. He got the email address associated with the YouTube account, then went to to take a look. "I was gonna call up and get his email reset, but the secret question was like something really stupid, like 'when was Steelseries founded?' So I just googled it and it was right there."

(I reached out to SteelSeries to hear their side of the story, but as of press time, I haven't heard back.)

Juvi deleted all of SteelSeries's videos, some of which are still missing today. "I had it for three weeks before they could get it back," Juvi said, pride in his voice. "They couldn't do anything."

"Why target SteelSeries?" I asked.

"I don't like their headsets."

"You don't like their headsets?"

"I had one, I think it was a year ago, and it broke and they wouldn't give me a refund," Juvi said. "That simple."

I asked if they had any way of knowing that he did it for revenge. "Nope -- I was emailing them but they never responded."

Juvi also took over YouTube accounts for a dubstep artist named Caspa, a Kim Kardashian video page, and a wrestler named Raven. (The victims were all able to recover their accounts later.) He defaced a website called Forum Revolution because the guy who owned it scammed one of his friends for $100.

Juvi says he still "jacks" accounts on AOL Instant Messenger, particularly the ones with valuable, original handles. He says he's made thousands of dollars selling them on the internet. And he says he only takes the inactive ones -- in fact, Juvi says, he took an AIM account recently and its original owner messaged him, so he gave it right back.

So why did he break into those celebrity YouTube accounts?

"I dunno," Juvi said. "Just seemed fun."

The Arrest

Juvi says in late August, he was arrested and put in jail for three days. Although I've been able to verify the majority of his other claims, I could not completely confirm the veracity of the following story. Juvi sent over parts of a court document, but he did not want to share specifics about his name and location, so we could not verify this with a police department.

About two months ago, Juvi was asleep at his mom's house in Spain when he heard someone pounding at the door. He woke up, got dressed, and went downstairs. Policemen were standing there with an arrest warrant, ready to put him in cuffs and drag him to prison. Juvi was charged with "unauthorized access and DDOS," he says.

"I was kept in prison for three days," Juvi told me. "I was in court and then I was on bail and I went back to court and I got let off because they couldn't tie me to the alias of Juvi... I was using a VPN that they could get logs from, and so they logged it back to my IP address, but obviously a lot of people are connected to that VPN so that's not really solid proof."

A VPN, or a virtual private network, allows people to mask their info so their real IP addresses -- identification numbers assigned to every person's internet connection -- can't be found. If not for that VPN, if the cops did figure out that Juvi was Juvi, the hacker thinks he'd be in jail for a while.

"I was kinda scared 'cause I didn't know the outcome, I didn't know what evidence they had," Juvi said. "If they actually had my IP address -- my solid IP address, not the VPN -- that was pretty much...

"I always use a VPN and then I go on a Tor browser. They couldn't really track it connecting to websites or logging into the accounts."

I asked why he had to stay in jail for three days. Shouldn't he have been able to get out on bail? "I think I could've... but I dunno. My mum -- maybe she was punishing me.

"She was shocked," Juvi said. "But I was -- I'm 18. So I guess she just lets me get on with what I do."

Juvi says his parents have gotten used to his activities. They can't do much now that he's out on his own. And he says he's going to keep hacking, keep breaking into people's accounts. He's still snagging accounts and websites from enemies and people who piss off his friends. He's still defacing websites. Sometimes it's just for money. Other times it's just for "the lulz," as he put it in an email to me.

"I don't hack people's accounts as requests any longer," he said, "mostly because I'm not online as much as I was.

"But if someone was to f**k with my friends online then they would get what they deserve."


Comments

    "It was frighteningly simple; all Juvi needed was the email address of his target — easy to find on AIM, YouTube or any other social network — and a full name, which anyone can get by entering an email into Spokeo, an online phone book."

    This is precisely why I think Google's new plan to get everyone to use their real names on Youtube (forgetting the original push on Google+ for now) is so misguided.. we have usernames/handles for a reason and it's not just to be "cool".

      Yep I like the whole anonymity thing on the internet where I don't really wish to share my real name.

    This is why they should ban that hackers movie

      Haha yes! I am always also wary of people on rollerblades!

    that reference pic looks like a creeper...
    just sayin is all....

    and nobody can say anything negative about him on this article because he'll feel justified in targeting them.

    Could also be retitled "Confessions Of A Teenage Arsehole"

      Like last time I made a comment similar, only being honest about what I thought, on one of these articles and my Facebook account was hacked and redirected, like he says in the interview, he'd do it for LULZ
      Say goodbye to your "digital life" my friend

        Wow, you think of these people as gods of the Internet but really anybody can do this. Rocket is most likely safe because he doesn't have any info for him to get.

    Good story, really brings to light the other major part of hacking, the social engineering aspect. You can break all the systems you want but it's faster and a lot easier to trick people on the phone into giving you the information. A great read, thanks, Jason

    Fascinating article, and a frightening indictment on an unexpected fallibility of internet security: the human agency. A system is only as secure as its worst customer service rep.

    Granted people who have stupidly basic security on accounts are not helping themselves, but it frustrates me when people like "Juvi" don't understand how much they can be screwing over people, just for a cheap laugh.
    None the less, I appreciate the info in the article. A good reminder to check/update some of my accounts...

      I think you'll find a lot of them do understand how much they're screwing people over. They don't really care.

      i went through my important accounts a few weeks ago. got an alert from csidentity (the service that psn paid for us to have after the breach). scared the shit out of me. i logged in and all it said was, my email address had been compromised. i went through and changed the passwords on all my email addresses and banks plus anything that has my email as a login. i honestly thought my shit would be safe. my passwords are always pretty complex, not so far that i can't remember them, but pretty jumbled. and no 2 are the same. don't have a fb acct to leech my details from either.

    So, the average teenager is a tattoo artist that lives in Spain with their girlfriend?

    Huh

    If it were me, I would've asked him of his morality or whether he felt any remorse for what he did. Of course he may have done it for 'the lulz', but those 'lulz' are at the expense of people's dedication and work on their channels or accounts (companies, celebrities).
    You never know someone's truly unless you've been in their shoes.

    It's also shocking on how easy and simple it is to gain access to someone's account.
