Coveted $50,000 Twitter username swiped in tale of woe
Naoki Hiroshima talks of how security practices at PayPal and GoDaddy led to him losing his coveted Twitter handle.
N Methods CEO Naoki Hiroshima, who once owned the Twitter handle @N and had been offered as much as $50,000 for it, has lost his coveted username to an unidentified hacker.
The trouble started last week when Hiroshima, who is also head of mobile at Lark Technologies, was unable to log in to his GoDaddy account, which houses both his domain names and vanity e-mail address. Soon after, Hiroshima called GoDaddy to find out why he couldn't log in and was asked to verify his account. He couldn't.
It wasn't long before Hiroshima received an e-mail from a hacker who said that he had accessed Hiroshima's GoDaddy account and changed all of the personal information so it was inaccessible to him. The attacker also said he wanted full control over the @N Twitter username.
"I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact," the attacker reportedly wrote to Hiroshima. "Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?"
As time went on and the communications became clearer, Hiroshima realized he had no choice but to hand over his handle or face losing his domains and all other Web sites. Upon making the trade (and creating his new Twitter username, @N_is_Stolen), Hiroshima was given back his GoDaddy account. The hacker also provided tips on how to secure it.
More interestingly, the attacker explained how he had accessed the account. He claims that he called PayPal to "obtain the last four [digits] of our card." From there, the person called GoDaddy and was allowed to guess numerous times at the last four digits of the card on file to "verify" that he had access to the account.
"It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," Hiroshima said in a blog post on Wednesday.
The attacker then provided Hiroshima with some tips on overcoming such issues in the future, including not using vanity URLs for e-mail addresses on certain sites and not allowing call agents to share information with just anyone on the phone.
"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person," Hiroshima wrote. "Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card."
Update 1:31 p.m. PT: PayPal said emphatically in a blog post Wednesday afternoon that it did not divulge any of Hiroshima's credit card details or any personal or financial information related to his account, and that his PayPal account "was not compromised."
"Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post," PayPal said. "We are personally reaching out to the customer to see if we can assist him in any way."