Updated: Man Has $50,000 Twitter Stolen, Blames GoDaddy, PayPal

Steven Bogos

The Taco Man
Jan 17, 2013


Naoki Hiroshima was extorted into giving up his incredibly rare "@N" Twitter handle.

Update: PayPal has issued an official statement [https://www.paypal-forward.com/leadership/paypal-takes-your-security-seriously/] claiming that, contrary to Hiroshima's claims, PayPal did not divulge credit card information to his hacker. They did acknowledge that there was a hacking attempt on his account, but assured us that "Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post."

In this case, it looks like it's PayPal's word against the word of Hiroshima's hacker, and considering the former has much more of a reason to lie, I know which one I'm more inclined to believe.

Source: PayPal [https://www.paypal-forward.com/leadership/paypal-takes-your-security-seriously/]

Original Story:

Naoki Hiroshima is a blogger who, until very recently, owned the very rare one-letter "@N" Twitter handle. The handle, which he had been offered up to $50,000 for in the past, was stolen after hackers abused security flaws in web hosting service GoDaddy and online payment gateway PayPal to take control of Hiroshima's accounts and extort him.

Hiroshima says that while hacking attempts on his rare username were something he deals with on a regular basis, this time it was different. By the time he had realized he had lost access to his GoDaddy account, and by association his email, his attacker had already changed all of the account's information, including the credit card info. He had no way to prove to GoDaddy that he was the legitimate owner of the account.

Luckily, Hiroshima was able to change the email associated with his Twitter account just in time to stop the hacker from gaining access, but that's when the extortion started. When the hacker realized he couldn't access the Twitter account's email, he contacted Hiroshima, threatening to bring down all of his GoDaddy domains unless he released the @N handle.

Hiroshima, rather than risk losing his domains, released the username, and the hacker, true to his word, restored Hiroshima's access to his GoDaddy account.

But it's what happened next that is the most interesting part. Hiroshima asked the hacker how he was able to gain such absolute control over his accounts so quickly, and the hacker obliged.

"I called PayPal and used some very simple engineering tactics to obtain the last four [digits] of your [credit] card," said the hacker. "I called GoDaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case)."

You read right - PayPal simply told the hacker the last four digits of Hiroshima's credit card because he was "acting as an employee," and then GoDaddy proceeded to let him "guess" the card's first two digits.

In conclusion, both Hiroshima and his hacker urge us not to let companies like PayPal and GoDaddy store credit card information, and to have different email addresses associated with different accounts.

Source: The Next Web [http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tKs76]

 

Saulkar

Regular Member
Legacy
Aug 25, 2010
This whole event sounds strange. I wonder if the hacker did this simply to get the handle or whether he wanted to create such a stir that the problem would be forced into the public spotlight, putting companies under pressure to deal with it.
 

Galen Marek

New member
Dec 5, 2011
Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.
 

Saulkar

Regular Member
Legacy
Aug 25, 2010
Kheapathic said:
Either way, wouldn't mind taking a baseball bat to the groin of these kind of people.
Would a hockey or lacrosse stick do? I am pretty sure Canada has a stand your ground law when it comes to defending yourself from cyber-threats with national sports equipment.
 

moggett88

New member
May 2, 2013
Galen Marek said:
Or alternatively, have nothing of value.
Hasn't failed me so far.
My thoughts when I read this - "lucky my life is worth about half a bag of crisps, cos I don't have the energy to guard against hackers".

Hopefully this becomes a big enough thing that Paypal is forced to take notice and shut their gaping (security) holes, because it's convenient and I plan to keep using it (even if that's dumb).
 

O maestre

New member
Nov 19, 2008
Galen Marek said:
Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.
Aren't you alarmed how he got his credit card information so easily?

I don't know much about this blogger, but if his income is based on working with the web, then all of a sudden a Twitter profile is part of his livelihood.

OT: I was on the verge of getting a PayPal account but I am so glad I didn't after reading how inept their security is.

Mind you that as far as the article goes very little hacking was done, instead the security flaws lie with the customer support.
 

Infernal Lawyer

New member
Jan 28, 2013
Okay, I'm going to have to consider stopping using Paypal if they're really that careless. Seriously, all you have to do is pretend to be an employee? That's fucked up.
 

Cid Silverwing

Paladin of The Light
Jul 27, 2008
As if PayPal's liberal seizure of people's accounts at their own discretion wasn't fraudulent business enough, now they're falling for anyone posing as an employee.

Fuck PayPal.
 

Riotguards

New member
Feb 1, 2013
They do realise that the Twitter name is practically worthless considering it has been stolen.

Anyone buying it would be extremely stupid.
 

Flatfrog

New member
Dec 29, 2010
Galen Marek said:
Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.
Especially because you couldn't use it without people knowing you're an extortioning fuckwit hacker.
 

EHKOS

Madness to my Methods
Feb 28, 2010
Mitnick did the same thing. Social engineering is a *****. If you want to know more about how hackers usually manipulate companies, read Ghost in the Wires.
 

antidonkey

New member
Dec 10, 2009
Not really a hack but more social engineering. I fail to understand why anyone would care this much about a twitter handle. It's a twitter handle FFS!
 

Hagi

New member
Apr 10, 2011
I do hope two people lose their jobs as a result of this at PayPal and GoDaddy. Because that's just utterly incompetent.
 

oldtaku

New member
Jan 7, 2011
Apparently this has to be said again...

Never use GoDaddy. Not Even Once. They're the Comcast of registrars.
 

Sixcess

New member
Feb 27, 2010
Steve the Pocket said:
Just goes to show, you can have the most secure system in the world, but you can't make people hack-proof.
Because people don't want to be hack proof. Well, they do... but only up to the point where it becomes remotely inconvenient for them.

I've worked in customer service positions where every single day some customer would start bitching about having to answer basic security questions... and that was when it wasn't someone who wasn't even named on the account looking for access on the grounds that "I'm his wife/husband/son/daughter/secretary/personal assistant..." I've worked in a position where every customer had a password that they set themselves and at a guess from my experience I'd say over half of those people didn't even TRY to remember that password because fuck it, they can answer some other basic, easily discoverable 'security' questions anyway.

How do these people react when someone tells them they can't get this information? Do they recognise that these processes are in place for their protection? Do they fuck. They go nuts and start demanding to speak to a manager because god forbid they should have to look up some of their own personal information or get the right person to make the call.

DPA is not followed as strictly as it should be... because customers simply do not want it to be followed to the letter, so the people enforcing these processes are accustomed to being pressured to ignore those processes by the very people they are in place to protect.

In theory everyone wants perfect security. In practice it's too much inconvenience. At least until it turns around and bites them in the ass.
 

Sigmund Av Volsung

Hella noided
Dec 11, 2009
Oh wow, what a time we live in where this can just happen.

And people wonder why universal passwords/emails/credit cards are a bad idea.