Naoki Hiroshima recently published a distressing account of how he lost his desirable @N Twitter username to a hacker. But part of his story accuses PayPal of giving the last four digits of Hiroshima's credit card number to the perpetrator. "I called PayPal and used some very simple engineering tactics to obtain the last four of your card," the hacker reportedly revealed in an email — after Hiroshima had agreed to give up his Twitter account. "I was acting as an employee," he said. This first step was key in the sequence of events, but now PayPal is denying that it released any information on Hiroshima. After first denying the accusation via Twitter, the company has now issued an official statement.
"We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal," the company says. But it steadfastly denies that any credit card details were given out. "Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post." PayPal says it is reaching out to Hiroshima directly to see whether it can assist him in any way. Twitter has already said it is investigating the report, so Hiroshima may eventually regain access to the @N account after the ordeal.
Update: In a statement to TechCrunch, GoDaddy — which was also used as part of the attack — says that the hacker already had a "large portion" of the information the company typically requires to gain access to accounts. However, the company also admitted that social engineering played a role in the hacker gathering enough additional personal information to gain control of Hiroshima's accounts:
Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers.
The company is also reportedly changing how its employees are trained to fend off similar efforts.