Naoki Hiroshima had owned a rare Twitter account for around seven years. It was one that someone allegedly wanted to purchase for $50,000. Despite numerous attempts by attackers to steal his @N handle over the years, Hiroshima had managed to prevent anyone from gaining access to the account. That was until just over a week ago. "While eating lunch on January 20th, 2014, I received a text message from PayPal for a one-time validation code," explains Hiroshima. "Somebody was trying to steal my PayPal account. I ignored it and continued eating." That was the first sign of what would become a painful experience.
While the attacker didn’t gain access to Hiroshima’s PayPal account directly, they did manage to pose as a PayPal employee and convince the payments firm to release the last four digits of Hiroshima’s credit card over the phone. Those numbers are usually fairly useless on their own, but the attacker then used them as verification on the phone to GoDaddy. Hiroshima uses GoDaddy to host his own domain and email accounts, so the attacker assumed control over the domain and was able to access Hiroshima’s email address. "It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," says Hiroshima.
The rare @N Twitter account was the focus of the attack
Hiroshima realized quickly that his @N Twitter account was the focus of the attack, and managed to change the email address associated with the account before the attacker changed the DNS entries for his domain name. But the damage was already done. The attacker compromised Hiroshima’s Facebook account, but failed to gain access to the @N Twitter handle due to the stealthy email swap. With full control over all of Hiroshima’s GoDaddy domains, and the domain registrar refusing to assist because the registrant information had all been swapped, Hiroshima was stuck. "I would also like to inform you that your GoDaddy domains are in my possession," reads an email from the attacker to Hiroshima, with a menacing threat that they could be repossessed by GoDaddy and "never seen again."
Faced with the prospect of losing all his domains, and the history of a similar attack on Wired reporter Mat Honan, Hiroshima gave in to the extortion and provided the @N login details in exchange for his GoDaddy account. The attacker then detailed his methods over email, and quickly assumed control of the Twitter account.
It’s another worrisome case of how hackers can easily breach services with small amounts of personal details to obtain desirable Twitter handles. Hiroshima warns others not to let companies like PayPal or GoDaddy store your credit card information. "I just removed mine. I’ll also be leaving GoDaddy and PayPal as soon as possible." We’ve reached out to Twitter to see whether the company is helping Hiroshima regain access to his @N account, and we’ll update you accordingly.
Update: Paypal has released a brief statement relating to this hack on Twitter, saying that "our investigation confirmed PayPal did NOT disclose any credit card details. More info soon." This would be in direct conflict to the original story posted by Hiroshima which said that Paypal released the last four digits of his credit card to hackers, allowing them to gain access to his GoDaddy account. We'll be keeping an eye to see what else Paypal has to say about its involvement in this hack.
Update 2: Twitter says it's "investigating the report," but a spokesperson notes the company doesn't comment on individual accounts.
Re: this incident http://t.co/bOiuzqvFep, our investigation confirmed PayPal did NOT disclose any credit card details. More info soon.
— Ask PayPal (@AskPayPal) January 29, 2014