Updated: Man Has $50,000 Twitter Stolen, Blames GoDaddy, PayPal

Naoki Hiroshima was extorted into giving up his incredibly rare "@N" Twitter handle.

Update: PayPal has issued an official statement claiming that, contrary to Hiroshima's account, PayPal did not divulge credit card information to his hacker. The company did acknowledge that there was a hacking attempt on his account, but assured us that "Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post."

In this case, it looks like it's PayPal's word against the word of Hiroshima's hacker, and considering the former has much more of a reason to lie, I know which one I'm more inclined to believe.

Source: PayPal

Original Story:

Naoki Hiroshima is a blogger who, until very recently, owned the rare one-letter "@N" Twitter handle. The handle, for which he had been offered up to $50,000 in the past, was stolen after a hacker abused weak customer-support verification at web hosting service GoDaddy and online payment gateway PayPal to take control of Hiroshima's accounts and extort him.

Hiroshima says that while attempts to hijack his rare username were something he dealt with regularly, this time was different. By the time he realized he had lost access to his GoDaddy account, and with it his email, the attacker had already changed all of the account's information, including the credit card details. He had no way to prove to GoDaddy that he was the legitimate owner of the account.

Luckily, Hiroshima was able to change the email address associated with his Twitter account just in time to stop the hacker from gaining access, but that is when the extortion started. When the hacker realized he could not get into the email address tied to the Twitter account, he contacted Hiroshima and threatened to take down all of his GoDaddy domains unless he released the @N handle.

Hiroshima, rather than risk losing his domains, gave up the username, and the hacker, true to his word, restored Hiroshima's access to his GoDaddy account.

But what happened next is the most interesting part. Hiroshima asked the hacker how he had gained such complete control over his accounts so quickly, and the hacker obliged.

"I called PayPal and used some very simple engineering tactics to obtain the last four [digits] of your [credit] card," said the hacker. "I called GoDaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case)."

You read that right: PayPal simply told the hacker the last four digits of Hiroshima's credit card because he claimed to be "acting as an employee," and GoDaddy then let him "guess" the card's first two digits, accepting one attempt after another. The last four digits of a card are printed on receipts and held by every merchant that stores the card, so they are not a secret; treating them as proof of identity, and then letting a caller cycle through the remaining digits with no lockout, turns the check into a short brute-force.
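As an added illustration (not code from the article, and not PayPal's or GoDaddy's own systems), the following Python models the two-step failure the hacker describes: the last four digits leak from one company, and a second company accepts them as identification and then lets the caller keep guessing the leading digits. `verify_weak` is the agent who keeps accepting guesses; `verify_hardened` is an assumed fix that counts failures and locks the account after a small number of them. The card number, the three-attempt lockout and the attacker walking every prefix from 00 to 99 (the article reports the agent offering a range of 00-09) are assumptions, and the sample card is constructed.

```python
# Added example, not code from the article or from PayPal/GoDaddy.
# Models the verification flaw the hacker describes: one company leaks the
# last four digits of a card, another accepts those digits as proof of
# identity and then lets the caller guess the leading digits one at a time.
# Lockout threshold, search range and the sample card are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MAX_ATTEMPTS = 3  # assumed lockout threshold for the hardened check


@dataclass
class Account:
    card_number: str          # full card number on file (constructed sample, not a real card)
    failed_attempts: int = 0
    locked: bool = False


def verify_weak(acct: Account, first_two: str, last_four: str) -> bool:
    """Knowledge check with no attempt counter: a wrong guess costs the caller nothing."""
    pan = acct.card_number
    return pan[:2] == first_two and pan[-4:] == last_four


def verify_hardened(acct: Account, first_two: str, last_four: str) -> bool:
    """Same comparison, but failures are counted and the account locks.

    A locked account always answers False, even to a correct guess; a real
    desk would then escalate to a stronger proof of ownership instead of
    continuing to compare digits over the phone.
    """
    if acct.locked:
        return False
    pan = acct.card_number
    if pan[:2] == first_two and pan[-4:] == last_four:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
    return False


Verifier = Callable[[Account, str, str], bool]


def attacker(verify: Verifier, acct: Account, last_four: str) -> Tuple[int, Optional[str]]:
    """Replay the hacker's move: hold the leaked last four fixed and walk every
    two-digit prefix 00..99 until the desk says yes or the account locks.
    Returns (attempts made, prefix found or None)."""
    for n in range(100):
        guess = f"{n:02d}"
        if verify(acct, guess, last_four):
            return n + 1, guess
        if acct.locked:
            return n + 1, None
    return 100, None


if __name__ == "__main__":
    # Constructed sample card; "7890" plays the role of the digits PayPal gave up.
    leaked_last_four = "7890"
    print(attacker(verify_weak, Account("5312000000007890"), leaked_last_four))
    # -> (54, '53'): found within 100 calls, no alarm raised
    print(attacker(verify_hardened, Account("5312000000007890"), leaked_last_four))
    # -> (3, None): locked on the third wrong guess
```

The weak check falls in at most 100 calls and raises no alarm, while the hardened one stops the same caller on the third wrong guess. Counting attempts is the narrowest fix; the broader point is that partial card digits are shared with many parties and should never be the only thing a support agent relies on.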

In conclusion, both Hiroshima and his hacker urge readers not to let companies like PayPal and GoDaddy store credit card information, and to use a different email address for each account, so that one compromised account cannot be used to reset the others.

Source: The Next Web

I had the same issue with PayPal giving out my last 4 digits like that, which is why I never use it for anything.

This whole event sounds strange. I wonder if the hacker did this simply to get the handle or whether he wanted to create such a stir that the problem would be forced into the public spotlight, putting companies under pressure to deal with it.

Saulkar:
This whole event sounds strange. I wonder if the hacker did this simply to get the handle or whether he wanted to create such a stir that the problem would be forced into the public spotlight, putting companies under pressure to deal with it.

It could be similar to the Mat fiasco that happened a year or so back, which apparently was just two assholes wanting to cause problems. They claim it was to show vulnerabilities to help people, but torching someone's online profile isn't help. Because what they did wasn't hacking, just social engineering.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Or it could just be another asshole who wants to have a one letter twitter account. Either way, wouldn't mind taking a baseball bat to the groin of these kind of people.

Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.

Kheapathic:
Either way, wouldn't mind taking a baseball bat to the groin of these kind of people.

Would a hockey or lacrosse stick do? I am pretty sure Canada has a stand your ground law when it comes to defending yourself from cyber-threats with national sports equipment.

Galen Marek:
Or alternatively, have nothing of value.
Hasn't failed me so far.

My thoughts when I read this - "lucky my life is worth about half a bag of crisps, cos I don't have the energy to guard against hackers".

Hopefully this becomes a big enough thing that Paypal is forced to take notice and shut their gaping (security) holes, because it's convenient and I plan to keep using it (even if that's dumb).

Galen Marek:
Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.

Aren't you alarmed how he got his credit card information so easily?

I don't know much about this blogger, but if his income is based on working with the web, then all of a sudden a Twitter profile is part of his livelihood.

OT: I was on the verge of getting a PayPal account but I am so glad I didn't after reading how inept their security is.

Mind you that as far as the article goes very little hacking was done, instead the security flaws lie with the customer support.

Okay, I'm going to have to consider stopping using Paypal if they're really that careless. Seriously, all you have to do is pretend to be an employee? That's fucked up.

As if PayPal's liberal seizure of people's accounts at their own discretion wasn't fraudulent business enough, now they're falling for anyone posing as an employee.

Fuck PayPal.

They do realise that the Twitter name is practically worthless, considering it has been stolen.

Anyone buying it would be extremely stupid.

Galen Marek:
Or alternatively, have nothing of value.
Hasn't failed me so far.

I don't get all the fuss over a twitter account. Sure having a single letter Twitter account would be neat, but, all that effort for it? I don't understand.

Especially because you couldn't use it without people knowing you're an extortioning fuckwit hacker.

And thusly another reason to add to the "Why I don't use social sites or PayPal" list.

Mitnick did the same thing. Social engineering is a bitch. If you want to know more about how hackers usually manipulate companies, read Ghost in the Wires.

Not really a hack but more social engineering. I fail to understand why anyone would care this much about a twitter handle. It's a twitter handle FFS!

I do hope two people lose their jobs as a result of this at PayPal and GoDaddy. Because that's just utterly incompetent.

Apparently this has to be said again...

Never use GoDaddy. Not Even Once. They're the Comcast of registrars.

Just goes to show, you can have the most secure system in the world, but you can't make people hack-proof.

Steve the Pocket:
Just goes to show, you can have the most secure system in the world, but you can't make people hack-proof.

Because people don't want to be hack proof. Well, they do... but only up to the point where it becomes remotely inconvenient for them.

I've worked in customer service positions where every single day some customer would start bitching about having to answer basic security questions... and that was when it wasn't someone who wasn't even named on the account looking for access on the grounds that "I'm his wife/husband/son/daughter/secretary/personal assistant..." I've worked in a position where every customer had a password that they set themselves and at a guess from my experience I'd say over half of those people didn't even TRY to remember that password because fuck it, they can answer some other basic, easily discoverable 'security' questions anyway.

How do these people react when someone tells them they can't get this information? Do they recognise that these processes are in place for their protection? Do they fuck. They go nuts and start demanding to speak to a manager because god forbid they should have to look up some of their own personal information or get the right person to make the call.

DPA is not followed as strictly as it should be... because customers simply do not want it to be followed to the letter, so the people enforcing these processes are accustomed to being pressured to ignore those processes by the very people they are in place to protect.

In theory everyone wants perfect security. In practice it's too much inconvenience. At least until it turns around and bites them in the ass.

Oh wow, what a time we live in where this can just happen.

And people wonder why universal passwords/emails/credit cards are a bad idea.

As much as I hate paypal, I notice very few people seem to be blaming GoDaddy for this as well. I've heard more than a few horror-stories about GoDaddy from people I trust, apparently they are just dreadful.

antidonkey:
Not really a hack but more social engineering. I fail to understand why anyone would care this much about a twitter handle. It's a twitter handle FFS!

Social Engineering = Hacking. It's one of the oldest forms, and it relies on human idiocy rather than brute forcing a server or trying to inject some faulty code somewhere. You are, after all, deceiving a system or group of systems in order to access information that you otherwise wouldn't have access to, without the person knowing until afterwards.

And re-read the article again. If you're so unwilling to remember, people have fired/quit their jobs simply because of something said over twitter. Entire fanbases have been worked into a rage because of a post on twitter. Anything that can be used as a public face for you has a worth, and for those who rely on the internet as a source of income it's nigh-essential to have one. So there is plenty of reason to care.

Plus, if you hadn't noticed, he relinquished the twitter handle in favor of keeping his much more necessary, much more important website domains. So while he cares about his handle, he was much more caring and protective of his domains that he uses.

This sounds exactly like the kind of incompetent shit PayPal would do.

This sounds almost exactly like what happened to Mat Honan (of Wired Magazine) a year and a half ago. It was Apple rather than PayPal, but the basic hack was almost identical. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

I registered a PayPal account yesterday (because apparently Bundle Stars accepts no other method and I'm sure as hell not going to use Google Wallet), and now this story. I feel strange now. I need an adult.

Well who has it now? Shouldn't that be helpful in this case?

I use Paypal. And this is fucking ridiculous. What's wrong with the handle "NN"?

There was a hacking attempt, but they did not divulge information, meaning yes, some info was stolen, but not willingly.
