How Hackers Held This Man's $50,000 Twitter Name For Ransom

Hackers claim they were able to obtain Naoki Hiroshima's credit card information from PayPal and GoDaddy—all in the name of snagging his Twitter username: @N.

Once upon a time, developer Naoki Hiroshima was lucky enough to score a coveted Twitter handle: @N. At one point he was offered $50,000 for it, but politely declined. Very recently, though, Hiroshima lost possession of @N; or rather, it was taken from him. And, harrowingly, how those events allegedly unfolded paints an alarming picture of some of the loopholes PayPal and GoDaddy use to safeguard ultra-sensitive user information.

Hiroshima details the specifics in a post on Medium, but the short story is that one day he received a message from GoDaddy that his account information had changed. In actuality, he hadn't touched a thing.

The representative asked me the last 6 digits of my credit card number as a method of verification. This didn't work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.

After being asked to jump through several, befuddling hoops, eventually it was revealed that Hiroshima's GoDaddy accounts—which he uses to run multiple websites—were being held hostage by an anonymous hacker (or hackers), who simply wanted the reins to his single-digit Twitter handle. The hacker told Hiroshima that he took control of his GoDaddy properties by…

  1. Calling a PayPal representative and pretending to be him. In doing this, he got PayPal to reveal the last four digits of Hiroshima's credit card.
  2. The hacker then called GoDaddy and told a representative that his credit card had been stolen. While he remembered the last four digits, he said he couldn't remember the whole string. He says the GoDaddy agent allegedly let him guess the first two digits, and, voilà: He was verified as Hiroshima.

Essentially, Hiroshima was forced to reluctantly hand over his Twitter handle to regain control of his websites. He currently goes by @N_is_stolen, and it is unclear if Twitter will help him regain control of his original account.

Greg Galant, CEO of Sawhorse Media, which runs Muck Rack and the Shorty Awards, is a proud member of Twitter’s first-name club. (He goes by @Gregory.) He gave Fast Company some unique insight into the semi-exclusive world of coveted Twitter handles.

"I get a ton of password reset requests, so I'd turned on two-step (authentication) on every service possible, including Twitter, a while ago," he tells Fast Company in an email. "Never a serious hack, thankfully."

I've been made some small offers but have yet to have a five or six figure offer, which is a little disheartening, but even if I did get an offer like that I wouldn't take it since it's against Twitter's TOS. Also as my business partner Lee @Semel likes to point out, even if you have an expensive item such as a Richard Mille watch (like Tom Perkins) other people can buy the exact same thing.

He adds: "Twitter handles are one of a kind."

Update 1/30/2014: Both PayPal and GoDaddy have released statements. PayPal claims a company employee did not divulge credit card details related to Hiroshima's account. Meanwhile, GoDaddy chief information security officer Todd Redfoot issued a statement to TheNextWeb that "the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy," and that a GoDaddy employee was "socially engineered... to provide the remaining information needed to access the customer account." Hiroshima tweeted that he still hasn't received help from Twitter.

[Image: Twitter]

Add New Comment

1 Comments