How Naoki Hiroshima’s $50,000 Twitter Username was Stolen
Developer loses @N Twitter account and domains held hostage after PayPal, GoDaddy scam
The following story is an important read for any business or brand. The vulnerability detailed below should be the impetus for a detailed discussion with your teams: are you vulnerable, how do you know whether you are protected, and what is your plan if you are compromised?
As detailed in a post on Medium, developer Naoki Hiroshima relates:
“I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.
While eating lunch on January 20, 2014, I received a text message from PayPal for a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.
Later in the day, I checked my email which uses my personal domain name (registered with GoDaddy) through Google Apps. I found the last message I had received was from GoDaddy with the subject “Account Settings Change Confirmation.” There was a good reason why that was the last one.”
Hiroshima then describes how he tried to log in to his GoDaddy account with no success. He called GoDaddy and explained the situation. The representative asked him for the last 6 digits of his credit card number as a method of verification. This didn’t work because the credit card information had already been changed by an attacker. In fact, all of his account information had been changed. He had no way to prove he was the real owner of the domain name.
The GoDaddy representative suggested that Hiroshima fill out a case report on GoDaddy’s website using his government identification. He did that and was told a response could take up to 48 hours. He expected that this would be sufficient to prove his identity and ownership of the account.
Hiroshima then details a nightmare experience:
Let The Extortion Begin
“Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.
I soon realized, based on my previous experiences being attacked, that my coveted Twitter username was the target. Strangely, someone I don’t know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless. The Twitter account email address was now one which the attacker could not access.
The attacker tried to reset my Twitter password several times and found he couldn’t receive any of the reset emails because it took time for the change of my domain’s MX record, which controls the email domain server. The attacker opened issue #16134409 at Twitter’s Zendesk support page.”
Twitter required the attacker to provide more information to proceed and the attacker gave up on this route.
I later learned that the attacker had compromised my Facebook account in order to bargain with me. I was horrified to learn what had happened when friends began asking me about strange behavior on my Facebook account.
I received an email from my attacker at last. The attacker attempted to extort me with the following message.
From: <[email protected]>; SOCIAL MEDIA KING
To: <*****@*****.***>; Naoki Hiroshima
Date: Mon, 20 Jan 2014 15:55:43 -0800
Subject: Hello.
I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:
I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?
Shortly thereafter, I received a response from GoDaddy.
From: [email protected]
To: <*****@*****.***>; Naoki Hiroshima
Date: Mon, 20 Jan 2014 17:49:41 -0800
Subject: Update [Incident ID: 21773161] — XXXXX.XXX
Unfortunately, Domain Services will not be able to assist you with your change request as you are not the current registrant of the domain name. As the registrar we can only make this type of change after verifying the consent of the registrant. You may wish to pursue one or more of the following options should you decide to pursue this matter further:
1. Visit http://who.godaddy.com/ to locate the Whois record for the domain name and resolve the issue with the registrant directly.
2. Go to http://www.icann.org/dndr/udrp/approved-providers.htm to find an ICANN approved arbitration provider.
3. Provide the following link to your legal counsel for information on submitting legal documents to GoDaddy: http://www.godaddy.com/agreements/showdoc.aspx?pageid=CIVIL_SUBPOENA
GoDaddy now considers this matter closed.
My claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it. I was infuriated that GoDaddy had put the burden on the true owner.
A coworker of mine was able to connect me to a GoDaddy executive. The executive attempted to get the security team involved, but nothing has happened. Perhaps because of the Martin Luther King Jr. holiday.
Then I received this follow-up from the attacker.
From: <[email protected]>; SOCIAL MEDIA KING
To: <*****@*****.***>; Naoki Hiroshima
Date: Mon, 20 Jan 2014 18:50:16 -0800
Subject: …hello
Are you going to swap the handle? the godaddy account is ready to go. Password changed and a neutral email is linked to it.
I asked a friend of mine at Twitter what the chances of recovering the Twitter account were if the attacker took ownership. I remembered what had happened to @mat and concluded that giving up the account right away would be the only way to avoid an irreversible disaster. So I told the attacker:
From: <*****@*****.***>; Naoki Hiroshima
To: <[email protected]>; SOCIAL MEDIA KING
Date: Mon, 20 Jan 2014 19:41:17 -0800
Subject: Re: …hello
I released @N. Take it right away.
I changed my username @N to @N_is_stolen for the first time since I registered it in early 2007. Goodbye to my problematic username, for now.
I received this response.
From: <[email protected]>; SOCIAL MEDIA KING
To: <*****@*****.***>; Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:44:02 -0800
Subject: RE: …hello
Thank you very much, your godaddy password is: ——————
if you’d like I can go into detail about how I was able to gain access to your godaddy, and how you can secure yourself
The attacker quickly took control of the username and I regained access to my GoDaddy account.
Since the attack, GoDaddy has acknowledged that one of its employees fell victim to a social engineering attack allowing a hacker to take over a customer’s domain names and eventually extort a coveted Twitter user name from him. PayPal, which the victim claimed also played a role in the attack, denied the accusations.
“Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy,” the company said in a statement on its website. “The hacker then socially engineered an employee to provide the remaining information needed to access the customer account.”
“The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers,” the company said. “We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”
PayPal dismissed the claims that its employees released personal information or credit card details from Hiroshima’s account.
“We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal,” the company said in a statement Wednesday on its website.
“Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post,” PayPal said. “We are personally reaching out to the customer to see if we can assist him in any way.”
To truly add insult to injury, there was a brief moment in time during Mr. Hiroshima’s attempts to reclaim his properties, when the @N Twitter handle was deleted by the hacker, released – and someone else grabbed it.
“The practice of verifying customer identity by using the last several digits of the credit card on record is unacceptable,” Hiroshima said. “Users should not let companies like PayPal and GoDaddy store their credit card information,” he said, adding that he will terminate his accounts with the two companies as soon as possible.
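As an added illustration (not part of Hiroshima's post or this article), here is a small Python model of the recovery-dependency chain the post describes, using hypothetical account names: it computes which accounts fall once the registrar is lost, ranks single points of failure, and shows the effect of the step Hiroshima took of moving his Twitter recovery address off his own domain.

```python
from collections import deque

# Constructed model (hypothetical account names, not from the post) of the
# recovery chain the post describes: each account maps to the channels that
# can reset its credentials. Controlling a channel means controlling every
# account that recovers through it. The custom mail domain hangs off the
# registrar because the registrar controls the domain's MX records.
RECOVERY = {
    "registrar":   [],               # reset only by phone/ID verification
    "custom-mail": ["registrar"],    # MX records live at the registrar
    "twitter":     ["custom-mail"],
    "facebook":    ["custom-mail"],
    "paypal":      ["custom-mail"],
    "indep-mail":  [],               # mailbox on a separate provider with 2FA
    "bank":        ["indep-mail"],
}


def blast_radius(recovery, seeds):
    """Every account reachable by compromising `seeds` and chaining password resets."""
    resets = {}                      # channel -> accounts that channel can reset
    for account, channels in recovery.items():
        for channel in channels:
            resets.setdefault(channel, set()).add(account)
    compromised = set(seeds)
    queue = deque(seeds)
    while queue:
        channel = queue.popleft()
        for account in resets.get(channel, ()):
            if account not in compromised:
                compromised.add(account)
                queue.append(account)
    return compromised


def rank_single_points_of_failure(recovery):
    """Accounts ordered by how many others fall if that one account alone is lost."""
    return sorted(((len(blast_radius(recovery, {a})) - 1, a) for a in recovery),
                  key=lambda pair: (-pair[0], pair[1]))


def rehome(recovery, account, new_channels):
    """Copy of the model with `account` recovering through `new_channels` instead."""
    updated = dict(recovery)
    updated[account] = list(new_channels)
    return updated


if __name__ == "__main__":
    print("registrar compromise reaches:", sorted(blast_radius(RECOVERY, {"registrar"})))
    print("weakest links:", rank_single_points_of_failure(RECOVERY)[:2])
    hardened = rehome(RECOVERY, "twitter", ["indep-mail"])
    print("after moving the Twitter recovery address:", sorted(blast_radius(hardened, {"registrar"})))
```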