Skip to main content

Twitter user has @N account stolen after PayPal Scam

The downside to having a unique Twitter handle is that it could become a target for hackers.

That's what happened to California Web developer Naoki Hiroshima, who, over the years, has been offered as much as £25,000 for his @N Twitter account. He turned down those offers, and has thwarted several attacks, but was forced to hand over ownership of the account this week after a scammer took advantage of questionable security within PayPal and GoDaddy.

"As of today, I no longer control @N. I was extorted into giving it up," he wrote Wednesday in a lengthy blog post, which recounted the stranger-than-fiction plot—complete with email correspondence with his hacker.

The sordid tale began 20 January with a text message from PayPal, alerting Hiroshima that someone tried to hack into his account, then later via a GoDaddy email revealing an unauthorised change to his personal account settings.

"I soon realized, based on my previous experiences being attacked, that my coveted Twitter username was the target," he wrote.

Unable to verify his ownership of the domain name since the attacker changed his credit card information, Hiroshima followed protocol and filled out a GoDaddy case report, expecting a response within 48 hours. But GoDaddy denied his claim because he was not the "current registrant"—the hacker was.

"GoDaddy asked the attacker if it was ok to change account information, while they didn't bother asking me if it was ok when the attacker did it," his blog said. "I was infuriated that GoDaddy has put the burden on the true owner."

Hiroshima changed the email associated with his Twitter account, thwarting the hacker. In retaliation, this person contacted Hiroshima with a deal: Access to the @N account for five minutes, "while I swap the handle in exchange for your [GoDaddy], and help securing your data."

Memories of Wired writer Mat Honan's tale of his cloud-based data hack—prompted Hiroshima to hand over his precious Twitter title. He "concluded that giving up the account right away would be the only way to avoid an irreversible disaster," Hiroshima wrote.

With the switch complete, Hiroshima asked his hacker for details of how he pulled it off. Turns out, he used "some very simple engineering tactics" to get the last four digits of Hiroshima's credit card out of PayPal, which he then provided to GoDaddy to gain access to Hiroshima's account.

"It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," Hiroshima wrote.

In a statement, GoDaddy said it is "making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."

In a statement of its own, PayPal said there had been a failed attempt to gain access to Hiroshima's account.

"PayPal did not divulge any credit card details related to this account," it said. "PayPal did not divulge any personal or financial information related to this account. This individual's PayPal account was not compromised."

"Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post," PayPal said. "We are personally reaching out to the customer to see if we can assist him in any way."

Hiroshima has already updated a number of web services to include a Gmail address, which he suggests people use instead of a Google Apps email account. Also, using two-factor authentication "is a must," he said, citing it as the best defense against his PayPal account being hacked.

Still, the developer vowed to leave GoDaddy and PayPal "as soon as possible."