Naoki Hiroshima says he was eating lunch when he received a
test message from PayPal asking for a validation code to reset his account. He
was about to find out that a hacker used a small amout of information to gain access to his PayPal and GoDaddy accounts, which ultimately led to Hiroshima losing his highly-coveted Twitter handle to an unidentified hacker.
Hiroshima, the CEO of N Methods, had the Twitter handle @N and says he’s had
offers for up to $50,000 to purchase the name. He describes the series of events that caused him to lose his Twitter account on his blog.
Hiroshima uses Google Apps as an email client. After receiving the text from PayPal, he noticed that the
last email he received was from his website domain registrar GoDaddy with the
subject line, “Account Settings Change Confirmation.”
Hiroshima tried to log in to his GoDaddy account, but was
rejected. He called to have his account reset. But when the customer service
representative asked for the last six digits of the credit card associated with
the account, his credit card didn’t match.
"In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name," Hiroshima wrote on his blog.
Hiroshima says he was later tipped off by stranger on Facebook to change the email address on his Twitter account. He says that because of a delay caused by changing the domain’s records, the hacker did not receive password retrieval emails from Twitter.
Later, an anonymous email from a person going by the name “Social Media King” told Hiroshima that the Twitter account was the target and the GoDaddy account would be released in exchange for the Twitter name.
Hiroshima says that he was unable to reset his GoDaddy account because he was not the current registrar.
Unsure of how to move forward, Hiroshima says he relented and changed the name of his Twitter account from @N to @N_is_stolen -- giving the hacker an opportunity to take the username. The hacker, in exchange, sent him the new GoDaddy password and added: “If you’d like I can go into detail about how I was able to gain access to your godaddy, and how you can secure yourself.”
The hacker claimed to use “simple engineering tactics” to obtain the last four digits of Hiroshima’s card from PayPal, then used those same numbers to gain control of Hiroshima’s GoDaddy account.
“It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification,” Hiroshima wrote.
Similar types of attacks have targeted “Super Troopers” actor Erik Stolhanske and technology journalist Mat Honen in the past.
PayPal responded to the allegations by posting a statement that said:
- We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal.
- PayPal did not divulge any credit card details related to this account.
- PayPal did not divulge any personal or financial information related to this account.
- This individual's PayPal account was not compromised.
GoDaddy did not discuss the details of Hiroshima’s claims and emailed CBS News this statement: “We take customer security very seriously and are investigating this issue.”
It’s unclear if Hiroshima will regain control of his account. When asked if an investigation was underway, Twitter spokesperson Jim Prosser told CBS News via email, “While we don't comment on individual accounts, we are investigating the report.”