Naoki Hiroshima talks of how PayPal and GoDaddy caused him to lose a Twitter username once valued at $50,000. January 29, 2014 6:27 AM PST A coveted Twitter username, @N, was once owned by Naoki Hiroshima and valued at $50,000. But after a prolonged battle with an unidentified person, he has officially lost it. The trouble started last week when Naoki Hiroshima, head of mobile at Lark Technologies and CEO of N Methods, attempted to log in to his GoDaddy account, which houses both his domain names and vanity e-mail address, and was unable. Soon after, he called GoDaddy to find out why he couldn't log in, and was asked to verify his account. He couldn't. It wasn't long before Hiroshima received an e-mail from an attacker who said that he had accessed Hiroshima's GoDaddy account, changed all of the personal information so it was inaccessible to him, and said he wanted full control over the @N Twitter username. Related stories Evan Williams' media startup Medium raises $25M Google Glass adds prescription lenses, frames Twitter for Android better for cropping pics, killing time Twitter adds analytics for Cards Twitter suspends Hamas' armed wing account, report says "I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact," the attacker reportedly wrote to Hiroshima. "Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?" As time went on and the communications became clearer, Hiroshima realized he had no choice but to hand over his @N username or face losing his domains and all other Web sites. Upon making the trade (and changing his Twitter username to @N_is_Stolen, the attacker gave him back his GoDaddy account and provided tips on how to secure it. More interestingly, the attacker explained how he had accessed the account. He claims that he called PayPal to "obtain the last four [digits] of our card." From there, the person called GoDaddy, and was allowed to guess numerous times at the last four digits of the card on file in order to "verify" that he had access to the account. "It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," Hiroshima said in a blog post on Wednesday. The attacker then provided Hiroshima with some tips on overcoming such issues in the future, including not using vanity URLs for e-mail addresses on certain sites and not allowing call agents to share information with just anyone on the phone. "Stupid companies may give out your personal information (like part of your credit card number) to the wrong person," Hiroshima wrote. "Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card."
Naoki Hiroshima talks of how PayPal and GoDaddy caused him to lose a Twitter username once valued at $50,000.
A coveted Twitter username, @N, was once owned by Naoki Hiroshima and valued at $50,000. But after a prolonged battle with an unidentified person, he has officially lost it.
The trouble started last week when Naoki Hiroshima, head of mobile at Lark Technologies and CEO of N Methods, attempted to log in to his GoDaddy account, which houses both his domain names and vanity e-mail address, and was unable. Soon after, he called GoDaddy to find out why he couldn't log in, and was asked to verify his account. He couldn't.
It wasn't long before Hiroshima received an e-mail from an attacker who said that he had accessed Hiroshima's GoDaddy account, changed all of the personal information so it was inaccessible to him, and said he wanted full control over the @N Twitter username.
Related stories
- Evan Williams' media startup Medium raises $25M
- Google Glass adds prescription lenses, frames
- Twitter for Android better for cropping pics, killing time
- Twitter adds analytics for Cards
- Twitter suspends Hamas' armed wing account, report says
"I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact," the attacker reportedly wrote to Hiroshima. "Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?"
As time went on and the communications became clearer, Hiroshima realized he had no choice but to hand over his @N username or face losing his domains and all other Web sites. Upon making the trade (and changing his Twitter username to @N_is_Stolen, the attacker gave him back his GoDaddy account and provided tips on how to secure it.
More interestingly, the attacker explained how he had accessed the account. He claims that he called PayPal to "obtain the last four [digits] of our card." From there, the person called GoDaddy, and was allowed to guess numerous times at the last four digits of the card on file in order to "verify" that he had access to the account.
"It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," Hiroshima said in a blog post on Wednesday.
The attacker then provided Hiroshima with some tips on overcoming such issues in the future, including not using vanity URLs for e-mail addresses on certain sites and not allowing call agents to share information with just anyone on the phone.
"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person," Hiroshima wrote. "Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card."
