Hacked off: how GoDaddy and PayPal cost one man his prized ‘@N’ Twitter handle


Until last week, Naoki Hiroshima was the proud owner of one of the coolest usernames on Twitter: the “@N” handle. With only 26 letters in the alphabet, one-letter Twitter handles are extremely rare, making them highly valuable and susceptible to numerous purchase offers and hack attempts.

According to Hiroshima, he was once offered $50,000 to sell the @N handle, but he refused. Not everyone has been so generous, and many attempts were made to steal the hande until finally, one hacker actually managed to pull it off. And the successful hack was all thanks to the helping hand provided by GoDaddy and PayPal.

Hiroshima reveals in a lengthy blog post just how the hacker pulled it off. If true, there’s cause for concern. He relates how hackers had made dozens of half-assed attempts over the years to steal his Twitter handle, mostly by requesting a simple password reset, which would land in his email inbox. That was until last week, when he fell victim to a cunning extortionist who blackmailed him into giving up his Twitter handle.

“While eating lunch on January 20th, 2014, I received a text message from PayPal for one-time validation code,” wrote Hiroshima. “Somebody was trying to steal my PayPal account. I ignored it and continued eating.”

This was the first hint of the nightmare that would follow. The hacker was unable to gain access to Hiroshima’s PayPal account, but instead resorted to posing as a PayPal employee to obtain the last four digits of his credit card over the phone. Somewhat incredibly, PayPal willingly gave out this information, which on its own is normally pretty useless. Unfortunately for Hiroshima, those last four digits aren’t so useless when someone is trying to verify identity to GoDaddy over the phone, which is exactly what the hacker did next. Somehow, the hacker worked out that Hiroshima uses GoDaddy to host his email and web domain accounts, and by using the credit card details, the hacker was able to gain control of these and access his email.

“It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification,” complained Hiroshima.

When he discovered this, Hiroshima guessed that the @N Twitter handle was the target, so he moved fast, changing the email address associated with the account. But it was too late, as the hacker altered the DNS entries for his domain names, gaining full control over them. GoDaddy refused to help Hiroshima, claiming that he was not the registered owner of his domain names, and Hiroshima had no way of proving this.

Having gained full control of Hiroshima’s domains, the hacker’s next move was to compromise his Facebook account, and used this to contact him directly.

“I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:” said the hacker in an email to Hiroshima.

“I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?”

With no option but to give up his @N Twitter handle or lose all of his domains for good, Hiroshima caved into the hacker’s demands and gave up the @N login details in exchange for his GoDaddy account. Luckily for him, the hacker did keep his word, handing back over control of his domains again and explaining in detail how he’d managed to infiltrate both PayPal and GoDaddy.

There’s no reason not to believe Hiroshima’s account of what transpired, and it should serve as a warning of just how easy it is for determined hackers to breach web security in order to obtain small details. Those small details can do a huge amount of damage if the hacker knows how to use them.

In conclusion, Hiroshima warns against using PayPal or GoDaddy, or letting them store your credit card details.

“Stupid companies may give out your personal information (like part of your credit card number) to the wrong person,” he writes. “Some of those companies are still employing the unacceptable practice of verifying you with the last some [sic] digits of your credit card.”

“To avoid their imprudence from destroying your digital life, don’t let companies such as PayPal and GoDaddy store your credit card information. I just removed mine. I’ll also be leaving GoDaddy and PayPal as soon as possible.”