
I Lost My $50k Twitter Username (2014) - slowhand09
https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
======
geofft
This is from 2014, and [https://twitter.com/N](https://twitter.com/N) appears
to be back in the hands of Naoki Hiroshima. I'm curious

a) how the account got transferred back (did Twitter support do it)?

b) whether these specific attacks are still possible.

~~~
delfinom
>b) whether these specific attacks are still possible.

Why not? It's been proven over and over again that customer support can be
manipulated easily. Most companies want their customer support to help the
average user. The average user isn't being hacked but instead loses their
passwords and access in a variety of ways. The cost of screwing over one
customer compared to aiding the rest is nothing to them (because nobody has
sued them for it yet and won).

~~~
geofft
One of the specific attacks was getting the last four digits of a credit card
from one company's CSR and using it to authenticate to another company's CSR -
I think that happened in a couple of other high-profile attacks around the
same time frame and major companies decided that the last four digits weren't
actually a meaningful authenticator.

------
Eric_WVGG
> If you are using your Google Apps email address to log into various
> websites, I strongly suggest you stop doing so. Use an @gmail.com for
> logins.

This strikes me as bad advice. Getting access to a hijacked Google account is
about as hopeless as everything else he got put through.

The point of failure wasn't "using a non-gmail address," it was "using an
untrustworthy registrar."

And I know it's not a silver bullet, but it's unclear from the article whether
he was using MFA for his GoDaddy account.

~~~
s_dev
> MFA for his GoDaddy account.

SIM hacking is now a thing to get around MFA, but it wasn't as popular in 2014.
Call up the telecom provider and use the same approach. Leverage Googleable
info of the target person and use that as answers to the customer support rep's
questions.

~~~
jwr
> Sim Hacking is now a thing to get around MFA

SMS is not a second factor, despite many companies pretending that it is. I am
alarmed at the number of large companies (especially banks!) that just blindly
and stupidly follow the outdated advice of using SMS messages as 2FA.

So, MFA is great, if it is really multi-factor: TOTP through Authy or Google
Authenticator, U2F or WebAuthn through a hardware key like a YubiKey.

------
theomega
I never had a good feeling about GoDaddy: their management console is bad, they
are spamming you constantly with offers and their pricing is not transparent.
And now this story. What are good alternatives for domain registration and DNS
hosting?

~~~
zaphod4prez
I like namecheap as the similarly large-scale competitor. There's also
[https://porkbun.com/](https://porkbun.com/) and
[https://www.nearlyfreespeech.net/](https://www.nearlyfreespeech.net/) which
are both awesome.

~~~
js2
+1 for nearlyfreespeech for privacy, registrar and DNS hosting, although for
one of my domains I'm using cloudflare for DNS.

------
mtmail
From 2014.

The article reads "As of today, I no longer control @N. I was extorted into
giving it up." I see he controls it again
[https://twitter.com/N](https://twitter.com/N)

~~~
pfalafel
> I tried to log in to my GoDaddy account, but it didn’t work. I called
> GoDaddy and explained the situation. The representative asked me the last 6
> digits of my credit card number as a method of verification. This didn’t
> work because the credit card information had already been changed by an
> attacker. In fact, all of my information had been changed. I had no way to
> prove I was the real owner of the domain name.

It's a little odd that GoDaddy didn't have the credit card number from before
the change.

~~~
wcoenen
PCI rules limit credit card data retention.

------
jchw
I can’t say enough negative things about GoDaddy, and that is even without
considering anything in this story. Please don’t use GoDaddy. If you have
domains you really care about, consider Gandi.

------
whym
Previous HN thread (386 comments)
[https://news.ycombinator.com/item?id=7141532](https://news.ycombinator.com/item?id=7141532)

------
docker_up
There MUST be some sort of ISO certification for support people.

Giving first line, poorly trained support people access to people's PII and
the ability to change passwords is something that needs to be stopped. Social
engineers are completely exploiting poorly trained, minimum wage workers for
huge gains.

We need to have some sort of ISO certification so that front line support
people must hand over any security information to highly trained second-tier
staff. If EVERY company used the same subset of information to verify, under
the guidance of well-trained staff with a consistent methodology across all
companies, and didn't expose various bits and pieces of info (some use the last
four of the SSN, some use credit card info, address, date of birth, etc.) then it
would be extremely hard for social engineers to do hacks like this.

~~~
CiPHPerCoder
> There MUST be some sort of ISO certification for support people.

Would it matter if there was?

You have to pay money _to even read what the ISO standards say_. The lack of
ISO certification is not an impediment for most people or businesses.

~~~
docker_up
Yes. If there was some uniform standard on how support workers were trained,
what data they have access to, then social engineering attacks would drop
dramatically. The leaking of data would not be as prevalent and it would be
standardized.

------
dmitryminkovsky
Assuming Twitter TOS prohibit trading in usernames, I'm not sure how you can
value a username.

"Strangely, someone I don’t know sent me a Facebook message encouraging me to
change my Twitter email address. I assumed this was sent from the attacker but
I changed it regardless." – what?

~~~
Scirra_Tom
It says he was offered $50k USD for it, so that's how he's valuing it. They
can prohibit transfer in writing, but there's not much they can do about it.

------
kylehotchkiss
Biggest lesson I learned here: long-lived TTLs for MX records seem ideal to
prevent a custom-domain email takeover.

The bigger risk these days is how easy it is to lose your phone number, which
seems to be the trendy way to break into accounts. Using Google Voice for SMS
2FA seems like an OK workaround until companies get a clue that phone numbers
are barely tied to their user if access to the user's account is desired.

Welp, I wish Cloudflare would add Yubikey support now too to make it easier to
lock down the account.
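
To turn the MX TTL observation above into a check, here is an added example
(written for this thread, not code from the article or from any registrar or
DNS provider) that parses the answer section in the shape `dig +noall +answer
<zone> MX` prints and flags zones whose MX TTL is below a policy floor. The
sample answer lines, the zone names and the one-day floor are constructed
placeholders.

```python
import re
from collections import namedtuple

MxRecord = namedtuple("MxRecord", "name ttl preference exchange")

# Constructed sample answer section (placeholder zones, not real lookups), in
# the tab-separated layout `dig +noall +answer <zone> MX` uses:
# <owner> <ttl> IN MX <preference> <exchange>
SAMPLE_ANSWER = """\
example.com.\t300\tIN\tMX\t10 mail1.example.com.
example.com.\t300\tIN\tMX\t20 mail2.example.com.
example.net.\t604800\tIN\tMX\t10 mx.example.net.
"""

_MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exch>\S+)\s*$"
)


def parse_mx_answer(text: str) -> list:
    """Parse MX answer lines; blanks, comments and non-MX records are skipped."""
    records = []
    for line in text.splitlines():
        m = _MX_LINE.match(line)
        if m:
            records.append(MxRecord(m["name"], int(m["ttl"]),
                                    int(m["pref"]), m["exch"]))
    return records


def min_ttl_by_zone(records) -> dict:
    """Shortest MX TTL per zone: that is what bounds how long a resolver's
    cached copy of the legitimate record keeps being used."""
    out = {}
    for r in records:
        out[r.name] = min(out.get(r.name, r.ttl), r.ttl)
    return out


def short_ttl_zones(records, minimum_seconds: int = 86400) -> list:
    """Zones whose MX TTL is below the policy floor (default one day)."""
    return sorted((zone, ttl) for zone, ttl in min_ttl_by_zone(records).items()
                  if ttl < minimum_seconds)


if __name__ == "__main__":
    recs = parse_mx_answer(SAMPLE_ANSWER)
    for zone, ttl in short_ttl_zones(recs):
        print(f"{zone} MX TTL {ttl}s is below the 1-day floor")
```

Two caveats when reading the output: a long TTL only helps resolvers that
already hold a cached copy of the legitimate record, and it delays your own
legitimate MX changes by exactly the same amount. It complements registrar
lock and strong authentication on the registrar and DNS accounts rather than
replacing them.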

------
joering2
> however if you’d like me to recommend a more secure registrar i recommend:
> NameCheap

Please don't. NameCheap is horrible at the security of your account and at
customer support in general; I personally had a battle with my ex (who just
happened to know my name and DOB, very easy to find online anyway) and she
was able to start a transfer of all my domains. I was able to get involved, but
it was a he-said/she-said battle for days, during which all my domains were
suspended, so no traffic and no sales online (a loss of about $80,000). The big
problem was that, to cut costs, NameCheap hires cheap helpers from the Eastern
European bloc (just log in to their chat; you can quickly tell by the names of
the CS staff), and each helper was telling me (and her) a different story.
Eventually it got "solved" after about five days when my ex just agreed to
cancel the transfer altogether. This was circa 2016, unsure if anything has
changed, but I gradually moved most of my domains out (I prefer NameSilo and
DynaDot these days; a much more robust verification process).

Edit: to clarify: the domains had stayed with my ex, and that was the final
decision of NameCheap, since she was the one to answer the security questions
correctly. As I indicated, what solved the issue was that she eventually
decided to drop it and return them to me. A change of heart, if you will.

~~~
listenallyall
You sell about $80,000 every 5 days (nearly $6 million annually) and you
registered your domain with NameCHEAP? And you're surprised that NameCHEAP hires
CHEAP Eastern European help? And you didn't pick a registrar with token-based
2FA? Or any security beyond knowing your name and DOB to start transferring
domains out (which I don't believe)?

~~~
joering2
The domain was registered many years before, but I agree I should have never
gone with NameCheap in the first place. Another, much more reliable registrar
is Marcaria, which has gone down price-wise in just the last few years.

------
listenallyall
Anyone else's BS detector sounding off right now? This is certainly the most
helpful "attacker" I've ever heard of, politely answering all kinds of
detailed questions AFTER he got what he wanted. This story states the attacker
was able to register a Twitter handle just minutes after the author changed
his. Does Twitter actually allow this? It doesn't lock up the old handle for a
period of time? Seems like a basic security measure for Twitter to implement.

And what does the Facebook account have to do with anything -- why would the
attacker want it, and further, how did he steal that without already knowing
the password (if the attacker couldn't receive Twitter's reset emails, he
couldn't have received Facebook's either)? And if the attacker "was able to
control my email" then how did the author continue to communicate, by email?
There's just a lot to unravel here.

~~~
judge2020
Yes, you can instantly take a handle that someone just recently let go of, as
long as it was a username change and not a suspension or deletion.

------
simonebrunozzi
I lost @simon in May 2019 [0], and I am now (hopefully) very close to getting
it back to me, after countless tickets, emails, back and forth, etc.

[0]: [https://medium.com/@simon/mobile-twitter-hacked-please-help-...](https://medium.com/@simon/mobile-twitter-hacked-please-help-2f65c691edf8)

------
joelx
Crazy story. Paypal and GoDaddy are not known as good businesses.

------
taborj
At least the attacker was willing to answer questions about how they were able
to gain control.

~~~
moate
That's a "yikes take" from me dawg.

That's what's called "Self-justification". Helping your victim after
victimizing them allows you to say "I'm not that bad, I'm helping make sure
this doesn't happen again".

This is a terrible person doing bad things to other people. He could donate
all the money he makes selling the user name to orphans and it still doesn't
really justify the behavior.

~~~
leftyted
If I steal some old lady's purse, is it "self-justification" if I find some
medication in it and return it to her while keeping the purse?

I don't see any overt attempt at "justification" in these emails. The attacker
wanted a very specific thing and, after he got it, he didn't do anything
further. He even gave the victim some helpful information. That doesn't
justify his actions but his behavior is clearly less reprehensible than it
might have been.

You seem to be saying, somewhat paradoxically, that the perpetrator wouldn't
have committed the crime at all if he had been _more malicious_ because then
he would have had to truly reckon with the consequences of his actions. Maybe.
Maybe theft would be less common if all thieves were compelled by some magical
force to kill their victims. But that's not realistic and, besides, people
commit far more malicious crimes than this without being deterred by the
damage they're doing.

~~~
moate
>> If I steal some old lady's purse, is it "self-justification" if I find some
>> medication in it and return it to her while keeping the purse?

Yes.

What I'm saying is trying to say "well at least he was nice enough to explain
the security problems after extorting this man" isn't a helpful comment. It
seems to imply that this isn't the worst thing this guy could have done. So
what? Who cares? A bad thing was done and pointing out that a worse thing
could have been done doesn't help anyone or anything. It's a bad take on the
situation.

>> You seem to be saying...

No. IDK what that was, but that wasn't what I was saying at all. I don't think
you really seem to be grasping the concept of what self-justification is, and
how it's an enabling behavior to allow bad people to do bad things. The whole
idea behind it is that the "clearly less reprehensible than it could have
been" thought allows you to justify whatever bad things you do.

~~~
UnFleshedOne
Um, I'm not sure people doing crimes need much additional self-justification
-- they are already heroes of their own stories, taking what is due to them,
punishing the oppressor, harvesting from the marks, what have you.

From society's point of view, allowing some leniency of judgement is probably
beneficial on net -- you don't get many more purses stolen, but you do get
more pill bottles returned. (This is an empirical question actually; maybe
there are social studies on the topic?)

Consequences and intent matter. First because duh, second because it lets you
predict (and therefore influence) the future.

~~~
moate
Would love to see some studies on this if someone can pull them on that
specific style of law.

>> Um, I'm not sure people doing crimes need much additional self
>> justification...

It doesn't work this way. They do need the additional self-justification. It's
a constant stream of reinforcement. "Yea, I don't feel bad that I stole this
rich asshole's twitter account because I used the money to feed some orphans
and told him how to fix these problems in the future" is the self-
justification. It's a constant establishment of why you're good in a relative
fashion.

It's something everyone does on all sorts of things, it's how everyone builds
their worldview, and it's normal but that doesn't mean we should join in on it
as outsiders and say things like "well at least he gave the guy some
precautions for the future".

>> From society's point of view, allowing some leniency of judgement is
>> probably beneficial on the net...

Maybe? I mean as a general statement, sure. But there are going to be specific
situations where it isn't helpful. Also, there's a whole school of thought
that says that it's more important that you minimize situations that would
encourage criminal behavior rather than providing leniency in punishment after
the fact. Better to eliminate the need to steal in order to provide for your
family rather than create uneven enforcement by judges deciding where leniency
should be exercised.

~~~
UnFleshedOne
>> but that doesn't mean we should join in on it as outsiders and say things
>> like "well at least he gave the guy some precautions for the future".

An extreme version of this, where social approval is expected by perpetrators
(sometimes justifiably) is vigilantism. It is illegal, and society is worse
off for it in a general sense, and yet...

Compare a blackhat who takes over all the routers and sells the botnet to an
organized crime ring vs a grayhat who does the same but instead patches the
vulnerabilities on the devices or uses them to do an internet census and puts
the data in the public domain. Both are illegal acts and both have victims
(maybe some devices are bricked in the process), but one is definitely worse.
And that is true even if in both scenarios all the devices got bricked so the
consequences are exactly the same.

>> rather than providing leniency in punishment after the fact

I meant judgement more in social disapproval sense. As for actual judges, they
already have some leeway and often use it. There is a reason politicians who
want to be seen as being tough on crime like to introduce mandatory minimums.

I agree that crimes are better prevented by reducing the need to commit them,
but taking into account intent and mitigating circumstances is one of the ways
to do that. Mandatory minimums just make sure criminals leave prisons with a
PhD in crime instead of a mere Bachelor's.

~~~
moate
Let's wind this back. I can come up with any sort of scenario to justify a
philosophical point. But the discussion didn't start there. You've presumably
read the article this thread is on, and saw the comment I was responding to.

Your blackhat vs grayhat is a false equivalency. We know that this is a bad
actor, and the mitigating factor isn't why he did what he did or what he
did with his ill-gotten gains, it's (according to op) that after he did an
objectively bad thing (extortion), he did an objectively good thing (pointed
out security flaws). I feel that's cold comfort at best, and problematic
thinking at worst.

This whole thread seems to be me misunderstanding people or people
misunderstanding me and it isn't fun anymore. Wish you the best, we're not
really having the same discussion though.

------
dpcan
Sounds like he didn't have 2-factor authentication turned on anywhere.

~~~
t0astbread
2FA was mentioned in the article. The attacker used a recovery option to gain
access to his account.

------
foobarbecue
Reminds me of [https://gimletmedia.com/shows/reply-all/v4he6k](https://gimletmedia.com/shows/reply-all/v4he6k)

------
sureste
Should be marked as a story from 2014

~~~
slowhand09
Thanks for that. I'm relatively new to HN and still learning the protocols. I
don't see an [edit] link on the post. Can I go back and fix it?

~~~
theandrewbailey
The edit link is visible for only an hour or so after posting.

------
magashna
Unfortunately some domain registrars still don't work with less common TLDs.
I'm stuck with GoDaddy unless someone knows a better registrar for .boston
domains.

~~~
Null-Set
Gandi is pretty respected and they support .boston
[https://www.gandi.net/en/domain/tld/boston](https://www.gandi.net/en/domain/tld/boston)

------
riffic
Just a regular reminder that Twitter's namespace is solely the property of
Twitter the company.

------
aasasd
I now also wonder if there's a domain registrar better than Godaddy, and
better than Namecheap and Gandi. One where I can have a cryptographic
guarantee of my control over domains.

------
peterwwillis
> I’ve been offered as much as $50,000 for it.

What was he doing with it that it wasn't worth taking the money?

------
IGotThroughIt
Funny, I never thought of a longer TTL as one solution to this kind of
security problem. Interesting.

------
CoolGuySteve
I used to have a 7 digit ICQ number of mostly 3s, like 3335133 or something
like that. It totally wasn't worth the hassle of random Russians trying to
buy/scam it from me.

Same thing happened on a smaller scale when I had the apparently rare 'white
earbuds' in my Steam account.

The easiest thing is just to give it away and find something better to do with
your time.

~~~
dole
I also had a 7 digit ICQ number, were the lower ones actually (relatively
speaking) valuable in this regard?

I had a <1M Twitter UserID# and lost the account after self-suspending it and
someone squatted the name.

~~~
chupasaurus
Only if it's easy to remember/type. 5 or 6 digits had the real value.

As for account protection, S in ICQ stands for security.

~~~
sashk
...and they refuse to change the password (last time I checked, about a year
ago) for my 6 digit id. That's secure.

~~~
chupasaurus
The current owner of the messenger has always had an open-door policy for
Russian law enforcement organizations, so any changes since 2010 couldn't be
counted as secure.

edit: Also, the recently published analysis of the data on the in-the-wild
traffic tampering boxes that are mandatory for ISPs, made "to help Russian
police with investigations" (authentication isn't supported! firewall rules
were deleted due to end-user requests! some of the data is on shodan.io!!!),
showed that they hold a client IP to ICQ UIN mapping.

------
pimlottc
(2014)

------
carlchenet
2014

