
How I Lost My $50,000 Twitter Username - micahgoulart
https://medium.com/p/24eb09e026dd
======
chavesn
Why would a company _ever ever ever_ accept 6 digits of a credit card number
as a way to authenticate an identity??

Credit card numbers are not secure. Therefore, they should not _ever_ be
accepted as authentication. Especially only 6 digits of it! This is by far the
most shocking part of this story. As if I needed another reason to despise
GoDaddy.

[Edited to add] I would sure love to see a scarlet letter list of companies
which allow such practices, so I can never use them.

~~~
Osiris
When a customer calls into the GoDaddy call center, they are supposed to
provide a 4 digit pin in order to gain access to their account.

I don't work in that department, but I'll forward the page to the CEO and make
sure it gets read and addressed.

~~~
SimHacker
While you're at it, tell him to stop shooting elephants, donating money to
Mitt Romney, decorating your web site with scantily clad women, and acting
like a sexist pig.

Edit: I see you got a new CEO since I and so many other customers left in
disgust about your company's support of SOPA and all those other issues. I'm
sure you still have binders full of scantily clad women to decorate your
booths at trade shows. Your company is permanently tainted, one of the worst
examples of what's wrong with the computer industry, and I'm never coming
back.

~~~
Osiris
I get it. I came on 2 years ago after Bob had already left. GoDaddy has also
officially stopped doing "GoDaddy Girls", which is a relief. Those old
commercials were awful.

------
markdown
I feel bad for this guy, and twitter needs to do the right thing and return to
him his handle.

Then I can come back here and post nasty comments about squatters.

~~~
apl002
Any thoughts why the attacker would tell the guy how he did it if this is the
obvious solution?

~~~
aragot
Yeah why is that attacker so nice and kind? No joking, it's bad for their
business.

~~~
sdk16420
Maybe just 'pride' of what he accomplished.

~~~
dspillett
Or an axe to grind.

Perhaps he has something against GoDaddy (many do) and/or PayPal (again, many
do) so took the opportunity to make them look bad by making sure that their
effective complicity in the hack is well known.

------
Bluestrike2
Heads really ought to start rolling at PayPal. Their general approach to
security is, quite frankly, appalling.

Is there any possible rational for Paypal to give the last four digits of his
card number to "him" over the phone? Given that they're routinely used for
verification, it's as if they've never heard of social engineering. It's
simply inexcusable.

And it's almost as bad as the ridiculous "Log In Without Your PayPal Security
Key" option that lets you bypass 2-factor auth and head straight to the ultra-
secure world of the ridiculous security questions such as the ever-popular
"what city were you born [that's also listed on Facebook]" and what not. I
still can't believe they think that's a good idea.

~~~
autarch
The attacker was posing as a PayPal employee, not the card owner. Of course,
PayPal still needs better security, but posing as an employee of the same
company is a classic social engineering exploit.

~~~
Aqueous
And that part was never really answered either. How can he pose as an employee
calling in from an outside line? Does PayPal not tell you when an extension
from PayPal is calling you?

~~~
phpnode
he was probably posing as an employee of the account holder, not paypal

~~~
xauronx
Ohh, good point. I never thought of that. I assumed employee of Twitter as
well.

------
georgemcbay
Seems like Twitter could easily verify the story based on their own logs and
then restore access to his N account. He doesn't mention pursuing that,
though.

~~~
brador
He said he wasn't using it much. Thus, isn't he basically a squatter?

~~~
jrs99
He's definitely a squatter. If you own something and you don't use it, you're
a squatter. I own an old original Nintendo that I haven't used all year.
That's why if someone comes into my house and takes it, it's my own fault.

~~~
chmars
I tend to disagree:

The right of ownership includes the right to use what you own in your own way.

~~~
riffic
The ownership of the Twitter namespace is Twitter's alone, not the user's.

~~~
sdk16420
IIRC, Twitter officially doesn't allow you to sell your handle.

~~~
riffic
I did not know that but I'm not surprised.

------
ck2
This story is horrifying because PayPal was the enabler.

_PayPal gave the attacker the last four digits of my credit card number over
the phone_

That person should lose their job if it is not PayPal policy.

I really hope by some small chance the person that did this gets some serious
prison time, if not for this then anything else prior or down the road. Then
maybe one of those mornings they wake up in prison they can ponder if it was
all worth it.

~~~
fuj
This wasn't PayPal's fault. I mean, not entirely. The problem was with GoDaddy. The
last 4 digits of credit cards show up everywhere. Check your receipts.
Related question on Stack Exchange:
[http://security.stackexchange.com/questions/37758/safety-of-...](http://security.stackexchange.com/questions/37758/safety-of-publishing-last-4-credit-card-digits-in-age-of-fast-computing)

GoDaddy should not use the last 4 digits as a way to confirm identity, exactly
for the reason I mentioned above.

~~~
ck2
PayPal gives out info to someone completely unverified and it is not their
fault?

It would be one thing if this was a spouse or someone intercepting their
physical mail. It's not. It's someone out of the blue who called PayPal to get
the last four of a complete stranger.

GoDaddy's verification is bad too but at least they had some kind of attempt.

------
fjcaetano
I believe that it is ISO 9001 (quality assurance) that states that a company
must be able to audit any stored data and data changes dating back some time.
Judging by PayPal (especially for being a financial company), Twitter (for
being a publicly traded company), and GoDaddy's size, they may all comply with ISO
9001, but I'm just guessing.

Anyhow, if any of them actually comply with ISO 9001, it is possible to audit
previous data to establish the true identity of the owner on some arbitrary
date before any of this happened.

Quite possibly, to avoid unnecessary user annoyance, these companies will only
subject themselves to the effort of analyzing that data under court order, so
it's fair to suppose there is a need to open a judicial process. Therefore, I
believe it's possible to regain access to everything that was supposedly
stolen, even though it may take quite some time.

------
lancewiggs
Everyone looks bad here, but I want to focus on Twitter. For me this case is
yet another demonstration that Twitter sees its customers as advertisers and
places low priority on the community.

I pay Twitter nothing, and yet the service is valuable to me. So instead of
continuously crippling the service in the name of goodness knows what, why not
actually charge users for a premium experience. Things like customer service
that works, a gold member status flag, controls on swapping account ownership,
analytics and so on. Offer 3 paid levels - personal, business and corporate,
and obviously keep the free level forever. Once revenue comes from customers,
then perhaps it will help in understanding that while other revenue might be
larger, the true value of Twitter is derived from the community.

~~~
riffic
Or look into alternatives in the microblogging space. Whatever happened to
Status.net/OStatus?

~~~
slazaro
But the problem with alternatives is the fact that they're alternatives. Not
what other people are using. If it's a social app, it's important.

~~~
riffic
I dug a little deeper, and OStatus is currently a working group committee
within the W3C.

If I were the CIO at, oh, say, an org in the public realm (a generic government
agency, for example), I'd rather have control over the publishing and namespace
of its tweet-like messages rather than putting every egg into the single-basket
solution. Who knows if Twitter will be around 20 years from now?

The nice thing about standards is that there are so many to choose from.

------
micahgoulart
An interesting point made was to avoid using custom domains for the login
emails, since a DNS takeover would compromise your accounts tied to that
email.

~~~
troels
I think that's missing the point a bit. Using Gmail as your primary address
will make you vulnerable to Google arbitrarily (or even justifiably) shutting
down your access. We've all heard stories about that.

What you should do is make sure that you trust your registrar. PayPal sure
has some questionable practices, but the real culprit in this story is
clearly GoDaddy.

------
philliphaydon
Ditch GoDaddy - They are a terrible company.

Also considering closing my paypal account now.

~~~
cpayne
I'm consistently surprised at the number of complaints against GoDaddy. They
are a horrible company! You get what you pay for...

~~~
Osiris
Just a side note here: GoDaddy has been under new management for a little
under two years. There are a lot of internal changes happening, specifically aimed
at improving usability and infrastructure.

~~~
cpayne
(I didn't know that). That's fine, but there are just SO many other companies
that provide the same service...

------
codezero
One thing people should realize about why Twitter may not respond to these
kinds of issues, or may be slow to respond, is that it's probably true that
lots of people buy and sell Twitter accounts, and people may report them
stolen when in fact they've already sold them to someone.

This kind of thing happened a lot in MMO games which is why they try to push
account security into your hands so they don't have to attempt to arbitrate in
deals that may or may not have happened outside of their sphere of control.

~~~
baddox
So what? If Twitter returned control of a handle if someone could prove that
they had recently controlled the handle, that would quickly make the handles
market dry up.

~~~
Herald_MJ
Twitter has no interest in there being a handles market. In fact, I wouldn't
be surprised if their T&Cs expressly forbid it.

------
brown9-2
Why is anyone still using GoDaddy?

~~~
prawn
Why did someone not sell a Twitter username for $50k?

~~~
adventured
It's against Twitter's terms of service to sell usernames. Technically. Lots
of people get away with it I'm sure.

[https://support.twitter.com/articles/18311-the-twitter-rules](https://support.twitter.com/articles/18311-the-twitter-rules)

Abuse and Spam > Selling usernames: You may not buy or sell Twitter usernames.

~~~
joshvm
What happens if you do, surely it's caveat emptor?

The rules only say:

"If such permission is not granted, there is no (zero) market value or worth
to this account."

If you walk away, cash in hand, are you liable for any punishment other than
the banhammer from Twitter?

------
650REDHAIR
I felt very angry and uncomfortable reading that. I can't imagine being in a
helpless position like that.

------
Dnguyen
I lost a nice handle (@Houselogic) a few years back. Sent Twitter all the
proof and email trail and everything, but they were useless. Every time I
email their support, it's a new ticket and I have to explain the whole
situation again and again. I gave up after two years.

------
nogridbag
Slightly OT, but someone registered a Twitter account with my primary e-mail
address. I received a "Confirm your e-mail account" email with a link "Not My
Account". That link brings me to a page that says "Sorry, that page doesn’t
exist!".

There doesn't appear to be any way to contact Twitter about this.

Shortly after, I received a second email "Welcome to Twitter, <username>"

Going to:
[https://support.twitter.com/forms/impersonation](https://support.twitter.com/forms/impersonation)

...and selecting "Someone is using my email address without my permission."
tells me to submit a general support ticket. That's fine except none of the
general categories has anything to do with this problem and choosing "My issue
is not in the list" simply redirects me immediately to the root support page.
I submitted a ticket with a different topic and have not heard back from them
in a week and expect I never will.

~~~
vehementi
Doesn't this mean your email account is compromised?

~~~
nogridbag
I doubt it. I have two factor auth set up on my email. Looking at the
timestamps, the Welcome email was sent the same minute as the "Please confirm"
email, so it's possible the Twitter account is not live and this was just an
automatic welcome e-mail. Still, it would be nice if the "Not My Account" link
actually worked properly or there was some way to contact support about it.

~~~
andreasvc
Maybe the "Please confirm" mail was fake and actually meant to get you to
click on the "Not My Account" link ...

------
seniorsassycat
I found it interesting how open the attacker was about how they did it.

~~~
scott_s
He probably wanted to brag to _someone_ about how he did it. It just so
happened to be his victim.

~~~
troels
Or he felt a bit remorseful about the whole thing and figured that _at least_
he could help the guy not get caught in the same net again.

------
blueskin_
Don't use GoDaddy. Simple as that.

If that hadn't happened, he'd still have his twitter account.

>If I were using an @gmail.com email address for my Facebook login, the
attacker would not have been able to access my Facebook account.

Just google and the NSA then. Also, Gmail has an exposed password reset and
social-engineerable support. A server running Postfix/Exim doesn't.

I'd consider a domain with a _good_ registrar far more secure than google.

------
dmak
And we all know how this would end. GoDaddy and Paypal will try to make this
right because of the negative publicity. Why does it always take a post like
this to call for help?

~~~
eplumlee
GoDaddy and Paypal have every incentive to bury their shoddy security
practices and deny everything that the OP is claiming, to avoid a PR disaster.
They _might_ quietly return to the issue later and perhaps address some of
their security issues... maybe.

------
Shank
I don't understand why Twitter doesn't have the standard 30 day wait period on
handle changes that most sites have. For a while it was a standard to not let
old usernames be available until 30/60/90 days after a change, so that in the
event that this kind of thing happened, it could be reclaimed with ease as
soon as the GoDaddy account is in his possession.

------
konklone
This is a terrifying story, and I'm very glad Hiroshima wrote it, because I
didn't have two factor auth turned on with my domain provider. Now I do!

It seems like if he'd had 2FA turned on with GoDaddy, this may not have
happened. So rather than use @gmail.com addresses to register for things, as
he recommends, just turn on 2FA with your provider. And if your provider
doesn't support it, leave them and tell them why.

The admonition to use a @gmail.com address was annoying enough that I actually
put up a response blog post just on this point:
[https://konklone.com/post/protect-your-domain-name-with-two-...](https://konklone.com/post/protect-your-domain-name-with-two-factor-authentication)

------
maxk42
Someone tracked down the hacker:
[http://www.reddit.com/r/hacking/comments/1whk3a/tracking_the...](http://www.reddit.com/r/hacking/comments/1whk3a/tracking_the_hacker_of_the_50000_twitter_handle/)

------
pyk
No lawyer? Any reason why none was mentioned? Extortion is a serious federal
crime (across state lines, multiple companies, even a clear admission of guilt).
At the least it would get GoDaddy's attention vs. just asking nicely.

~~~
nroach
I was surprised that the victim didn't get an attorney involved. This is an
example of a situation in which a court could very swiftly (same day, usually)
issue an injunction to preserve the status quo while the merits get sorted out
in court. Most domain providers I've dealt with will freeze a disputed account
pending legal resolution of ownership, which can be decided via the court
system or a WIPO arbitration.

------
kristiandupont
>Using my Google Apps email address with a custom domain feels nice but it has
a chance of being stolen if the domain server is compromised.

_Sigh._ I use Google Apps _exactly_ so that I have control over the domain and
am not subject to the good will of Google. I had never thought of this
particular problem. Now I don't know what to do.

~~~
cbhl
This really boils down to who is a better sysadmin: you or the Google SREs.
Choose reliable and paranoid providers that actually verify your identity
before shenanigans and you can mitigate the entry vector.

------
WA
Reminds me of harvesting ICQ numbers. There was a time when you could search
6-digit ICQ numbers for expired freemail addresses like Hotmail (they deleted
your account after a while), register that freemail address and reset your ICQ
number password to get a brand "new" 6-digit number. I think this doesn't work
anymore, since most freemail hosters don't "free" expired email addresses but
keep them locked.

It still works if you find an expired domain name, register the domain name
and then do the whole password-reset procedure. Might be cheaper to buy a 6
digit number on eBay though :)

~~~
fredsted
Maybe I'm missing something, but who uses ICQ still? And why not focus on
3-digit numbers? There's a million 6-digit ICQ numbers; not that unique.

~~~
WA
This was ~10 years ago. 3-digit numbers were all gone. Having a million 6-digit
numbers increases the chances of actually getting one by registering an expired
domain/email address.

In times of 9 digit numbers, 6 digit numbers were still sufficiently unique :)

------
bredren
This is a scary story!

Focusing on the Twitter handle sale part: I have the twitter handle
@jetsetter, and have been offered multiple thousands of dollars for it (guess
who!).

Unfortunately, selling a twitter handle is against TOS. Only @israel has been
officially allowed to transfer hands for money, that I'm aware of.

So trying to broker the sale of a twitter account can allow the buyer to
report your 'behavior' to twitter. They can seize the account and make it so
no one has it, which may be what the buyer prefers to you having it.

So no matter the price you could command, it isn't like you could just list @n
up for sale and make it rain.

~~~
vxNsr
If you're referring to this:
[http://www.theguardian.com/technology/2010/sep/14/twitter-us...](http://www.theguardian.com/technology/2010/sep/14/twitter-user-sells-israel-username)

at the bottom, a Twitter representative is quoted as saying that as long as
they give you permission to sell/buy a handle, they won't block/lock the
account.

Apparently CNN also purchased a handle [1].

[1] [http://www.businessinsider.com/cnn-acquires-cnnbrk-twitter-a...](http://www.businessinsider.com/cnn-acquires-cnnbrk-twitter-account-with-nearly-1-million-followers-2009-4)

~~~
bredren
I wrote in 2009 describing the situation and asked for approval. I was turned
down. Reviewing the support ticket now, I think I could have handled the sale
more professionally. Maybe that's why.

------
benatkin
It's sad, but Twitter's not transferring it back in a week's time gives me
more confidence in Twitter, not less. There isn't any evidence of the stealing
of the domain names and the extortion available besides OP's copies of the
email messages and information that GoDaddy won't provide. With the value a
Twitter ID has, Twitter shouldn't do anything without clear evidence.

He might have been able to get it back if it was his trademark or even name
that he lost and not some witty username.

~~~
xauronx
I was thinking how witty it would be if THIS was the actual hacker, and he
was using us to create a shitstorm in order to rush Twitter into giving him
the account. I'm sure there is sufficient data to support that he was the
original owner though.

~~~
benatkin
True. I believe the original poster, no question about that. I hope twitter
reverses it, but I can see why they haven't yet.

------
patrickwiseman
Have you reported it to someone with prosecution powers?

[http://www.fbi.gov/about-us/investigate/cyber](http://www.fbi.gov/about-us/investigate/cyber)

[http://www.ic3.gov/default.aspx](http://www.ic3.gov/default.aspx)

------
harryh
Who are people's current favorite domain registrars? I've been with name.com
for the last year or so and have been happy, but I'm always curious to hear
from others.

~~~
nthj
[http://DNSimple.com](http://DNSimple.com) for us. Their template system and
support are fantastic.

~~~
patio11
I've heard good things about them from friends. This article was the last
straw for me -- I just migrated my 90 domains off of GoDaddy. Actually, I
didn't. I just told DNSimple to do all the work, via their (brilliant)
concierge onboarding option: [http://blog.dnsimple.com/2014/01/domain-transfer-concierge-s...](http://blog.dnsimple.com/2014/01/domain-transfer-concierge-service/)

"Here's my credit card and GoDaddy creds, guys, and here's a technical note
about my DNS settings that I want you to pay extra special attention to. Tell
me when I should expect to start getting the GoDaddy confirmation emails.
Other than that, have fun playing with DNS settings -- I never want to even
think about them again."

This post is 5% "Here's my recommendation for a DNS service" and 95% "Notice
how in return for an hour or two of grunt work a SaaS company just made it
very easy for me to award them $2,000 of high-margin recurring revenue a year
despite being twice as expensive as my pre-existing option by successfully
overcoming my 'I would love to move off my existing solution but it requires
grunt work so I think I'll punt on that decision for, oh, eight years'
objection? That's a really good trade. You should consider offering it in your
SaaS business, too, in any way that makes sense for it."

~~~
agwa
That does sound really good.

On the other hand, we're talking about security here, and, sadly, a company
that has extra helpful support may be more easily socially engineered. The
author's advice to use gmail.com addresses only works because Google basically
has no customer support for gmail.com, so there's no one to social engineer!

~~~
patio11
This is, ironically, one of the reasons I feel more secure with their 3-man
firm than with GoDaddy. GoDaddy has all the resources to put in place a well-
architected ISO-whatever procedure with flow charts, custom software, and
government document review... and then fail at their one job. These guys, on
the other hand, pretty much will be forced to have an actual human who knows
me decide "Is this chap claiming to be Patrick really Patrick?" I feel really
secure that a smart geek who has standing orders from me ("I DON'T TRANSFER
DOMAIN NAMES EVER.") can reason out an ad hoc verification process which is
much, much more likely to reject a fraudster than the GoDaddy CSR following
the manual will be. (I mean, since they're two degrees of separation from me
and our mutual friend is a business acquaintance well known to both of us,
they could literally just call the friend and say "Someone is claiming to be
Patrick and wants to transfer all his domains. You know that's a thermonuclear
change since you're in this industry too. Call him and ask whether he knows
about this. We'd both appreciate the favor. If he does we're good; if he
doesn't, we're blocking this chump.")

~~~
agwa
Those are excellent points. Some of it only applies to you (being a large
customer and having 2 degrees of separation), but I too would feel a lot more
comfortable with 3 decent- and competent-sounding guys like them than with a
larger company like GoDaddy.

------
owenwil
Wow, this is both interesting and terrifying. I have a two character Twitter
handle that I use actively and it makes me worry that one day I might be
targeted too using a similar method, although so far I've had no problems.

~~~
andre
I have a two character twitter handle also, and am active on it. Used to
receive several "reset" emails per day before two-factor authentication.

------
Oculus
If the author is reading, did you end up getting back your @n username? If so,
did you simply go to Twitter and explain to them the whole story?

~~~
owenwil
I don't think you realize how unresponsive and poor Twitter's support is. I
was once locked out of my Twitter account via anything but Tweetdeck (due to
two-factor authentication suddenly breaking and not sending SMS messages) for four
weeks before I wound up accidentally finding a PC that I hadn't signed out of
previously and was able to disable it. I logged a ticket on the first day it
happened and never even received a response.

~~~
rickyc091
I can concur with their shitty support. I guess iOS 7 auto-updated my Vine app
and somehow logged me out. I tried password resetting every email I could
think of, and I tried to connect via my social network. No dice. My account
couldn't be found. I emailed their support team with my username asking them if
they could provide me with my email, so I could do a forgot-password to the email. I even
linked them to a few direct vines I had created and saved the URL to. Their
response was that unless I could provide them with the Vine ID number of my user
account, they could not locate my account.

Seems I emailed them back and forth six times and I kept getting this canned
message from them. Needless to say, I've given up and deleted Vine from my
phone.

"Unfortunately, we are unable to locate the Vine account in question. If you
can still log in to your Vine account, go to your profile settings and select
either "Invite via text" or "Invite via email." From there you will see your
Vine account ID number. Can you reply to this message with the Vine ID number?

If you no longer have access to this account, but can see the account in Vine
search, press the more icon (three dots) on the top right of the profile.
After that, tap on "Share this profile" and from there you will see your Vine
account ID number."

------
hoektoe
Just find it interesting to see how different the conversation on the same
topic is over at reddit,
[http://www.reddit.com/r/technology/comments/1wfwfp/how_i_los...](http://www.reddit.com/r/technology/comments/1wfwfp/how_i_lost_my_50000_twitter_username/)

~~~
unreal37
Sad to say, reddit sounds more human today than HN. So many people here
saying, "He only tweeted 3 times in 2013, he deserves to lose it". Have some
empathy!

You think the hacker who tricked Paypal and Godaddy is in the right here to
steal it? I can't believe it.

~~~
rangibaby
I found this story interesting for the social engineering aspect. The lack of
"outrage" is actually quite refreshing.

------
nevi-me
My custom domain address was stolen with the Dropbox data leak; I got so much
spam that I set my Gmail to pull my mails via POP3. Then I changed everything
to use my Gmail, and locked down my Gmail account.

I've heard people go on about how Google (and I suppose other corporations)
are evil, and how they are rolling their own custom mail solutions etc. It's
times like these that people lose important things.

Also, I really don't understand why US companies must store credit card
details. I understand the convenience, but there have been a lot of security
compromises to let this practice continue. In South Africa online retailers
don't store CC info, yet we aren't being brought to our knees by
inconvenience.

At least the attacker mentioned his methods, so GoDaddy and PayPal can educate
their staff better.

~~~
TwoBit
What do you mean by Dropbox data leak?

~~~
_ikke_
A project document with e-mail addresses was retrieved through the account of
a dropbox employee[1].

Some people noticed they got e-mail through unique non-disclosed e-mail
addresses.

[1]: [http://lifehacker.com/5930706/dropbox-confirms-user-email-le...](http://lifehacker.com/5930706/dropbox-confirms-user-email-leaks-offers-new-security-features)

------
zzzeek
What's more likely: someone hacks your domain name / DNS, gaining control of
your MX records, or someone hacks your username @gmail.com?

~~~
dabernathy89
Possibly depends on whether you are using 2-factor auth with Gmail.

~~~
gcp
Just Google's notification "why are you suddenly using your accounts from a
different country" can be life-saving.

(As well as not putting any important stuff there)

------
zaidf
I have a four-letter Twitter handle (zaid) and I probably average a half dozen
forgot-password requests daily... many of them people in the Middle East with
the same name as me trying to take over my account.

I've had two users offer to buy my username.

------
mrbill
It's not a $50K Twitter username unless someone actually paid $50K for it at
one point, is it?

"Not accepting an offer of $50K for a twitter username I didn't use" doesn't
really count...

~~~
Buge
It's worth what people are willing to pay for it. If people are willing to pay
$50k then it is worth $50k. Of course it might have gone down in value since
the offer.

~~~
stanleydrew
That logic only works once an actual payment is made. Claiming you are willing
to pay and actually paying are two very different things.

------
vysakh0
Since Medium also depends on Twitter, his page is no longer available. I
checked the @N_is_stolen page; it is fresh. So all his posts on Medium are gone,
just because there is a change in username?

------
lucaspiller
> But guessing 2 digits correctly isn’t that easy, right?

The first few digits of card numbers refer to the provider (Visa, Amex, etc)
[0]. Given that Paypal gave the last four digits of the card, I'm surprised
they wouldn't give out the provider as well, so guessing this would be even
easier.

[0]
[https://github.com/stripe/jquery.payment/blob/master/src/jqu...](https://github.com/stripe/jquery.payment/blob/master/src/jquery.payment.coffee#L11)

~~~
eridius
It wasn't the first 2 digits that were guessed, it was the 2 digits prior to
the final 4.

------
rdl
The advice to use @gmail.com vs. a custom domain name seems kind of
questionable if you use a reasonably secure registrar. Not GoDaddy.

Using an unusual/unknown address for account validation mails (maybe with
forwarding of other communications) probably would make sense, though. And/or
sites coming up with a better account-recovery procedure, perhaps outsourced
to a startup.

There's probably a market for a super-secure email address for account login
mails, but that isn't a free gmail account.

------
rodrigocoelho
Namecheap posted a tweet[1] with an offer to move domains out of GoDaddy:

_How we make sure that you don't lose your $50,000 Twitter username:
[http://ow.ly/t4yR8](http://ow.ly/t4yR8) $5.99 domain transfers with code
BYEBYEGD_

[1]
[https://twitter.com/Namecheap/status/428555697882935296](https://twitter.com/Namecheap/status/428555697882935296)

------
yaeger
What I take away from this is that:

a) Two Factor should be mandatory and as soon as it is, any representative of
the company MUST insist that a reset cannot be done over the phone. It should
be highly suspicious if someone comes up and says "Hi, I lost my email account
access AND my phone so could you please reset my password via phone now?"

b) If not Two Factor, the security questions should also be mandatory. No
other "data" like past addresses or cc numbers should suffice to reset over
the phone if the person doesn't know the answers to all security questions.

And, speaking of these questions, of course they should be stuff that _you_
know and cannot be "guessed" by anyone who is able to read your Facebook page
or similar. Maybe even some nonsensical thing like "Favorite Food" -
"Horse Droppings". As long as you remember this, nobody should be able to
"hack" that over the phone, even if you go on and on on Facebook about how you
"could eat your way through a giant bowl of pasta you love it so much".

~~~
aestra
>As long as you remember this

I would NEVER remember this. EVER.

------
abus
Why does anyone believe the hacker's story of how he did it? It's possible he
told the truth but it's likely he did not.

------
jdrenterprises
I'm not a programming expert, nor a process expert, but the way I see it...

... there has got to be a multi-stage process for authentication that does NOT
use any CC or SSN. Of course, the responsibility lies with the account owner
for maintaining passwords/authentication information.

If you lose the information, no way to recover it.

I say this because it seems (again, I'm not an expert) that these thieves use
social engineering mostly in the "data recovery" stage of the process.

The only way to tighten that from my perspective is to put maximum
responsibility on the account owner to keep their logins, passwords (again,
for multi-stage authentication), and such on hand. Don't have a need to
recover your info, and others can't use the recovery process to get to your
account.

I guess it wouldn't be a perfect scenario but... this, or lose @N.

I am sorry to hear there are companies allowing these practices, though...
sad.

------
erikb
Is it not possible to use the last bills as verification of who you are?
screenshot of the bank statements and asking GoDaddy to verify their bank data
and you've shown that it is in fact you who paid the bills.

Also if account data is changed they MUST keep a log of what your data was
before. At least anything beside passwords.

------
joshmlewis
I could be wrong but what is the value of a stolen Twitter handle? Just like a
stolen car or phone if someone starts using it won't it be obvious that it's
the thief or the thieves buyer? That's like stealing a Porsche and then
showing it off downtown in front of everyone.

~~~
obiterdictum
Comparatively few people will read this story. Even fewer will care enough to
continue the crusade against the attacker for any prolonged period of time to
raise awareness among the potential future audience that this account was
stolen.

High chance the story will be quickly forgotten and the account will be re-
used.

~~~
scott_karana
Or resold, even more sensibly...

------
smartician
That reminds me, a few months ago I had a weird Twitter experience. Someone
gained access to my rarely used Twitter account @smartician and started
posting spam. Somehow Twitter noticed, reset the password and notified me via
email. I have no idea how that was possible.

~~~
westi
> Somehow Twitter noticed, reset the password and notified me via email. I
> have no idea how that was possible.

This sounds like pretty normal automated monitoring for what looks like
compromised account behaviour.

------
EA
Up until late 2013, it was very easy to social engineer your way past Customer
Sales Rep call screens to gain access to an AT&T account once you put together
a few pieces of personal data (which was even easier to obtain) of the account
owner. You didn't need to know the account password to gain access if you had
other pieces of information. Those bits of information leak out through other
service providers and are sometimes available through State and Federal
Government systems.

That meant that anyone using SMS via AT&T for two-factor auth was vulnerable.

The extra layer of security is only enabled if you call AT&T and ask them to
further protect your account from future changes.

------
Brandork
I have seen great articles that document the best practices, patterns and
anti-patterns for authentication within an application or storing passwords
etc. But where is the gold standard for authenticating people over the phone?

Good Developers understand how critical it is to handle authentication and
password storage well. It can be complicated thing and is very easy to screw
up.

But all that goes out the window when somebody calls the support line. There
needs to be just as much scrutiny placed on over the phone authentication as
there is within an application. The problem is likely that those over the
phone patterns/anti-patterns are not well documented and available.

------
Tepix
I read the article. Sounds like an epic fail by GoDaddy, I blame them for 99%
of what happened. Glad I'm not a customer of theirs... Oh btw, try to find a
registrar that does 2-factor authentication!

~~~
bjpirt
Try Gandi:

[http://wiki.gandi.net/en/contacts/login/2-factor-activation](http://wiki.gandi.net/en/contacts/login/2-factor-activation)

(note to self: activate 2FA)

------
RawData
So who are you planning on suing? PayPal, godaddy, twitter, or all three?

~~~
TwoBit
The Terms of Service agreements for those companies probably all allow them to
get away with it.

~~~
jkrems
Terms of service normally don't override law. So, if there is something
unlawful about their behavior, it doesn't matter what they wrote in their TOS.
At least in many countries, not sure about US.

------
seanlinmt
Interesting that GoDaddy does not keep an audit trail for account detail
changes that might help detect malicious activity. I guess they'll rather lose
customers and reputation than do this.

~~~
hackmiester
They don't have much to lose reputation-wise...

~~~
aestra
I am surprised anyone can take them seriously as a company after their
Superbowl commercials.

------
outericky
Regardless of how this all went down, and who is responsible... It is still
theft, right? Falsifying one's identity and taking possession of @n is stealing
and should be covered under some law, no?

------
quackerhacker
I feel so bad for Naoki that he was compromised in this scary manner. While
the hacker did con his way on the phone for personal information, at the
minimum, it's...hmmm....not nice...but "informative/narcissistic," of the
hacker to describe his method to the victim.

Makes me happy that companies are moving towards text authentication since
emails are easy (or at least well practiced) to compromise.

Note: Time to change my Time To Lives on my MX records and up my security.

------
benjamta
Crumbs, this makes interesting reading - clearly lots of failings by the
companies involved here.

However. If someone were to steal a physical asset in order to extort
something else out of me I would go immediately to the police. I'd have
thought I'd do the same if the assets involved were digital.

I've no idea if a criminal offence was committed in what ever jurisdiction
this happened. But I'd have thought extortion is illegal is many parts of the
world?

------
ksk
The "we take X seriously at Y company" line is so tired. These companies are
so incompetent that it would be funny if not for people getting screwed IRL.

------
betenoire
What was up with the part with the facebook message? Why would the attacker
tip him off rather than just take what he came for? Or did I read that wrong?

~~~
Zancarius
Never underestimate the enticing nature of boasting. I can think of more than
a few would-be anonymous attackers who were caught _precisely_ because they
wanted to brag about their achievements.

I'm not really sure I understand the psychology behind it and whether it's a
juvenile attempt to demonstrate relative power (e.g. "I did this to you, ergo
I'm more powerful/smarter/whatever") or something else entirely.

------
pistle
You can sell twitter @'s now? #itsNotWorth50k

Follow us at @N on twitter.

Looks like a typo. Imparts zero cred since 99.999% of people will not take
your ability to "possess" a short twitter account name as helpful for whatever
else you may be trying to do.

As far as the "Sorry I am so technically gifted. Let me tell you what you
should do to prevent me next time..." thing, what kind of cartoon caper is
this?

------
enscr
Can't you sue paypal or godaddy ? Or better yet, both. Shouldn't be hard to
track down the attacker either if you report the crime.

------
ChrisArchitect
pretty freaky stuff. Also, what was the attacker so interested in the @N for
anyways? future investment in case some big company/celeb comes along wanting
the username? Seems so crazy to go after it...... if Twitter can't sort this
out, can't we all just shame the acct into inactivity... Is squatting on it
worth all this Mitnick-attack-work?

~~~
bryan_rasmussen
Well, if this story is true (I put the if because it seems silly to have that
account be the target) then access to the account is proof of a crime (this
is why it seems silly).

If they sell it to someone I guess that is a reason to take it, but it also
seems like some enterprising DA would want to use it as an example of
receiving stolen property (because News! Hacking! Fame!). So if anyone buys
this name they might be in trouble at some unspecified point in the future.

~~~
ericcumbee
And in this case I would be pulling for the DA to tear this hacker a new one.

------
nitinag
No domain registrar should be taking the last four of your credit card number
as proof of account identity or ownership. We certainly don't. Have you
confirmed they reset the password based on just the last four of the credit
card OR was your account's email address itself compromised, allowing them to
reset the password via your email address?

------
sdaityari
Serious lapses on the parts of PayPal and GoDaddy. Ironically, there are sites
which even refuse to identify the real person - like this one posted on HN a
few days back ([http://kevinchen.co/blog/square-identity-verification/](http://kevinchen.co/blog/square-identity-verification/))

------
downandout
Was @n private before? It is now. If this kid is trying to sell the handle to
someone, the buyer is likely in for a rude awakening if and when Twitter does
the right thing and returns it.

------
mannat
Woah! What a story. You can trust nobody. Well, hope that the Twitter people
are reading this and can understand how badly they are trolled. All the best,
buddy. All the best.

------
Ryel
I'm still wondering WHY the hacker took a twitter handle and why he didn't
blackmail his victim into keeping quiet.

$50k is hardly worth such a bold crime with no exit strategy.

~~~
unreal37
Who's going to pay $50K for a stolen twitter handle? The value has surely
dropped quite a bit.

------
klapinat0r
In case OP reads HN: If your websites are hosted with GoDaddy, I would
consider them compromised as well.

He may say that he has left them alone, but you have no chance of knowing.

------
edem
This was the last straw. I'm moving away from GoDaddy.

------
jimwalsh
Yet another example of a compromised GoDaddy account and someone potentially
losing their domain. Yet people continue to use GoDaddy time and time again.

~~~
lurkinggrue
It was worth ditching GoDaddy just so I wouldn't have to use that horrible
interface ever again.

------
vladtaltos
besides the obvious stupidity of the parties involved, why would anyone pay
50k for such an uninformative handle? @N? seriously -- doesn't spam occur
for twitter feeds yet? I remember when google started off they didn't allow
you to have email addresses less than 6 characters to avoid spam...

btw, @! google search returns 0 results. interesting... hmm, twitter
apparently allows alphanumeric handles only...

------
amrita1306
That's awful.. I use both GoDaddy and PayPal for my website and this has
certainly made me more cautious about securing sensitive information

------
barlescabbage
What if this whole story was a lie? What if it was the hacker's final attempt
to steal the @n twitter name.

~~~
wallzz
you need to stop watching movies!

------
bevacqua
[http://xkcd.com/1279/](http://xkcd.com/1279/)

------
callesgg
Don't use GoDaddy is what I would take away from the story.

------
ivanbrussik
story archived here in case it did/does go down:

[http://pastebin.com/g7R6Ren2](http://pastebin.com/g7R6Ren2)

------
GunlogAlm
Why on earth are people still using GoDaddy?

------
owens99
I hope Twitter can help this guy somehow.

------
twice
This is quite frustrating even to read!

------
ests
It was like I read some scary book.

------
poopsintub
$50,000 twitter username. Sigh...

------
metaphorm
this story reeks of fake to me.

what sane person doesn't call the FBI when an attacker blatantly commits fraud
against them, admits to it, and then commits extortion based on the successful
fraud? Furthermore, what kind of attacker explains how they attacked? Thats
ludicrous.

this has got to be some kind of roundabout way of advertising for the various
competitors of godaddy mentioned in the post.

------
pmorici
Another reason to use Bitcoin. No credit card number to give away to the
attacker and identity can be verified by signing a message with a private key
instead of guessing at personal information.

~~~
OafTobark
Did you even bother to read the damn article or are you throwing blind shit on
the wall here?

~~~
pmorici
Yes, did you? The attacker got PayPal to give up the last 4 digits of the
victim's credit card number. Then he called GoDaddy, which allowed him to
verify his identity by giving them the last 4 of his credit card number, though
the attacker said they would have let him guess multiple times.

If GoDaddy accepted Bitcoin, PayPal wouldn't even be involved, and GoDaddy,
instead of asking for information which is apparently easily pilfered, could
have requested the caller sign a message with their private Bitcoin key
corresponding to the public key from which they paid GoDaddy for the domain
services to begin with.

~~~
dragonwriter
> If GoDaddy accepted Bitcoin PayPal wouldn't even be involved and GoDaddy
> instead of asking for information which is apparently easily pilfered could
> have requested the caller sign a message with their private key

If GoDaddy separated authentication of requests from payment information and
had any of a wide number of different authentication methods, this wouldn't
have been an issue, either. Using PayPal -- or accepting credit card payments
by other means -- does not imply (or normally involve) using the last four
digits of CC number as if it were a PIN for authentication. (In fact, since CC
numbers are widely exposed information, doing so is insane -- especially the
last four digits, which are frequently used without the rest as a reference to
identify a credit card to the owner of the card in contexts like receipts
where the information is expected to be particularly public.)

Payment methods are really largely irrelevant here, GoDaddy could easily have
adopted an equally stupid and brain dead authentication method if they took
bitcoin as payment.
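Added example (not from this thread, and not code from GoDaddy, PayPal or
Twitter) illustrating the two points argued above by pmorici and
dragonwriter: a support-desk check that accepts the two card digits before
the last four is brute-forceable in at most 100 guesses when attempts are
unlimited, and an attempt limit only shrinks the odds rather than fixing the
design; a challenge-response check against a key the account holder
registered at signup authenticates the caller without touching payment data at
all. Assumptions: the card number is a constructed test value, the lockout
threshold of 3 is arbitrary, and HMAC-SHA256 with a registered secret stands
in for the Bitcoin-key signature pmorici describes (the mechanism, proving
possession of a key rather than knowledge of a widely printed number, is the
same).

```python
"""Caller verification for account recovery: the guessable card-digit check
beside a challenge-response check that is independent of payment information.
Constructed example; not any company's actual code."""
import hashlib
import hmac
import secrets


class CardDigitVerifier:
    """Models a support desk that 'verifies' callers with the two card digits
    immediately before the last four. max_attempts=None reproduces the
    'guess as many times as you like' behaviour reported in the thread."""

    def __init__(self, card_number, max_attempts=None):
        self._target = card_number[-6:-4]
        self.max_attempts = max_attempts
        self.attempts = 0

    def check(self, guess):
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            raise PermissionError("verification locked after too many attempts")
        self.attempts += 1
        return hmac.compare_digest(guess, self._target)


def brute_force_middle_digits(verifier):
    """Attacker already holds the last four (obtained from PayPal, per the
    article) and the issuer prefix, so only 100 candidates remain for the two
    middle digits. Returns (succeeded, attempts_used)."""
    for candidate in (f"{i:02d}" for i in range(100)):
        try:
            if verifier.check(candidate):
                return True, verifier.attempts
        except PermissionError:
            return False, verifier.attempts
    return False, verifier.attempts


class ChallengeResponseVerifier:
    """Authentication separated from payment data: the holder registered a
    secret key at signup; support issues a fresh random nonce and accepts
    only a MAC over that nonce computed with the registered key.
    HMAC-SHA256 stands in (assumption) for a Bitcoin-key signature."""

    def __init__(self, registered_key):
        self._key = registered_key
        self._outstanding = set()

    def issue_challenge(self):
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # Each nonce is accepted once: a replayed or unsolicited transcript fails.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def respond_to_challenge(key, nonce):
    """What the genuine account holder's device computes for the desk."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    card = "4111111111111111"  # constructed test number, not a real card
    print(brute_force_middle_digits(CardDigitVerifier(card)))      # (True, 12)
    print(brute_force_middle_digits(CardDigitVerifier(card, 3)))   # (False, 3)
    holder_key = secrets.token_bytes(32)
    desk = ChallengeResponseVerifier(holder_key)
    nonce = desk.issue_challenge()
    answer = respond_to_challenge(holder_key, nonce)
    print(desk.verify(nonce, answer), desk.verify(nonce, answer))  # True False
```

With unlimited attempts the first verifier falls to a sequential scan of the
100 two-digit values; with a limit of three the attacker's chance per call is
3%, which is still far from acceptable for a recovery path, and repeated calls
to different representatives reset the count unless the lockout is stored on
the account. The second verifier gives an attacker who knows every digit on
the card nothing to work with, and the single-use nonce means a recorded
support call cannot be replayed.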

