Hacker News new | past | comments | ask | show | jobs | submit login
I Lost My $50k Twitter Username (2014) (medium.com)
148 points by slowhand09 6 months ago | hide | past | web | favorite | 86 comments

This is from 2014, and https://twitter.com/N appears to be back in the hands of Naoki Hiroshima. I'm curious

a) how the account got transferred back (did Twitter support do it)?

b) whether these specific attacks are still possible.

>b) whether these specific attacks are still possible.

Why not? It's been proven over and over again that customer support can be manipulated easily. Most companies want their customer support to help the average user. The average user isn't being hacked but instead loses their passwords and access in a variety of ways. The cost of screwing over one customer compared to aiding the rest is nothing to them (because nobody has sued them for it yet and won)

One of the specific attacks was getting the last four digits of a credit card from one company's CSR and using it to authenticate to another company's CSR - I think that happened in a couple of other high-profile attacks around the same time frame and major companies decided that the last four digits wasn't actually a meaningful authenticator.

My guess for a) is, a Twitter employee found his blog post on HackerNews.

@mods or whoever we need (2014) added to the title.

It seems like he got his account back one month later:

Tweet: https://mobile.twitter.com/N/status/438426408721735680

The verge article: https://www.theverge.com/2014/2/25/5448392/victim-of-twitter...

> If you are using your Google Apps email address to log into various websites, I strongly suggest you stop doing so. Use an @gmail.com for logins.

This strikes me as bad advice. Getting access to a hijacked Google account is about as hopeless as everything else he got put through.

The point of failure wasn't "using a non-gmail address," it was "using an untrustworthy registrar."

And I know it's not a silver bullet, but it's unclear from the article that he was using MFA for his GoDaddy account.

> The point of failure wasn't "using a non-gmail address," it was "using an untrustworthy registrar."

But wasn't his point that gmail.com is much less likely to have its MX record compromised than any domain you could possibly register? So using your gmail.com address removes the issue of registrar trustworthiness completely.

You're trading registrar trustworthiness for email provider trustworthiness. I'm not sure what is better.

I suppose I should start actually paying for email, and go with protonmail or somebody like that. If they have decent and competent customer service, that would reduce the chances of getting hacked.

> MFA for his GoDaddy account.

Sim Hacking is now a thing to get around MFA but it wasn't as popular in 2014. Call up the telecom provider and use the same approach. Leverage Googleable info of the target person and use that as answers to the customer support reps questions.

> Sim Hacking is now a thing to get around MFA

SMS is not a second factor, despite many companies pretending that it is. I am alarmed at the number of large companies (especially banks!) that just blindly and stupidly follow the outdated advice of using SMS messages as 2FA.

So, MFA is great, if it is really multi-factor: TOTP through Authy or Google Authenticator, U2F or WebAuthn through a hardware key like a YubiKey.

I should have specified "MFA with an authentication app" I suppose.

Multiple accounts means more work for the attacker. E.g. using unique emails for Paypal, Godaddy, and Facebook would have made this harder.

Unfortunately MFA doesn’t help in this case if an attacker can just circumvent it by calling customer service to fairly easily bypass it.

I never had a good feeling with GoDaddy, their managment console is bad, they are spamming you constantly with offers and their pricing is not transparent. And now this story. What are good alternatives for Domain registration and DNS hosting?

I like namecheap as the like similarly-large-scale competitor. There's also https://porkbun.com/ and https://www.nearlyfreespeech.net/ which are both awesome.

+1 for nearlyfreespeech for privacy, registrar and DNS hosting, although for one of my domains I'm using cloudflare for DNS.

I am also very happy with namecheap. Also https://www.gandi.net/en is nice for some tlds that does not exist on namecheap.

NFS is great. Also gandi.net is pretty no-bullshit and works great.

Where are you from that you only have access to those few hosters? I think there are hundreds of hosters in Germany, at least somewhat like a dozen big ones which all do a pretty good job. Wonder why everybody seems to stick to GoDaddy, also in the tech scene.

For Germany, just for reference, there is Webhostlist [0], which gives me over 400 different hosting packages (obviously not 400 hosters) available with at least one domain and an included SSL certificate. Starting at 0.38 € per month (.de domain included) with a one-time setup of 0.99 €.

[0]: https://www.webhostlist.de

I've been very pleased with Google Domains.

They probably won't be the cheapest (most .com's are $12 a year), but they don't try to upsell much if at all, the pricing is really consistent and there are no surprises (no bullshit like the first year is $1 and the next year is $40 unless you remember to go do something), and their management UI is really nice.

I only have about 6 domains with them, so keep that in mind, but I've been extremely happy with the whole thing.

I'm also, like, 90% sure that when you are using your custom domain on Google, as a business user, the "recover my email via phone number" option goes away, because you are your own "administrator" and if your "users" lose their password they just have to go to you.

(Which closes that gaping hole in your email security.)

I'm not using the "Google Apps" part of their services, i'm just using their "domains" offering at domains.google.com

They can be the same thing if you want, but they don't have to be. You can use an externally hosted domain with google apps, and you can use Google domains without "google apps" (like I do).

Also, as of somewhat recently, I believe you can disable "recover by phone" as an option if you want for any google account.

I still use google domains, but am slightly irked by the fact that they recently redesigned their UI for no apparent reason--it's much worse now.

I use gandi and I love it. They have 2FA, good management systems, friendly support, etc.

I interviewed at GoDaddy - really weird place. I declined their offer.

Mind to extend your comment?

AWS. Competes on price, and you have full control of DNS rules via the management console.

Have you considered Cloudflare? They also provide domain registration services [1] in addition to DNS hosting.

[1] https://www.cloudflare.com/en-ca/products/registrar/

The (current, I've been told this is being worked on) problem with cloudflare's registrar is you MUST use their DNS if you buy a domain through them. Great if you already do and never intend to switch, useless if you don't or might need/want to switch in the future.

Godaddy kept messing with my fees, I dropped them once I found a suitable alternative.

gandi. really well-designed + clear interface.

I've never had issues with iwantmyname.

Domain registration: Gandi.net

DNS: CloudFlare

From 2014.

The article reads "As of today, I no longer control @N. I was extorted into giving it up." I see he controls it again https://twitter.com/N

> I tried to log in to my GoDaddy account, but it didn’t work. I called GoDaddy and explained the situation. The representative asked me the last 6 digits of my credit card number as a method of verification. This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.

It's a little odd that GoDaddy didn't have the credit card number from before the change.

PCI rules limit credit card data retention.

It's very surprising that he hasn't updated the blog entry to indicate that the handle has been recovered.

I can’t say enough negative things about GoDaddy, and that is even not considering anything in this story. Please don’t use GoDaddy. If you have domains you really care about, consider Gandi.

Previous HN thread (386 comments) https://news.ycombinator.com/item?id=7141532

There MUST be some sort of ISO certification for support people.

Giving first line, poorly trained support people access to people's PII and the ability to change passwords is something that needs to be stopped. Social engineers are completely exploiting poorly trained, minimum wage workers for huge gains.

We need to have some sort of ISO certification so that front line support people must hand over any security information to highly trained second-tier staff. If EVERY company used the same subset of information to verify, under the guidance of well-trained staff with a consistent methodology across all companies, and didn't expose various bits and pieces of info (some use last for of SSN, some use credit card info, address, date of birth, etc) then it would extremely hard for social engineers to do hacks like this.

> There MUST be some sort of ISO certification for support people.

Would it matter if there was?

You have to pay money to even read what the ISO standards say. The lack of ISO certification is not an impediment for most people or businesses.

Yes. If there was some uniform standard on how support workers were trained, what data they have access to, then social engineering attacks would drop dramatically. The leaking of data would not be as prevalent and it would be standardized.

Assuming Twitter TOS prohibit trading in usernames, I'm not sure how you can value a username.

"Strangely, someone I don’t know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless." – what?

It says he was offered $50k USD for it, so that's how he's valuing it. They can prohibit transfer in writing, but not much they can do about it.

Biggest lesson I learned here: Long-lived TTLs for MX records seem ideal to prevent an custom-domain email takeover.

The bigger risk these days is how easy it is to lose your phone number, which seems to be the trendy way to break into accounts. Using Google Voice for SMS 2FA seems like an OK workaround until companies get a clue that phone numbers are barely tied to their user if access to the user's account is desired.

Welp, I wish Cloudflare would add Yubikey support now too to make it easier to lock down account.

> however if you’d like me to recommend a more secure registrar i recommend: NameCheap

Please don't. NameCheap is horrible at security of your account and at customer support in general; I personally had a battle with my ex (who just happened to know my name and DOB, very easy to find online anyways) and she was able to start transfer of all my domains. I was able to get involved but it was he say / she say battle for days during which all my domains were suspended so no traffic and no sales online (loss of about $80,000). The big problem was to cut cost NameCheap hires cheap helpers from Eastern European block (just login to their chat you can quickly see by name of CS) and each helper was telling me (and her) different story. Eventually it got "solved" after about five days where my ex just agreed to cancel the transfer altogether. This was circa 2016, unsure if anything changed, but I gradually moved out most of my domains (I prefer NameSilo and DynaDot these days - much more robust verification process)

Edit: to clarify: the domains have stayed with my ex and that was final decision of NameCheap since she was the one to answer security questions correctly. As I indicated, what solved the issue is she eventually decided to drop it and return them to me. A change of heart if you will.

Sounds like NameCheap actually did a pretty good job of resolving your issue.

You had a motivated attacker who knew all of your most personal details and you were able to resolve the issue in 5 days.

I use NameCheap for a few domains and have always found their customer service to be excellent.

You sell about $80,000 every 5 days (nearly $6 million annually) and you registered your domain with NameCHEAP? And your surprised that NameCHEAP hires CHEAP eastern european help? And you didn't pick a registrar with token-based 2FA? Or any security beyond knowing your name and DOB to start transferring domains out (which I don't believe).

The domain was registered many years before, but I agree I should have never gone with NameCheap in the first place. Another one much more reliable registrar is Marcaria, which went down price-wise since just few years ago.

I lost @simon in May 2019 [0], and I am now (hopefully) very close to getting it back to me, after countless tickets, emails, back and forth, etc.

[0]: https://medium.com/@simon/mobile-twitter-hacked-please-help-...

Anyone else's BS detector sounding off right now? This is certainly the most helpful "attacker" I've ever heard of, politely answering all kinds of detailed questions AFTER he got what he wanted. This story states the attacker was able to register a Twitter handle just minutes after the author changed his. Does Twitter actually allow this, it doesn't lock up the old handle for a period of time?Seems like a basic security measure for Twitter to implement.

And what does the Facebook account have to do with anything -- why would the attacker want it, and further, how did he steal that without already knowing the password (if the attacker couldn't receive Twitter's reset emails, he couldn't have received Facebook's either)? And if the attacker "was able to control my email" then how did the author continue to communicate, by email? There's just a lot to unravel here.

Yes, you can instantly take a handle that someone just-recently let go of, as long as it was a username change and not a suspension or deletion.

Crazy story. Paypal and GoDaddy are not known as good businesses.

At least the attacker was willing to answer questions about how they were able to gain control.

That's a "yikes take" from me dawg.

That's what's called "Self-justification". Helping your victim after victimizing them allows you to say "I'm not that bad, I'm helping make sure this doesn't happen again".

This is a terrible person doing bad things to other people. He could donate all the money he makes selling the user name to orphans and it still doesn't really justify the behavior.

If I steal some old lady's purse, is it "self-justification" if I find some medication in it and return it to her while keeping the purse?

I don't see any overt attempt at "justification" in these emails. The attacker wanted a very specific thing and, after he got it, he didn't do anything further. He even gave the victim some helpful information. That doesn't justify his actions but his behavior is clearly less reprehensible than it might have been.

You seem to be saying, somewhat paradoxically, that the perpetrator wouldn't have committed the crime at all if he had been more malicious because then he would have had to truly reckon with the consequences of his actions. Maybe. Maybe theft would be less common if all thieves were compelled by some magical force to kill their victims. But that's not realistic and, besides, people commit far more malicious crimes than this without being deterred by the damage they're doing.

>>If I steal some old lady's purse, is it "self-justification" if I find some medication in it and return it to her while keeping the purse?


What I'm saying is trying to say "well at least he was nice enough to explain the security problems after extorting this man" isn't a helpful comment. It seems to imply that this isn't the worst thing this guy could have done. So what? Who cares? A bad thing was done and pointing out that a worse thing could have been done doesn't help anyone or anything. It's a bad take on the situation.

>>You seem to be saying...

No. IDK what that was, but that wasn't what I was saying at all. I don't think you really seem to be grasping the concept of what self-justification is, and how it's an enabling behavior to allow bad people to do bad things. The whole idea behind it is that the "clearly less reprehensible than it could have been" thought allows you to justify whatever bad things you do.

Um, I'm not sure people doing crimes need much additional self justification -- they are already heroes of their own stories, taking what is due to them, punishing the oppressor, harvesting from the marks, what have you.

From society's point of view, allowing some leniency of judgement is probably beneficial on the net -- you don't get much more purses stolen, but you do get more pill bottles returned. (this is an empirical question actually, maybe there are social studies on the topic?)

Consequences and intent matter. First because duh, second because it lets you predict (and therefore influence) the future.

Would love to see some studies on this if someone can pull them on that specific style of law.

>>Um, I'm not sure people doing crimes need much additional self justification...

It doesn't work this way. They do need the additional self-justification. It's a constant stream of reinforcement. "Yea, I don't feel bad that I stole this rich asshole's twitter account because I used the money to feed some orphans and told him how to fix these problems in the future" is the self-justification. It's a constant establishment of why you're good in a relative fashion.

It's something everyone does on all sorts of things, it's how everyone builds their worldview, and it's normal but that doesn't mean we should join in on it as outsiders and say things like "well at least he gave the guy some precautions for the future".

>>From society's point of view, allowing some leniency of judgement is probably beneficial on the net...

Maybe? I mean as a general statement, sure. But there are going to be specific situations where it isn't helpful. Also, there's a whole school of thought that says that it's more important that you minimize situations that would encourage criminal behavior rather than providing leniency in punishment after the fact. Better to eliminate the need to steal in order to provide for your family rather than create uneven enforcement by judges deciding where leniency should be exercised.

>> but that doesn't mean we should join in on it as outsiders and say things like "well at least he gave the guy some precautions for the future".

An extreme version of this, where social approval is expected by perpetrators (sometimes justifiably) is vigilantism. It is illegal, and society is worse off for it in a general sense, and yet...

Compare a blackhat who takes over all the routers and sells the botnet to organized crime ring vs a grayhat who does the same but instead patches the vulnerabilities on the devices or uses them to do internet census and puts the data in public domain. Both are illegal acts and both have victims (maybe some devices are bricked in the process), but one is definitely worse. And that is true even if in both scenarios all the devices got bricked so consequences are exactly the same.

>> rather than providing leniency in punishment after the fact

I meant judgement more in social disapproval sense. As for actual judges, they already have some leeway and often use it. There is a reason politicians who want to be seen as being tough on crime like to introduce mandatory minimums.

I agree that crimes are better prevented by reducing a need to commit them, but taking into account intent and mitigating circumstances is one of the ways to do that. Mandatory minimums just make sure criminals leave prisons with a Phd in crime instead of a mere Bachelor's.

Let's wind this back. I can come up with any sort of scenario to justify a philosophical point. But the discussion didn't start there. You've presumably read the article this thread is on, and saw the comment I was responding to.

Your blackhat vs grayhat is a false equivalency. We know that this is a bad actor, and the mitigating factor isn't what why he did what he did or what he did with his ill-gotten gains, it's (according to op) that after he did an objectively bad thing (extortion), he did an objectively good thing(pointed out security flaws). I feel that's cold comfort at best, and problematic thinking at worst.

This whole thread seems to be me misunderstanding people or people misunderstanding me and it isn't fun anymore. Wish you the best, we're not really having the same discussion though.

> I don't think you really seem to be grasping the concept of what self-justification is

I don't think you seem to be grasping your own argument very well and I'll leave it at that.

Seems best

Sounds like he didn't have 2-factor authentication turned on anywhere.

2FA was mentioned in the article. The attacker used a recovery option to gain access to his account.

Should be marked as a story from 2014

Thanks for that. I'm relatively new to HN and still learning the protocols. I don't see an [edit] link on the post. Can I go back and fix it?

The edit link is visible for only an hour or so after posting.

Unfortunately some domain registrars still don't work with less common TLDs. I'm stuck with GoDaddy unless someone knows a better registrar for .boston domains

Gandi is pretty respected and they support .boston https://www.gandi.net/en/domain/tld/boston

https://www.gandi.net works with .boston domains.

There seem to be quite a few: https://tld-list.com/tld/boston

I've used NameSilo and had no complaints. They offer 2FA. And they are a lot cheaper than GoDaddy.

Just a regular reminder that Twitter's namespace is solely the property of Twitter the company.

I now also wonder if there's a domain registrar better than Godaddy, and better than Namecheap and Gandi. One where I can have a cryptographic guarantee of my control over domains.

> I’ve been offered as much as $50,000 for it.

What was he doing with it that it wasn't worth taking the money?

Funny, I never thought of a longer TTL as one solution to this kind of security problem. Interesting.

I used to have a 7 digit ICQ number of mostly 3s, like 3335133 or something like that. It totally wasn't worth the hassle of random Russians trying to buy/scam it from me.

Same thing happened on a smaller scale when I had the apparently rare 'white earbuds' in my Steam account.

The easiest thing is just to give it away and find something better to do with your time.

I got into ICQ when it was really new so I had an ICQ number in the 15,000s. I changed my password once and it broke.

I reached out to ICQ support and they sent me an email saying "Thanks for reaching out, your current password is:

Have a nice day!"

Gave up after that. lol.

I also had a 7 digit ICQ number, were the lower ones actually (relatively speaking) valuable in this regard?

I had a <1M Twitter UserID# and lost the account after self-suspending it and someone squatted the name.

If only it's easy to remember/type. 5 or 6 digits had the real value.

As for account protection, S in ICQ stands for security.

..and they refuse to change password (last time checked about a year ago) for my 6 digit id. That's secure.

Current owner of the messenger has always had open door policy for russian law enforcement organizations, so any changes since 2010 couldn't be counted as secure.

edit: Also, the recently published analysis of the data on available in-the-wild (authentication isn't supported! firewall rules were deleted due to requests for it of the end users! some of the data is on shodan.io!!!) mandatory for ISPs traffic tampers made "to help russian police with investigations" showed that it has client's IP - ICQ UIN mapping.



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact