Hacker News new | past | comments | ask | show | jobs | submit login
How I Lost My $50,000 Twitter Username (medium.com/p)
1043 points by micahgoulart on Jan 29, 2014 | hide | past | favorite | 386 comments

Why would a company ever ever ever accept 6 digits of a credit card number as a way to authenticate an identity??

Credit card numbers are not secure. Therefore, they should not ever be accepted as authentication. Especially only 6 digits of it! This is by far the most shocking part of this story. As if I needed another reason to despise GoDaddy.

[Edited to add] I would sure love to see a scarlet letter list of companies which allow such practices, so I can never use them.

When a customer calls into the GoDaddy call center, they are supposed to provide a 4 digit pin in order to gain access to their account.

I don't work in that department, but I'll forward the page to the CEO and make sure it gets read and addressed.

UPDATE: GoDaddy's CEO let me know that they contacted the affected party, the internal security team, and Twitter security. I'd hope they are also looking at policy/training changes for customer support, but that wasn't mentioned.

While you're at it, tell him to stop shooting elephants, donating money to Mitt Romney, decorating your web site with scantily clad women, and acting like a sexist pig.

Edit: I see you got a new CEO since I and so many other customers left in disgust about your company's support of SOPA and all those other issues. I'm sure you still have binders full of scantily clad women to decorate your booths at trade shows. Your company is permanently tainted, one of the worst examples of what's wrong with the computer industry, and I'm never coming back.

I get it. I came on 2 years ago after Bob had already left. GoDaddy has also officially stopped doing "GoDaddy Girls", which is a relief. Those old commercials were awful.

Credit card #s and social security #s are not secure. But what should companies use instead? We're a long way from everyone having fingerprint scanners, and I'm sure there will be a way to break that too.

Isn't the solution more around recovering from when the break-ins inevitably happen?

Fingerprint scanners sound worse than credit cards to me... Why would you want a password that you can't ever change and leave copies of everywhere you go?

Because fingerprints should be used as usernames, not passwords.


That's probably not a great idea for anything other than very secure systems where users aren't concerned with privacy, flexibility of identity or anonymity.

well, http://plaintextoffenders.com exists - someone should make creditcardoffenders.com .

Now there needs to be a browser plugin, which warns you when you are about to create an account on such a website.

That's an awesome idea!

The problem with services like that is that they aren't likely to be updated, if the company improve their measures.

You'd have to check in regularly to confirm this is still the way they do things.

That’s definitely a potential issue. Would be cool if the users’ incentives could be set up in a way that prevent the information from getting outdated.

Kind of off topic but that site also shows sites that email users their password when they create the account. That does not necessarily mean they store it plain text. Though the kind of devs that would send the password in email are likely to store it in plain text, but it's not necessary.

If you send the password in email, that's at least one instance where it was readable in clear text to everyone on the network between you and the server (and probably things like packet sniffers on the local network, right?). It's not as bad as storing it in the clear, but it removes some of the value of (e.g.) hosting a login page via SSL.

Shouldn't email plaintext passwords, ever. Email is not a secure way of communication. Users wouldn't delete their email. Admins can read their email from the server.

Email is rarely secure though.

A password reset link that emails a temporary password is OK in my opinion (not ideal, but a tradeoff for password resets, and perfectly fine if the site actually forces a change on logging in with it), but "Thanks for registering, your password is foo" is not, as then the user has to change it (and some exceptionally bad sites may then email them that password as well).

It does mean that passwords aren't properly hashed. They may be encrypted, but that still leaves open the possibility for an engineer or attacker to have access to plain text passwords.

No, it does not. You can receive the password, email it to creator, hash it, and then store it. It's not ideal because you now expose it in plaintext in the original email, but you aren't storing plaintext.

You're right. I missed the "when they create their account" part.

No it doesn't, the registration email can be sent before the password is hashed.

The reason for the 6 digits is probably linked to PCI DSS compliance where agents are allowed to view the first 2 and last 4 of stored card numbers.

The first digit of a credit card number identifies the type of company the issuer is, e.g. 1 is an airline, 3 is a travel agency, 4 and 5 are credit card companies, 7 is an oil company. The final digit is a checksum. Two things about this baffle me: 1) that websites feel the need to have a dropdown to identify what sort of card you have instead of just figuring it out and 2) why they need to ping it off the issuer's servers to detect you've entered an invalid number e.g. a typo.

Back when I was doing payment code, I built several sites which didn't prompt for the card type, since (a) the first digit identifies the association [1] and (b) the processor doesn't usually care anyway, i.e., you don't need to submit a card type value along with the rest of the transaction data. Most of the clients for whom I built these sites complained about the lack of a dropdown, and were not terribly receptive to my explanations on points (a) and (b) above; their line of thinking on the matter was that people expect to see a card type dropdown, and will complain in its absence. I rather doubt that's true, but I have also never considered it really my place to argue too strenuously against a client who refuses to let me save them money, so more often not I ended up adding the dropdown anyway.

[1] 3 = AmEx; 4 = Visa; 5 = Mastercard; 6 = Discover.

During my time working on websites for a retail company the imagery of the credit cards accepted were considered important. They would even be on pages that just mentioned taking payments before you get to the actual input page.

One reasoning is that it is a sort of reassurance, much like the stickers you see on doors of retail locations that show which cards they accept. It's a reassurance in the idea that if you're deciding if you want to make the purchase or not, that the site will have no problems in accepting the payment option you would like to use. Plus, in a strange sort of way, it implies the site is a valid on-the-level company because surely a credit card company would come down hard on a scam site for using their copyrighted visual identity.

There's not much valid reasons other than it's a visual thing for customers. Although I always suggested using the method of displaying the type of card after starting the number, that goes against the reassurance thing. If a customer has two different branded credit cards, they know up front if one or both will be accepted. Otherwise they have to start typing to find out, which is work for the customer. You always want it to be easy for the customer to spend money, no second guessing.

All of what you say is true, but I was referring to a dropdown or radio button set for choice of card type, and not the card type images themselves, which I always included unless the client preferred otherwise -- something I don't remember ever happening, now I think back.

One simple solution that I like:

- You have a row of credit card icons. By default they are in full color.

- These icons react like buttons (hover shows clickability) and act like radio buttons if clicked -- all the others gray out.

- When a user starts typing a credit card number, it selects the appropriate icon if not already selected (graying out the others).

Because they aren't radio buttons (or a dropdown), it doesn't force people through the step, but because they can act like radio buttons (providing only visual feedback), they don't confuse anybody who thought they were supposed to be there.

The forms I've used that feel the most natural do something like this.

I may be talking out of my ass, but if I recall correctly back when I had a merchant account I may have been required to add that drop-down even if it was meaningless.

Images were preferred, but the names themselves would suffice for much the same reasons.

You should have given them an read only box with javascript that automatically populates it and REALLY knocked their socks off.

I agree- there's no need to get people to choose the type of card however for 2), that's not always the case.

Pretty much all cards can be validated with the Luhn algorithm in js. See http://stackoverflow.com/questions/20725761/validate-credit-...

The card number can be validated, that doesn't make it a valid card. You still have to ask the issuing bank whether the card is an active account, whether it has the funds for the purchase, etc

Yes - things such as two transposed digits can easily and should be trapped on the client side.

Does Go Daddy require recurring payments or can you pay for a couple years up front? If so you could have generated a one time card number OR had been issued a new card since you paid you you might not even know your card number. How would this even work for everyone?

https://www.namecheap.com/ accepts bitcoin as payment to avoid this situation.

You can pay up to 20 years in advance on a domain with GoDaddy if I recall.

I actually think it was 4.

GoDaddy requires 6 digits, but the agent let the attacker guess 2 of them (repeatedly, until he got it right). That's truly awful.

I thought everyone knew not to use GoDaddy after the SOPA incident. Hopefully this will convince more people to move their domains to a domain registrar that cares about its customers.

SOPA was from one person (in-house counsel) and was not and is not the sentiment of c-level management or any employees I've ever talked to.

totally off-topic, but because of the SOPA nonsense I've slowly moved my 40-or-so domains to namecheap during 2013 when their renewals came up. I was otherwise ambivalent about which DNS service/registrar to use before that incident...

but thank you for helping the guy get his twitter account back and fixing up the internal controls.

Sometimes you're forced to use godaddy.

I wanted a domain that had been registered with godaddy, so I needed to backorder it through them, and register it through them.

The attacked got the last 4 from Paypal and Godaddy asked him to guess two more digits.

Guess from a fairly limited set as well, it wasn't all numbers 00-99.


Something isn't right. They ask for the 2 digits before the last 4, and then let him guess the first two.

I'm really interested to see godaddy's response to this...I'm sure paypal records their interactions, I would imagine godaddy does as well. Hell, I called Avis about something 2 months later with a dispute and they pulled the recording to make sure I wasn't BS'ing them.

I feel bad for this guy, and twitter needs to do the right thing and return to him his handle.

Then I can come back here and post nasty comments about squatters.

Yes, absolutely.

The guy has given a clear and convincing story of what happened. I'm sure that it would be pretty easy for someone on Twitter's security team (assuming that they have one) to verify that the username was taken when he said it was.

I don't know what I find more shocking -- that PayPal would actually give the last four digits of a credit-card number to a complete stranger, that GoDaddy would let someone guess a two-digit number, or that a credit-card number is all you need to identify yourself. (In Israel, it's common for companies to ask for the last four digits of your credit card number in addition to other details, but never on its own.)

Actually, I'm willing to believe just about anything about GoDaddy. But PayPal is known for being surprisingly harsh and paranoid about security, shutting down accounts and holding money when they suspect problems. It's sad and rather surprising to me that they're willing to give out such information so easily, unless you specifically ask them not to. Shouldn't it be the other way around, that they refuse to provide such details unless you allow them to?

I really hope that Twitter and PayPal apologize profusely to this author, and undo the damage they've done as best as possible.

Do you mean Godaddy and Paypal should apologize? I don't think twitter did anything wrong yet. They are just looking into what happened.

Yes, I meant that GoDaddy and PayPal should apologize.

Twitter should look into what happened in this specific case, and somehow (if the posting is right) return the username to its original owner.

But there does seem to be something terribly broken here if it's possible for someone to get another person's Twitter account, and for it to take a full investigation to get it back to the original owner. And for not having better procedures in place, I think that an apology wouldn't be unreasonable.

In general, it seems to me that demonstrating empathy for your customers is a pretty reasonable strategy. Even if they didn't do anything wrong, and before they have finished this investigation, they can show that they care about the people using their system.

I don't think that Twitter could go wrong by saying, "We now see that we need to make it harder for scammers to switch the ownership of a Twitter account, and are looking into how to do so without hurting our legitimate users."

The Twitter account wasn't actually compromised. The guy was blackmailed to hand it over. It would be pretty nice of Twitter to hand it back, but it's really hard to fault them, and it's especially hard to fault them for not just reassigning the account without a very careful investigation - what if the writer of this article is actually the guy trying to steal the account from someone else, using this article to bully Twitter into a swift response?

This sounds relatively easy to verify, as the guy seems to be well known and the founder of an SF-based startup.

It's not about his identity, it's about the legitimacy of his claim to the account.

Just for the record, I have no reason to believe he's saying anything less than the truth - but I can't fault Twitter for basically presuming malice until they have conclusively documented the opposite.

Exactly, they're doing the opposite of what PayPal and GoDaddy did, which is correct.

The problem is stealing @N is, someone will have to use it one day. How can they hope not to be traced?

The hacker sells it anonymously to someone who isn't aware of the controversy or who doesn't care. It will probably shrink the value of the username but I bet it's still worth something.

Selling is prohibited by the TOS, so if the buyer does their due diligence they know what risk they're taking

So is selling accounts in MMOs etc. Doesn't mean it doesn't happen.

Might piss off the attacker pretty bad, though. Not saying that's wrong, just that resulting shenanigans might be a little asymmetric.

"that resulting shenanigans might be a little asymmetric. " - What does this statement even mean? You should think before you just throw a load of cliches into a sentence.

As in the attacker would be able to pop up and attack the original user of @N at will for what might very well be a vicious attempt to take over or destroy as much of his digital holdings as possible.

The grandfather post is referencing asymmetric warfare[0] which would be a pretty decent name for what could happen. I don't think he just threw some cliches into a sentence.

[0] http://en.wikipedia.org/wiki/Assymetrical_warfare

Naoki has already made changes to prevent this type of attack from working again (e.g., removing credit cards from Paypal, moving his domains from GoDaddy, etc.)

Hopefully the attacker didn't back up a decades' worth of his emails.

The attacker never got access to the victim's email accounts. He changed dns records to point to a different server. So he would have gotten some new email emails during the time he had the MX records pointed at his server (and he could have used that time to gather additional information), but he couldn't get to any existing emails.

Where there is a will there is a way. It's easier for an attacker for find a way in than it is for you to secure everything. The point is the attacker has the edge when the name of the game is, for lack of a better word, terrorism.

That is a perfectly reasonable comment and it makes total sense. You are being needlessly rude and obtuse.

Any thoughts why the attacker would tell the guy how he did it if this is the obvious solution?

I guess it's that "security researcher god complex" many security people show. They come around, fuck up your daily routine and expect you to be thankful for making your day hell.

This is correct. "Let me explain to you how smart I am"

The attacker was hired and once he finished the job he had no reason to be mean to the guy or not help him to improve his security. Maybe he even is a security expert that was in need of a bit extra cash and picked up this job.

Reminds me of this Seinfeld episode where Jerry calls a car thief :)


Narcissism. Ooh look at how clever I am! I'm so smart! Please victim, will you validate my cleverness?

An attempt to induce Stokholm Syndrome?

Yeah why is that attacker so nice and kind? No joking, it's bad for their business.

Maybe just 'pride' of what he accomplished.

Or an axe to grind.

Perhaps he has something against GoDaddy (many do) and/or PayPal (again, many do) so took the opportunity to make them look bad by making sure that their effective complicity in the hack is well known.

Heads really ought to start rolling at PayPal. Their general approach to security is, quite frankly, appalling.

Is there any possible rational for Paypal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.

And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.

Ironically, PayPal's core business _is_ security.

The founder's interview [1] describe the beginning as a constant race against fraud, which no other bank was willing to compete in: "You're going to go bankrupt when the chargebacks start".

The was a locked room with a screen-and-keyboard-only computer where you could research about transactions and find suspicious and fraudulent ones. According to the founder, it became PayPal's core asset.

[1] in the book Founders At Work, which I recommend.

The attacker was posing as a PayPal employee, not the card owner. Of course, PayPal still needs better security, but posing as an employee of the same company is a classic social engineering exploit.

And that part was never really answered either. How can he pose as an employee calling in from an outside line? Does PayPal not tell you when an extension from PayPal is calling you?

Who cares what number the call was coming from. Security 101 for these phone techs should say something like "don't give out any information over the phone, even if the CEO calls and threatens to fire you if you don't." Or better yet, have much stricter protocols that deny the phone tech access to the information, so even if the caller threatens the tech personally, the information is safe.

he was probably posing as an employee of the account holder, not paypal

Ohh, good point. I never thought of that. I assumed employee of Twitter as well.

Seems like Twitter could easily verify the story based on their own logs and then restore access to his N account. He doesn't mention pursuing that, though.

Have just been talking with him. He first asked Twitter for it back on the 20th of Jan. 8 days ago.

(I work at twitter but don't have anything to do with account security, etc)

I think something is in the works...

Let me know if you need a copy of emails :)

This thread could be renamed "How I Lost My Job at Twitter"

He said he wasn't using it much. Thus, isn't he basically a squatter?

He's definitely a squatter. If you own something and you don't use it, you're a squatter. I own an old original Nintendo that I haven't used all year. That's why if someone comes into my house and takes it, it's my own fault.

He has 15,000 tweets, but basically stopped tweeting in 2013. I wouldn't call him a squatter.

I tend to disagree:

The right of ownership includes to right to use what you own in your own way.

The ownership of twitter namespace is Twitter's alone, not the user's

IIRC, Twitter officially doesn't allow you to sell your handle.

I did not know that but I'm not surprised.

There's an agreement between Twitter and each user. And depending on the name used, Twitter users have own rights too, trade marks and of course domain names are examples.

I'm not using my home tomorrow morning. Is it alright for just anyone to go in and take ownership of it?

In a naturalistic sense? Yes. You only have a "right" to anything you can defend.

In which case, once I return in the afternoon I will be entitled to shoot whomever is there for trying to steal my home. I'll be 'naturalisticaly' defending it. Sounds like a great way to run a society. I better make sure I have a bigger gun than the rest then. (edit-language)

Is shooting people your first go-to for defense? I prefer arguments and evidence presented to institutions who have both been given permission to shoot people and are willing to do it on my behalf pending their judgements of my arguments and evidence.

Of course, if the institution's judgement is that people can take things that I'm not using at that exact moment, and it is not interested in intervening, then it's not my 'right' to leave my house alone for the day.

Turns out my rights are entirely dependent on the amount of guns I can bring to bear vs. the amount of guns somebody challenging my claim can bring to bear.

When an armed intruder is breaking into my house? Yes shooting them is in fact my first go-to defense. When someone else is intending to do harm to me or someone I love I'm not going to wait around for the police to get there 30 minutes later. All the police are going to find is my dead body by then.

He was talking in a 'naturalistic' way so I responded in kind. In reality if I found someone has stolen my home I'd call the authorities unless of course I feel a danger to my life in which case, had I not lived in the UK where guns are illegal, yes - shooting them would have been the first course of action. That is nothing to do with law or ethics, and lots to do with survival instinct.

Actually, castle doctrine does give you the right shoot someone breaking into your home in almost every state. It is exactly the way our current society is run.

chmars, I think he was being sarcastic.

Let's not confuse digital "property" with physical property. It's disingenuous at best, flat out wrong at worst. On top of that, you don't own a Twitter handle, or for that matter a domain, you rent it.

I understand it was a sarcasm, but there's one difference between the two. A Twitter handle or a domain name is something unique as opposed to a game console of which there were millions of copies.

So if I have a unique object that I don't use or look at or whatever one does with unique objects (say, a piece of art or something), I'm a squatter and its perfectly ok for someone to take it away from me?

Too bad then for the company named "N." They'll have to go with N_company or N_inc or N_co or get really creative if those are taken. There's probably only like 500 names they can choose from relating to "N."

If the username was worthless, no one would have stolen it in the first place or offered $50,000 for it.

... and it still involves the right of selling the account at the price he wants, even if he's squatting.

Twitter's official policy is that an account becomes inactive after 6 months - at that point, they reserve the right to release the account (in practice they rarely do this, though - there isn't an automated job releasing inactive accounts or anything)


@N (now @N_is_stolen)'s last post was 4 months ago, so he is still technically considered an active user.

Activity doesn't require the creation of a tweet though. There are plenty of active accounts where the users just read.

And there's nothing wrong with "just reading". Plenty of people post 100+ times per day and say nothing interesting at all.

Most of the userbase.

That is what I do.

Less than 10 tweets in 3 years and all I do is read other tweets

Doesn't using Medium also coutn as accoutn activity?

Not logging in for months or years at a stretch counts, IMHO.

No one said he didn't "log in" for years. You can log in every day and leave no trace.

He tweeted pretty heavily previously. Was one of the small team who made @echofon. He'd reduced his tweeting, but was still using the account in other ways.

It depends. I know of several people who have Twitter accounts so they can follow other people, but they don't tweet much (or at all) themselves.

But you can use your twitter account to log into some websites now.

Not using something much is not the same as not using it at all, nor is it the same as not planning to use it in future.

It doesn't appear that he is trying to sell it, which is the usual behaviour of an account/name squatter.

I have several domains that I plan to use for little projects over the coming year (though given my lack of free time right now that may not happen like it didn't last year...). Am I a squatter for having paid for something I intend to use but have not got around to doing anything with yet? A couple of them are password/credentials related, for an example of a squatter talk to the person who owns password.net and sends me unsolicited email regularly trying to get me to offer to buy it as it will "help my brand" (the names I've got are the intended "brand", the generic short name is worth no more to me than standard registration fees - who slaps short names into their address bar instead of using a search engine these days?).

No. A squattor who takes over something that is abandoned or little used. Someone who does the abandoning or little uses the thing they own is the one being squatted upon.

Now I reread that, it sounds a little... sexual.

If he was trying to shake down someone who had a legitimate claim to it, yeah. Otherwise he's just a speculator, not a squatter. Or an opportunist maybe.

Ya, the fact that he tweeted a grand total of twice in 2013 (see https://twitter.com/N_is_stolen) makes me have a little less sympathy.

I'm a very casual and infrequent tweeter, and I can't fathom how that makes my username 'up for grabs'. Sorry you have such a twisted view of username ownership :/

Oh it definitely doesn't make your username 'up for grabs'. What happened to you totally sucks and I hope you manage to get your account back.

That being said if you're not actually going to use your account you might want to at least consider giving it to someone who would put it to more active use. Just a thought.

I've been actively using the account for other purpose than tweeting, and had a vague plan to start using it for tweeting again. Should I have mentioned the plan publicly so that the attacker would have refrained from blackmailing me? I don't think so.

Someone offered him 50 grand for it, and he turned them down. I would be surprised if he hadn't considered it at that point, if not previously.

This COULD make sense. Are all other names taken up on twitter? Is it difficult to tweet without using the @N name? I never used twitter before.

Maybe google.com should have built their web site on kljasdklfjnaksdfn.com instead. That would have worked out just as well for them right? I haven't used the web very much.

While sympathetic - I'm also slightly amused at your twisted view about twitter name/account "ownership"…

Just how much of the "real world" law you're alluding to by using the term "ownership" do you suppose applies to Twitter handles? (or Gmail addresses, or Facebook pages, or even domain names?)

I don't think the user 'owns' it at all. I mean, it's pretty obvious that you're just laying claim to some set of bits in somebody else's system. I'm not confused about that :)

I just don't quite see how a username is 'owed' to other people who would use it more, either.

The twitter namespace is property of Twitter alone. It's cute that there are those who think the "owners" of these names would be each user.

Well, OK, but a certain level of assured "ownership" is beneficial to everybody. Twitter handles, email addresses, mailing addresses, phone numbers, etc., would not be very useful if Twitter, ISP, postal service, telcos, etc. frequently exercised the right to deny access to previous users at any time.

Seeing how easily GoDaddy handed over the domain, it seems one can't even own a domain properly, and that is supposed to be a lot closer to an "ownership" right than Twitter handles.

I really don't understand why people still use goDaddy. i wouldn't recommend it to my arch-ennemy

The difference between some of those and twitter's namespace is that Twitter is not a public utility. It is a privately operated company with a defacto monopoly on short status updates (micro blogging).

We could look towards email and dns, though, as examples of a more fair distribution of namespace resources.

Organizations would do well to investigate what their options are to retain control over their namespace, lest it fall whim to a mishap such as this instance.

while it clearly doesn't, I wonder though if someone is using twitter so infrequently they would even care what their handle is. It's not like it has any intrinsic value or meaning. Why not just pick a random guid and use that as a handle (like I did) since I don't care one hoot what the handle is as I use twitter for exactly two things. Machine Learning datasets, and following a dozen or so people. I can do that from a guid as effectively as if I had @2600

If someone had a Mercedes and only drove it twice a year, is it OK for someone to steal it?

No. But I'd feel less bad for that person than someone who drove their Mercedes every day and had it stolen.

Also, a Mercedes and a twitter handle (or domain name) aren't exactly the same thing as a twitter handle is a unique owner of a particular pice of the namespace.

A better analogy would be an owner of a valuable piece of property who wasn't putting it to good use.

> A better analogy would be an owner of a valuable piece of property who wasn't putting it to good use.

So if you were not putting your backyard to good use you would not feel too bad if your neighbors decided to encroach on it?

I have a friend with family in Venezuela. A few years ago, Chavez decided that underutilized land is suddenly free for the poor to squat on. Their family member had bought the land after saving a long time, and was now saving for the funds to build a house on the land. Now the land is gone.

The GP's analogy is extremely weak.

Land is a bit different; there is a fixed supply, and you are not sovereign over it (unless you're the prince of a principality). Depending on the legal system of the country you're in, your ownership isn't really ownership to do with as you see fit - you normally can't pollute on it, can't build without permission, often don't own it all the way to the core of the earth, almost never own all the space above it, etc.

I think you're deliberately not hearing what I'm saying. Here's a good analogy:

Some rich guy buys an amazing house on a beautiful California beachfront. But then never even bothers to stay there because he's got 3 other vacation homes. It just sits there empty all year long.

Would it be ok for someone to break in and start living there? No, of course not.

But you do have to kind of dislike that guy right? If he doesn't want to use this limited and valuable resource he should maybe give it up so someone else can get good use out of it.

If I own it, it's none of your or anyone else's business what I do with it. One should neither pass judgement on how I use it, why I use it, or if I use it, because it's mine (provided what I do with it isn't criminal in nature). Dislike != ok to take my shit.

Did you even read what I wrote?

"Would it be ok for someone to break in and start living there? No, of course not."

Dislike != ok to take my shit but it's still dislike.

I am trying to understand what you are saying.

I understand that you have not said that the situation the OP faced is deserved, but you don't feel too bad about it.

Unfortunately your defense does make it seem that you are not completely opposed to a framework that would take back "limited resources" not being used well. Most likely this is not your intention at all.

I often come across businesses/store locations and most importantly domain names that are not using even a small fraction of true potential. I do feel sorry for them, but I can't say I dislike them, they might dislike themselves if they knew what I knew.

The only way I can fathom the minutest possibility of disliking them is if they knew how to thrive and did not do anything, if it was common knowledge on how to do it right, but they chose not too.

Unfortunately most people don't know how to use potential or don't recognize it at all, can't dislike them for trying though.

EXACTLY. Same thing happened to a friend of mine who was working overseas all year long.

Somebody just moved in and started living in his house. And just tossed all of his personal belongings out.

To be honest, I kind of disliked my friend for a while.

> If he doesn't want to use this limited and valuable resource he should maybe give it up so someone else can get good use out of it.

You mean Communism?

No! We aren't talking about every property ever. Not your backyard, not your car and not your water bottles. Valuable properties. Nobody cares about @d7a8df74a98d or www.fe5461d77vvc.com. We're talking about crumbling buildings near a national monument, or in the technology field, m.com or @N. Domain squatting is awful. Is it genuinely that unintuitive to you?!

And if seizing it is too "communist" for you, then enormous taxes should be close enough to socialism.

Communism would be suggesting that the government should force him to give it up.

There's nothing wrong with advocating the concept of sharing when a person obviously has more resources than he could actually use.

So a minute ago you're saying that a Mercedes can't really compare to a unique Internet handle but somehow owning 4 houses is comparable? I'm really not following your analogy.

Twitter handles are free and multiple tweets are free.

There is no reason he should have to give up @H just because he isn't utilizing it enough. The person that got it better not send a single tweet shorter than the maximum to fit your logic.

As far as I'm concerned, yes, it would be okay for someone to start living there, and some jurisdictions at some times have had squatting laws that recognize this. Land is essentially a public resource; unlike manufactured goods, I can't create land, and if I claim ownership of a piece thereof, I can only do so by denying use of it to everyone else; the "it's mine and I'll do anything I want with it" property rights that correctly apply to manufactured goods, don't entirely apply to land. A case could be made for saying the same thing of public namespaces.

What's funny about this discussion is that many states in the US have laws for this very purpose - known as Adverse Possession. If you occupy a piece of land unchallenged for a period of time (often long, like 10+ years), it becomes yours.

Yes. This is the point of adverse possession: http://en.wikipedia.org/wiki/Adverse_possession

Land should not remain unused.

Why shouldn't it remain unused?

"They paved paradise, put up a parking lot." Joni Mitchell

IANAL, but I have a hard time believing that a court of law is going to issue a judgement of adverse possession where the perpetrator used fraud/identity theft, extortion and blackmail to come into possession of it.

Good analogy. Another one is email. If you used an email address for personal conversations and commercial transactions, that should not entitle you to keep the email address. You should give your email address to another person that wants it.

For example, I used one email for most of my life. But recently, I stopped using that email address, and have used another one due to wanting to boycott that company. Since I no longer use that email address, I should have to give the password to another person. This is just the right thing to do in all cases.

That would FREE UP a lot of email addresses. If you have any email addresses that you do not need, you are obligated to give your password to another person. If you don't, then they can't use email.

Just make sure that if you use that email to sign in to other websites using that email and password combination, go to all of those websites and notify your friends that you are giving your email to someone else and you are not the same person if you see future comments using that name.

I'd have a hard problem going to every single website where I ever made an account and changing the email preferences.. Assuming I'm a normal human being, there are bound to be sites that I forget about and someone dedicated enough could then get access to my accounts on those sites.

Not a security risk I'm willing to take, when I could simply leave that email address dormant. There's not really a huge shortage of good email addresses if you're willing to pay $10 a year for your own domain.

You might want to mark up your sarcasm slightly better as people are already falling for it in other posts you made.

Poe's law and all that.

Some email providers actually already free up dormant email addresses for the public to register again. This poses a problem for exactly the reasons you described. I believe hotmail does, for example.

To use Twitter, one does not have to tweet.

If you're not interested in creating tweets then you don't really need to be taking up such a valuable piece of the namespace.

Why is it valuable? What amazing things are other single character handles being used for?

Or is it just vaguely notable?

harry works around people that pine for vanity usernames. vanity = big deal in those circles. who knows why. not bad in itself.

places like foursquare, people know people at twitter. if your outside the valley twitter won't even help you when the autosuspender mistakenly pops your account but valley/connected people call an investor or executive and get their vanity handle in hours. seen it happen twice.

it's all who you know and never forget it. when i dealt with twitter support as a normal the disparity between insider service and official was pretty amazing. they are the worst of the valley backscratchers.

bet they would have taken @n if the right person called. what would you do, sue?

Twitter never would have taken @n if the right person called.

Up until maybe 18-24 months ago if you knew the right folks you could generally get an inactive account released but even that is pretty much off the table at this point.

All industries have insiders. In some you can get a twitter handle, in others hard to get concert tickets, in others I bet it's early access to the latest in air ventilation equipment. It's not malicious. It's just personal relationships.

Apparently (according to the author of this blog post) it's worth 50k. That's at least moderately valuable.


So if I don't really use my $50k collection car, it's as bad if it gets stolen?

This story is horrifying because PayPal was the enabler.

PayPal gave the attacker the last four digits of my credit card number over the phone

That person should lose their job if it is not PayPal policy.

I really hope by some small chance the person that did this gets some serious prison time, if not for this then anything else prior or down the road. Then maybe one of those mornings they wake up in prison they can ponder if it was all worth it.

It's possible that this was gross negligence on part of the employee and that the thief just got really, really lucky - but that seems unlikely.

This is a systemic fault of PayPal and firing a lowly phone-jockey will not solve that. There are computer system protections that were clearly not in place (the representative was able to see this data on the screen, rather than having to enter it blind and have it validated - or, if they did, they had infinite re-tries which is also bad. Three wrong attempts, and the account should be locked and have to be escalated) but there are also culture/training problems: Until otherwise satisfactorily proven, anyone calling must be assumed to be in bad faith when they call. A representative with this mindset would not let a caller start guessing the "password".

See, that "account should be locked" is what got people to hate Paypal in the first place - they used to be quick on the trigger, wrong IP = locked account; transfer to new account = locked account, etc. And it took 1-2 weeks to restore.

Now they laxed the security somewhat and people give them sheet for that... There's no winning for them, is there?

But really, the employees should not give away any user information, ever. It should be a one way street here. That would have stopped the attacker in this case, as well, I believe...

I didn't mean locked from transactions or logins using existing good credentials - I meant locked from front line customer service reps accessing its details.

If you loose your credentials and the token that you can use to recover your credentials with (credit card number), it's fine, even preferable, that it takes 1-2 weeks to recover them.

Also, people don't seem to be up in arms over PayPal freezing funds on suspicious activity for 1-2 weeks. They seem to be up in arms over funds being indefinitely frozen with no recourse for the unambiguously legitimate account owner.

They're never indefinitely frozen - you can transfer them to your bank account after 6 months, that was always the case.

People have a problem with sending their credit card scans, driver's license, birth certificate, marriage certificate and their first born in order to remove those dreaded limits that seem to be imposed for little reason :-).

I gotta say that's not the case anymore, at the very least they don't limit the account for paying too much on eBay or logging in from a different IP in my experience (and that's a good thing).

I wonder if David Marcus can help here.

This wasn't paypal's fault. I mean entirely. The problem was with goDaddy. The last 4 digits of credit cards show's up everywhere. Check your receipts. Related question in stackexchange: http://security.stackexchange.com/questions/37758/safety-of-...

GoDaddy should not use the 4 last digits as a way to confirm identity, exactly for the reason I mentioned above

PayPal gives out info to someone completely unverified and it is not their fault?

It would be one thing if this was a spouse or someone intercepting their physical mail. It's not. It's someone out of the blue who called PayPal to get the last four of a complete stranger.

GoDaddy's verification is bad too but at least they had some kind of attempt.

Why oh why do people support GoDaddy?

I find their TV Commercials the worst and makes us as a community go back to the 1950s stereo types????

Love it when I help churches with their websites and it has a GoDaddy account :(

I believe that it is ISO 9001 (quality assurance) that states that a company must be able to audit any stored data and data changes dating back some time. Judging by Paypal (specially for being a financial company), Twitter (for being an open capital company), and GoDaddy's size they may all comply to ISO 9001, but I'm just guessing.

Anyhow, if any of them actually comply to ISO 9001, it is possible to audit previous data to establish the true identity of the owner in some arbitrary date before any of this happened.

Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.

Everyone looks bad here, but I want to focus on Twitter. For me this case is yet another demonstration that Twitter sees its customers as advertisers and places low priority on the community.

I pay Twitter nothing, and yet the service is valuable to me. So instead of continuously crippling the service in the name of goodness knows what, why not actually charge users for a premium experience. Things like customer service that works, a gold member status flag, controls on swapping account ownership, analytics and so on. Offer 3 paid levels - personal, business and corporate, and obviously keep the free level forever. Once revenue comes from customers, then perhaps it will help in understanding that while other revenue night be larger, the true value of Twitter is derived from the community.

> So instead of continuously crippling the service in the name of goodness knows what, why not actually charge users for a premium experience.

Because then they couldn't justify their $50 Billion valuation. They'd "just" be a $1 billion company or something.

Sites like Twitter or Facebook could be perfectly fine profitable ventures that worked in their users' interests. But instead they got unobtainable market values, so they have to look like they're on track to meet them, and the easiest way to do that is to exploit their users.

I constantly think this about free services. There are a lot of things I'd love to pay a small monthly fee for that would give me peace of mind that the company is actually going to try and do things in my best interests and not in the interests of it's real 'customers', the advertisers.

Just today I got a notification from Facebook saying that videos are going to play silently automatically in my feed on my phone, meaning that if I'm on mobile data, my cap will be used quicker. This is the kind of thing I'd like to be able to pay to avoid.

Or look into alternatives in the microblogging space. What ever happened to Status.net/ostatus?

But the problem with alternatives is the fact that they're alternatives. Not what other people are using. If it's a social app, it's important.

I dug a little deeper, and ostatus is a currently working group committee within the w3c.

If I was the cio at oh, say an org in the public realm (generic government agency for example), I'd rather have control over the publishing and namespace of its tweet-like messages rather than putting every egg into the single-basket solution. Who knows if twitter will be around 20 years from now?

The nice thing about standards is that there are so many to choose from.

They started pump.io instead. Which is a much more low-level project than StatusNet. Trying to build a federation-server that other people can make services on top of.

Trying to win a market that way. If only one popular site starts to use it, -- you might be getting some network effect out of it.

I think it was a better level to work on. Let others help with the network.

An interesting point made was to avoid using custom domains for the login emails, since a DNS takeover would compromise your accounts tied to that email.

I think that's missing the point a bit. Using gmail as your primary address will make you vulnerable to Google arbitrarily (or even justified) shutting down your access. We all heard stories about that.

What you should do, is make sure that you trust your registrar. Paypal sure have some questionable practises, but the real culprit in this story is clearly GoDaddy.

An interesting point made was to avoid using custom domains for the login emails

That's horrible advice. That sort of attitude taken to the extreme means we shouldn't be using DNS for anything ourselves and put everything in Google's (or Amazon's) big bag.

Should I redirect my customers to facebook.com/company as well in fear of someone taking over my DNS?

The lesson from this whole charade is to not trust something as crucial your DNS to untrustworthy companies like Godaddy. We've heard the horror stories before and we keep on hearing them again.

Relying on Google, a company with no direct end-user support and no emergency hotline to secure the most important thing you have, DNS, is even bigger madness. I've been locked out from a Gmail account before. It took me weeks to get it back, because Google has no support.

So yeah. Get a proper DNS-provider, and don't dig yourself deeper into the hellhole you're currently setting up.

The counterargument is that Google's notoriously poor customer care team could ignore your plea when they deny you access to your own gmail address for god-only-knows-what reason. But it's still probably safer to go the gmail two-factor authentication route.

Or maybe DNS should be secured with something besides the honor system.

Agree - never thought of that before!

This is quite frustrating. I don't use Gmail or Google Apps mail, so that I can't be compromised by a malicious insider (however unlikely) or a flaw in their authentication systems. Instead my security is exactly as weak as my registrar's authentication.

Yes. This seems like his final conclusion. Gave me something to think about.

Wild story coming out today because I was just setting up a couple domains/emails today on Google Apps. There's actually a section in the process in which they suggest setting the MX TTL to 1 Week.

Wonder how would you prevent or detect this hack attempt early. Are there services that monitor for DNS changes? Could you up the TTLs on the MX records so if you did notice a breach, you would have adequate time to resolve it?

Ditch GoDaddy - They are a terrible company.

Also considering closing my paypal account now.

I'm consistently surprised at the number of complaints against GoDaddy. They are a horrible company! You get what you pay for...

Just a side note here, GoDaddy has been under new management for a little under two years. There's a lot internal changes happening specifically aimed at improving usability and infrastructure.

(I didn't know that). That's fine, but there are just SO many other companies that provide the same service...

Do it. Paypal is a terrible company who doesn't give a shit about its users.

What are the alternatives for for non-Americans?


PayPal is the only way I can get paid by my American client (in Canada) other than waiting a week for a cheque to mail, walking to the bank to deposit it, then another week or two for it to clear.

I closed my Paypal account after the whole Wikileaks fiasco. I was expecting to be a burden, but it really hasn't been at all.

One thing that people should realize in why Twitter may not respond to these kinds of issues, or may be slow to respond, is that it's probably true that lots of people buy and sell Twitter accounts, and people may report them stolen when in fact they've already sold them to someone.

This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.

So what? If Twitter returned control of a handle if someone could prove that they had recently controlled the handle, that would quickly make the handles market dry up.

Twitter has no interest in there being a handles market. In fact, I wouldn't be surprised if their T&Cs expressly forbids it.

Why is anyone still using GoDaddy?

Payment channel option is one reason. Linode/DigitalOcean for example are not available in India, due to restrictions on Debit Cards of Indian users. Credit cards are very uncommon here, compared to Debit Cards.

Btw, I personally use Bigrock instead. They have a very a good customer support.


I have been using a debit card (Visa Electron) for both Linode and DigitalOcean. Works fine.

and Network Solutions.

The 99c domain names.

Guess these still have their price...

Why did someone not sell a Twitter username for $50k?

It's against Twitter's terms of service to sell usernames. Technically. Lots of people get away with it I'm sure.


Abuse and Spam > Selling usernames: You may not buy or sell Twitter usernames.

What happens if you do, surely it's caveat emptor?

The rules only say:

"If such permission is not granted, there is no (zero) market value or worth to this account."

If you walk away, cash in hand, are you liable for any punishment other than the banhammer from Twitter?

I doubt that the $50k offer was serious. Probably some feeble attempt to scam the guy or something.

Affordable pricing. If you are used to GoDaddy, you simply ignore all the, ehmmm, special offers …

The pricing isn't even that good though

I felt very angry and uncomfortable reading that. I can't imagine being in a helpless position like that.

I lost a nice handle (@Houselogic) a few years back. Sent Twitter all the proof and email trail and everything, but they were useless. Every time I email their support, it's a new ticket and I have to explain the whole situation again and again. I gave up after two years.

Slightly OT, but someone registered a Twitter account with my primary e-mail address. I received a "Confirm your e-mail account" email with a link "Not My Account". That link brings me to a page that says "Sorry, that page doesn’t exist!".

There doesn't appear to be any way to contact Twitter about this.

Shortly after, I received a second email "Welcome to Twitter, <username>"

Going to: https://support.twitter.com/forms/impersonation

..and selecting "Someone is using my email address without my permission." tells me to submit a general support ticket. That's fine except none of the general categories has anything to do with this problem and choosing "My issue is not in the list" simply redirects me immediately to the root support page. I submitted a ticket with a different topic and have not heard back from them in a week and expect I never will.

Doesn't this mean your email account is compromised?

I doubt it. I have two factor auth set up on my email. Looking at the timestamps, the Welcome email was sent the same minute as the "Please confirm" email, so it's possible the Twitter account is not live and this was just an automatic welcome e-mail. Still, it would be nice if the "Not My Account" link actually worked properly or there was some way to contact support about it.

Maybe the "Please confirm" mail was fake and actually meant to get you to click on the "Not My Account" link ...

I found it interesting how open the attacker was about how they did it.

He probably wanted to brag to someone about how he did it. It just so happened to be his victim.

Or he felt a bit remorseful about the whole thing and figured that at least he could help the guy not getting caught in the same net again.

Don't use GoDaddy. Simple as that.

If that hadn't happened, he'd still have his twitter account.

>If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

Just google and the NSA then. Also, Gmail has an exposed password reset and social-engineerable support. A server running Postfix/Exim doesn't.

I'd consider a domain with a good registrar far more secure than google.

And we all know how this would end. GoDaddy and Paypal will try to make this right because of the negative publicity. Why does it always take a post like this to call for help?

GoDaddy and Paypal have every incentive to bury their shoddy security practices and deny everything that the OP is claiming, to avoid a PR disaster. They might quietly return to the issue later and perhaps address some of their security issues... maybe.

I don't understand why Twitter doesn't have the standard 30 day wait period on handle changes that most sites have. For a while it was a standard to not let old usernames be available until 30/60/90 days after a change, so that in the event that this kind of thing happened, it could be reclaimed with ease as soon as the GoDaddy account is in his possession.

This is a terrifying story, and I'm very glad Hiroshima wrote it, because I didn't have two factor auth turned on with my domain provider. Now I do!

It seems like if he'd had 2FA turned on with GoDaddy, this may not have happened. So rather than use @gmail.com addresses to register for things, as he recommends, just turn on 2FA with your provider. And if your provider doesn't support it, leave them and tell them why.

The admonition to use a @gmail.com address was annoying enough that I actually put up a response blog post just on this point: https://konklone.com/post/protect-your-domain-name-with-two-...

No lawyer? Any reason why none was mentioned? Extortion is serious federal crime (across state lines, multiple companies, even clear admission of guilt). At the least it would get GoDaddy's attention vs. just asking nicely.

I was surprised that the victim didn't get an attorney involved. This is an example of a situation in which a court could very swiftly (same day, usually) issue an injunction to preserve the status quo while the merits get sorted out in court. Most domain providers I've dealt with will freeze a disputed account pending legal resolution of ownership, which can be decided via the court system or a WIPO arbitration.

It is a long shot, and would take ton of money in fees mainly for a very skilled private investigator but you are absolutely correct this is one route to go.

>Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised.

Sigh I use Google Apps exactly so that I have control over the domain and aren't subject to the good will of Google. I had never thought of this particular problem. Now I don't know what to do.

This really boils down to who is a better sysadmin-- you or the Google SREs. Choose reliable and paranoid providers that actually verify your identity before shenanigans and you can mitigate the entry vector.

Yeah, I disagree with Naoki's conclusion. I'm pretty sure he just didn't have 2FA turned on with GoDaddy (which I understand - I didn't think to turn 2FA on with my provider until I read his story).

The admonition to use a @gmail.com address was annoying enough to me that I responded with a blog post: https://konklone.com/post/protect-your-domain-name-with-two-...

The real solution is to use a DNS registrar and DNS hosting that properly verifies your identity before allowing changes. Google Apps has nothing to do with it, and in fact has enabled 2-factor auth for a long time. Everyone should be using it.

Reminds me of harvesting ICQ numbers. There was a time when you could search 6-digit ICQ numbers for expired freemail addresses like Hotmail (they deleted your account after a while), register that freemail address and reset your ICQ number password to get a brand "new" 6-digit number. I think this doesn't work anymore, since most freemail hosters don't "free" expired email addresses but keep them locked.

It still works if you find an expired domain name, register the domain name and then do the whole password-reset procedure. Might be cheaper to buy a 6 digit number on eBay though :)

Maybe I'm missing something, but who uses ICQ still? And why not focus on 3-digit numbers? There's a million 6-digit ICQ numbers; not that unique.

This was ~10 years ago. 3-digit numbers were all gone. Having a million 6 digit numbers increases chances to actually get one by registering an expired domain/email address.

In times of 9 digit numbers, 6 digit numbers were still sufficiently unique :)

I still use my ICQ account.... Mind you it's combined into trillian.

This is a scary story!

Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).

Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.

So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.

So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.

> Only @israel has been officially allowed to transfer hands for money, that I'm aware of.

Twitter: "I'm sorry, you can't do that."

Israel: "What are you, some kind of Anti-semite!?!"

Twitter: "OK, OK, go ahead and do what you want. See, we're not anti-semite :)"

Well at least you didn't make some bad pun involving Israel, jews and money....

If you're refering to this: http://www.theguardian.com/technology/2010/sep/14/twitter-us...

at the bottom a twitter representative is quoted as saying that as long as they give you permission to sell/buy a handle they won't block/lock the account.

Also apparently CNN also purchased a handle[1].

[1] http://www.businessinsider.com/cnn-acquires-cnnbrk-twitter-a...

I wrote in 2009 describing the situation and asked for approval. I was turned down. Reviewing the support ticket now, I think I could have handled the sale more professionally. Maybe that's why.

How about setting up a company, GIVING the handle to the company, then selling the company?

Unless you are talking on the actual twitter account about selling it you should be fine.

If not I could just make fake email logs and report you.

actually several twitter handles have been "sold" although the transaction was done in such a way that it was not as straightforward to get around the TOS

the most famous is the CNNbrk handle

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact