In my opinion, the hacker who hijacked this guy's Twitter account didn't have ANY interest in explaining how he got to it, besides creating a hoax to confuse and divert attention. Just think about it, in just one email he puts the blame on both GoDaddy, for doing phone validation over insecure criteria (like credit card numbers), and PayPal (for giving out the last digits of the card number to a complete stranger). There might be some truth to it (GoDaddy's phone validation sucks and GoDaddy sucks altogether), but I've read the original HN thread and the majority of comments are directed against GoDaddy or PayPal, rather than the real perpetrator. There are a million ways to hijack someone's account - including but not necessarily by exploiting flaws of GoDaddy / PayPal - but I wouldn't trust the hijacker to kindly explain to me how he actually did it.
> didn't have ANY interest in explaining how he got to it, besides creating a hoax to confuse and divert attention.
Would the story have gone viral, though, had he just said, "I'm not going to say anything about how I did it."? The story would have just been another "I got hacked" story.
If the hacker were really clever enough to fabricate such an elaborate hoax, I think he would have been clever enough to realize the best way to divert attention from the story would have been to just keep quiet.
My argument is, this attention wouldn't even be here had he just kept quiet.
I don't think he was clever enough to have foresight that a) this would get this much attention, and b) he would need to deflect said attention by fabricating an elaborate hoax.
The guy was simply wanting to brag about what he did in the excitement of him actually pulling it off. I think this is much more believable than him fabricating this story.
One issue to be thought of is if he tells how he hacked the accounts, it would become difficult for him to hack some other accounts in the future. But I have found out that he has a habit of giving out advice to people. I have done some searching and found out (hopefully) who he is.
I could be wrong, but wasn't there a story a while back where someone explained how they could hack into any Apple ID account with a similar process? Didn't Linode's servers get hacked and the hacker explained the whole process?
I guess we'll never know, but last 4 digits are not difficult to get (they're on every single one of my receipts... and for all we know, this guy could be in close vicinity of him...), and making up that PayPal gave the hacker those 4 digits is a good diversion.
Clearly you've never watched a single Bond movie. The only thing a villain enjoys more than committing a crime is revealing the intricate plan by which he will get away with it.