Go Daddy Account Hacked to gain access to @N Twitter Handle


In a post on Medium, Naoki Hiroshima explains how his account was hacked, how he got no help from Go Daddy, and, the topper, how THE HACKER told him how he compromised his account.

This was one wild story to read. Naoki Hiroshima says he has turned down $50,000 for the Twitter handle @N, which he registered in 2007. His Go Daddy account was hacked, and then the hacker offered a deal: his Go Daddy account for @N.

From the article:

I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

While eating lunch on January 20, 2014, I received a text message from PayPal for one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.

Also from the article:

PayPal and GoDaddy Facilitated The Attack

I asked the attacker how my GoDaddy account was compromised and received this response:

From: <swiped@live.com> SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:53:52 -0800
Subject: RE: …hello

– I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

– I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

Go Daddy and PayPal have some serious explaining to do if everything laid out here is true. PayPal should never be telling the card owner the last four digits of their own credit card.
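An added example, not from the original post or from either company: a phone-verification check that counts failed guesses per account, replayed against the 00-09 guessing the email describes, first with no effective cap and then with a cap of three. `PhoneVerifier`, the account id, the value "07" and the cap are all hypothetical; the page does not say what the two digits represent, so they are treated here as an opaque two-digit value on file.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class PhoneVerifier:
    """Counts failed identity checks per account, across calls and agents."""
    secrets_on_file: dict            # account id -> value the agent asks for
    max_failures: int                # failures allowed before lockout
    failures: dict = field(default_factory=dict)

    def check(self, account: str, guess: str) -> str:
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"          # recovery must go out of band
        expected = self.secrets_on_file[account]
        if hmac.compare_digest(guess.encode(), expected.encode()):
            # Matching a card detail alone should not unlock account changes.
            return "matched"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "rejected"


def replay_guesses(max_failures: int) -> list:
    """Replay a caller trying 00 through 09 against one account."""
    # Constructed sample data: "07" is a made-up two-digit value.
    verifier = PhoneVerifier({"acct-1": "07"}, max_failures)
    return [verifier.check("acct-1", f"{n:02d}") for n in range(10)]


def first_match(results: list) -> int:
    """Index of the guess that succeeded, or -1 if none did."""
    return results.index("matched") if "matched" in results else -1


if __name__ == "__main__":
    print("no cap:", replay_guesses(max_failures=100))
    print("cap 3: ", replay_guesses(max_failures=3))
```

Because the counter is keyed on the account rather than on the call, hanging up and reaching a different agent does not reset it.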

Read the full story here


  • Viljami January 29, 2014, 5:13 am

    Disturbing. Social engineering is a b%”#¤. Kind of depressing to know that your super cryptic pw isn’t enough. Hopefully Medium’s front page coverage of the story enforces BigDaddy and PayPal to make some much needed changes to their authentication practices.

  • Nick January 29, 2014, 5:51 am

    Someone needs to find out the person behind swiped@live.com, locate them, and send them to prison for dozens of years. 90% of the reason this and other crimes continue to happen is that the punishment of slapping on the wrist is a joke. If some kid in someone’s basement knew that he wouldn’t see the light of day until he was 70, he might think twice about it. All nations also need to agree to this sort of crime and prosecute too or else this stuff will never end.

  • Nuno January 29, 2014, 6:35 am

    I contacted Godaddy for clarification. How could you know the 4 digits of a CC and not any other info (full cc, user, pin and password)? It doesn’t make any sense who could fall for this. If you don’t know your CC, ask your bank, it’s what you should be told.

  • Tom January 29, 2014, 7:30 am

    Are godaddy reps really this dumb that they can change all your account info based on 4 numbers? Seriously godaddy, I can’t wait till uniregistry goes live, you are going to lose 2000 names.

  • Aaron Strong January 29, 2014, 8:10 am

    For many years I was so impressed with Godaddy’s customer service and whole operation………………..They have completely “lost it”!…………….Customer Service at Godaddy is horrific, like when the “cat is away the mouse will play”……………Godaddy is in need of some serious fixing…………..

  • Nick January 29, 2014, 8:56 am

    @Tom: yes.

    I am now for 2 weeks trying to get a simple answer from GoDaddy “support”. And, as far as PayPal goes, I will never use eBay ever again after having them GIVE a product to the buyer after the buyer LIED and scammed me and PayPal. They don’t care.

    As far as I am concerned the only company with stellar anything is Amazon these days.

    The rest can use the slogan “mediocrity is our new standard”.

  • Louise January 29, 2014, 10:19 am

    @ Nick said: “the only company with stellar anything is Amazon these days. ”

    How Apple and Amazon Security Flaws Led to My Epic Hacking
    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking

    This article is referenced by link to the other article.

    Nice find, @ Morgan Linton! It’s finding its way into domainers’ discussions.

  • Nick January 29, 2014, 10:28 am

    @Louise, thanks for that. Going to bite my tongue now. 🙂

  • Nuno January 29, 2014, 10:57 am

    and another Amazon example:
    http://d.pr/n/KUMK

    “I of course ignored the first email from Amazon like I normally do with any forgot password emails I get that I didn’t initiate. Imagine my surprise when I received a second email about an hour later saying that my password had been successfully changed! I also had 3 fresh forgot password emails from Apple. It was clear I was being targeted.”
