GoDaddy And PayPal Blamed In Twitter Handle Extortion

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

GoDaddy admits it was duped during extortion attempt to get @N Twitter handle, but PayPal denies it gave away any customer data

A much-prized single-letter Twitter handle, ‘@N’, has been stolen in attacks, leaving the former owner of the name furious at GoDaddy and PayPal.

Naoki Hiroshima claims he was extorted into giving up the name, which he had previously been offered $50,000 for. In a post on Medium, Hiroshima said his suspicions were first roused by a message from PayPal with a one-time validation code.

Unbothered by the attempt on his account, he forgot about it, until he learned his GoDaddy account had been compromised. As he hosted email accounts and his own domain on GoDaddy, this was particularly bad news.

godaddylogohorizontalTwitter handle stolen

He later learned the attacker was trying to acquire the coveted @N Twitter handle, but was struggling, partly because Hiroshima had changed the email address linked to his Twitter account.

“The attacker tried to reset my Twitter password several times and found he couldn’t receive any of the reset emails because it took time for the change of my domain’s MX record, which controls the email domain server,” he noted.

Having gained access to Hiroshima’s GoDaddy accout, the attacker changed all the account details. Hiroshima was then locked out, and the hosting company refused to give him access. The attacker then askedfor the Twitter handle in exchange for getting GoDaddy access back.

Hiroshima accepted the deal.

But how did the attacker get control of his Godaddy details? PayPal may bear some of the blame. The bad guy gained the last four digits of Hiroshima’s credit card number from PayPal, which were then used to gain access to his GoDaddy account.

GoDaddy has now admitted it was duped, but claimed ”the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy”.

“The hacker then socially engineered an employee to provide the remaining information needed to access the customer account,” said Todd Redfoot, GoDaddy chief information security officer.

“The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”

Yet PayPal said it did not give away any credit card details whatsoever. “Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post,” it said.

“We are personally reaching out to the customer to see if we can assist him in any way.”

Twitter has not yet given the handle back to Hiroshima.

Can you look after your personal data online? Take our quiz!