GoDaddy owns up to role in Twitter account hijacking incident

PayPal dismissed claims that its customer service representatives were tricked into helping the attacker

GoDaddy has acknowledged that one of its employees fell victim to a social engineering attack allowing a hacker to take over a customer's domain names and eventually extort a coveted Twitter user name from him. PayPal, which the victim claimed also played a role in the attack, denied the accusations.

Naoki Hiroshima, a software engineer and creator of the Cocoyon location sharing mobile app, reported Wednesday in a blog post that a hacker successfully extorted him into giving up his single-letter Twitter user name, called @N, after first hijacking his domain names registered at GoDaddy, email address and Facebook account.

Hiroshima claims he had received offers in the past from people willing to buy his @N Twitter handle for as much as US$50,000. He also said he regularly receives password reset emails from Twitter, suggesting that the account is a constant target for hackers.

The latest attack involved a hacker gaining access to his GoDaddy account that's used to manage several domain names, including the one used for his primary email address. This allowed the hacker to gain control over the email address and reset the password for Hiroshima's account on Facebook, but not Twitter since the developer had changed the email address associated with the latter as a precaution.

GoDaddy acknowledged Wednesday that one of its employees was tricked by the attacker.

"Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy," the company said in a statement on its website. "The hacker then socially engineered an employee to provide the remaining information needed to access the customer account."

"The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers," the company said. "We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."

In emails exchanged with Hiroshima that the developer published on his blog, the hacker claimed to have first used social engineering on a PayPal customer support representative in order to obtain the last four digits of the credit card associated with Hiroshima's PayPal account.

The hacker claimed he then called GoDaddy's customer support and posed as the developer. In order to verify his identity, GoDaddy asked for the last six digits of the credit card on record. The attacker said he had the last four from PayPal and simply guessed the other two.

"I got it in the first call, most agents will just keep trying until they get it," the attacker allegedly told Hiroshima via email.

With access to the GoDaddy account, the hacker proceeded to change all information on record in order to prevent the real owner from regaining access to it. Hiroshima said he failed to regain access to his GoDaddy account, even after filing a case report and providing the company with a copy of his government-issued ID.

Suspecting that the @N Twitter user name was the attacker's real target, Hiroshima changed the email associated with his Twitter account to one registered with Gmail. So even after gaining access to the developer's domain name and primary email address, the hacker failed to hijack the Twitter account. He was, however, able to reset the password for Hiroshima's Facebook account.

The hacker then switched to extortion tactics. He emailed Hiroshima and asked him to hand over the @N Twitter user name in exchange for returning the GoDaddy, email and Facebook accounts. He also suggested that in case of refusal, he would transfer Hiroshima's domain names, an action that would be hard to recover from and which would have had an immediate negative impact on the developer's websites.

Hiroshima accepted the deal and changed his own Twitter handle to @N_is_stolen.

PayPal dismissed the claims that its employees released personal information or credit card details from Hiroshima's account.

"We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer's information by contacting PayPal," the company said in a statement Wednesday on its website.

"Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post," PayPal said. "We are personally reaching out to the customer to see if we can assist him in any way."

While he regained control of his domain names, Hiroshima still hasn't recovered the much-coveted Twitter user name. The hacker seems to have deleted the @N account following the attention attracted by the developer's blog post and story.

"It seems that Twitter simply ignored my claim and let somebody grab @N freely. Seriously?" the developer said Thursday on Twitter.

The story is reminiscent of how a hacker gained access to the Apple ID account of Wired reporter Mat Honan in August 2012 and used it to remotely wipe all data from his iPhone, iPad and MacBook. As in this case, the hackers who targeted Honan exploited security weaknesses in the customer service procedures of several companies, most notably Amazon and Apple, allowing them to impersonate Honan and obtain the access and information they needed to further their attack.

The practice of verifying customer identity by using the last several digits of the credit card on record is unacceptable, Hiroshima said. Users should not let companies like PayPal and GoDaddy store their credit card information, he said, adding that he will terminate his accounts with the two companies as soon as possible.

Following this incident, he also believes it's better to use an email address hosted by a third-party provider as a user name for online accounts rather than an email address created on a personal domain, since attackers could gain access to the latter if they hijack the domain name.

Using two-factor authentication for accounts that support it is a must, he said. "It's probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn't help for everything."

Stories by Lucian Constantin