Naoki Hiroshima was extorted into giving up his incredibly rare “@N” Twitter handle.
Update: PayPal has issued an official statement claiming that contrary to Hiroshima’s claims, PayPay did not divulge credit card information to his hacker. They did acknowledge that there was a hacking attempt on his account, but assured us that “Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post.”
In this case, it looks like it’s PayPal’s word against the word of Hiroshima’s hacker, and considering the former has much more of a reason to lie, I know which one i’m more inclined to believe.
Source: PayPal
Original Story:
Naoki Hiroshima is a blogger who, until very recently, owned the very rare 1-letter “@N” Twitter handle. The handle, which he had been offered up to $50,000 for in the past, was stolen after hackers abused security flaws in web hosting service GoDaddy and online payment gate PayPal to take control of Hiroshima’s accounts, and extort him.
Hiroshima says that while hacking attempts on his rare username were something he deals with on a regular basis, this time, it was different. By the time he had realized he had lost access to his GoDaddy account, and by association, his email, his attacker had already changed all of the account’s information, including the credit card info. He had no-way to prove to GoDaddy that he was the legitimate owner of the account.
Luckily, Hiroshima was able to change the email associated with his Twitter account just in time to stop the hacker gaining access, but that’s when the extortion started. When the hacker realized he couldn’t access the Twitter’s email, he contacted Hiroshima, threatening to bring down all of his GoDaddy domains, unless he released the @N handle.
Hiroshima, rather than risk losing his domains, released the username, and the hacker, true to his word, restored Hiroshima’s access to his GoDaddy account.
But it’s what happened next that is the most interesting part. Hiroshima asked the hacker how he was able to gain such absolute control over his accounts so quickly, and the hacker obliged.
“I called PayPal and used some very simple engineering tactics to obtain the last four [digits] of your [credit] card,” said the hacker. “I called GoDaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case).”
You read right – PayPal simply told the hacker the last four digits of Hiroshima’s credit card because he was “acting as an employee,” and then GoDaddy proceeded to let him “guess” the card’s first two digits.
In conclusion, both Hiroshima and his hacker urge us to not let companies like PayPal and GoDaddy store credit card information, and to have different email addresses associated with different accounts.
Source: The Next Web