How I Lost My $50,000 Twitter Username

I had a rare Twitter username, @N. Yep, just one letter. I've been offered as much as $US50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

While eating lunch on January 20, 2014, I received a text message from PayPal with a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.

Later in the day, I checked my email, which runs on Google Apps under my personal domain name (registered with GoDaddy). I found that the last message I had received was from GoDaddy with the subject "Account Settings Change Confirmation." There was a good reason why that was the last one.

From: GoDaddy

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 12:50:02 -0800

Subject: Account Settings Change Confirmation

Dear naoki hiroshima,

You are receiving this email because the Account Settings were modified for the following Customer Account:

XXXXXXXX

There will be a brief period before this request takes effect.

If these modifications were made without your consent, please log in to your account and update your security settings.

If you are unable to log in to your account or if unauthorised changes have been made to domain names associated with the account, please contact our customer support team for assistance: [email protected] or (480) 505-8877.

Please note that Accounts are subject to our Universal Terms of Service.

Sincerely,

GoDaddy

I tried to log in to my GoDaddy account, but it didn't work. I called GoDaddy and explained the situation. The representative asked me the last 6 digits of my credit card number as a method of verification. This didn't work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.

The GoDaddy representative suggested that I fill out a case report on GoDaddy's website using my government identification. I did that and was told a response could take up to 48 hours. I expected that this would be sufficient to prove my identity and ownership of the account.

Let The Extortion Begin

Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.

I soon realised, based on my previous experiences being attacked, that my coveted Twitter username was the target. Strangely, someone I don't know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless. The Twitter account email address was now one which the attacker could not access.

The attacker tried to reset my Twitter password several times and found he couldn't receive any of the reset emails, because the change to my domain's MX record, which tells sending mail servers where the domain's email is delivered, had not yet taken effect everywhere. The attacker opened issue #16134409 at Twitter's Zendesk support page.

N, Jan 20 01:43 PM:

Twitter username: @n

Your email: *****@*****.***

Last sign in: December

Mobile number (optional): n/a

Anything else? (optional): I'm not receiving the password reset to my email, do you think you could manually send me one?

Twitter required the attacker to provide more information to proceed and the attacker gave up on this route.

I later learned that the attacker had compromised my Facebook account in order to bargain with me. I was horrified to learn what had happened when friends began asking me about strange behaviour on my Facebook account.

I received an email from my attacker at last. The attacker attempted to extort me with the following message.

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 15:55:43 -0800

Subject: Hello.

I've seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:

I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?

Shortly thereafter, I received a response from GoDaddy.

From: [email protected]

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 17:49:41 -0800

Subject: Update [Incident ID: 21773161]  —  XXXXX.XXX

Unfortunately, Domain Services will not be able to assist you with your change request as you are not the current registrant of the domain name. As the registrar we can only make this type of change after verifying the consent of the registrant. You may wish to pursue one or more of the following options should you decide to pursue this matter further:

1. Visit http://who.godaddy.com/ to locate the Whois record for the domain name and resolve the issue with the registrant directly.

2. Go to http://www.icann.org/dndr/udrp/appr... to find an ICANN approved arbitration provider.

3. Provide the following link to your legal counsel for information on submitting legal documents to GoDaddy: http://www.godaddy.com/agreements/sho...

GoDaddy now considers this matter closed.

My claim was refused because I am not the "current registrant." GoDaddy asked the attacker if it was OK to change account information, while they didn't bother asking me if it was OK when the attacker did it. I was infuriated that GoDaddy had put the burden on the true owner.

A coworker of mine was able to connect me to a GoDaddy executive. The executive attempted to get the security team involved, but nothing happened, perhaps because of the Martin Luther King Jr. holiday.

Then I received this follow-up from the attacker.

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 18:50:16 -0800

Subject: …hello

Are you going to swap the handle? the godaddy account is ready to go. Password changed and a neutral email is linked to it.

I asked a friend of mine at Twitter what the chances of recovering the Twitter account were if the attacker took ownership. I remembered what had happened to @mat and concluded that giving up the account right away would be the only way to avoid an irreversible disaster. So I told the attacker:

From: <*****@*****.***> Naoki Hiroshima

To: SOCIAL MEDIA KING

Date: Mon, 20 Jan 2014 19:41:17 -0800

Subject: Re: …hello

I released @N. Take it right away.

I changed my username @N to @N_is_stolen for the first time since I registered it in early 2007. Goodbye to my problematic username, for now.

I received this response.

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 19:44:02 -0800

Subject: RE: …hello

Thank you very much, your godaddy password is: V;Mz,3{;!'g&

if you'd like I can go into detail about how I was able to gain access to your godaddy, and how you can secure yourself

The attacker quickly took control of the username and I regained access to my GoDaddy account.

PayPal and GoDaddy Facilitated The Attack

I asked the attacker how my GoDaddy account was compromised and received this response:

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 19:53:52 -0800

Subject: RE: …hello

- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you'd like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification. When asked about this, the attacker responded with this message:

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 20:00:31 -0800

Subject: RE: …hello

Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me "guess" for the first two digits of the card

But guessing 2 digits correctly isn't that easy, right?

From: SOCIAL MEDIA KING

To: <*****@*****.***> Naoki Hiroshima

Date: Mon, 20 Jan 2014 20:09:21 -0800

Subject: RE: …hello

I got it in the first call, most agents will just keep trying until they get it

He was lucky that he only had to guess two digits and was able to do it in a single call. The thing is, GoDaddy allowed him to keep trying until he nailed it. Insane. Sounds like I was dealing with a wannabe Kevin Mitnick — it's as though companies have yet to learn from Mitnick's exploits circa 1995.
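What the exchange above describes is an unbounded guessing oracle on a knowledge-based verifier: the caller already holds the last four digits (leaked by a third party) and is allowed to keep guessing the first two. The following is an added example, not code from the original post and not GoDaddy's or PayPal's actual system. It models a phone-verification check with and without an attempt limit; the `PhoneVerifier` and `Account` classes, the customer id, the sample card number and the attacker loop are all constructed for illustration. It also goes one step beyond the post by showing how knowing the card network (Visa numbers start with 4, Mastercard with 51 to 55 or 22 to 27, American Express with 34 or 37) shrinks the two-digit search space further.

```python
"""Knowledge-based phone verification with and without an attempt limit.

Added example, not code from the original post or from any registrar or
payment provider. Class names, the customer id, the card number and the
attacker loop are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Account:
    customer_id: str
    card_number: str      # constructed sample PAN, not a real card
    failed_attempts: int = 0
    locked: bool = False


class PhoneVerifier:
    """Asks the caller for the first two and last four digits of the card on file.

    max_attempts=None reproduces the behaviour described in the post: the
    agent keeps taking guesses until one matches. A finite limit locks the
    account after that many failures so the caller must use a stronger channel.
    """

    def __init__(self, max_attempts: int | None = None):
        self.max_attempts = max_attempts

    def verify(self, account: Account, first_two: str, last_four: str) -> bool:
        if account.locked:
            return False
        if account.card_number[:2] == first_two and account.card_number[-4:] == last_four:
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if self.max_attempts is not None and account.failed_attempts >= self.max_attempts:
            account.locked = True
        return False


def network_prefixes(network: str) -> list[str]:
    """Two-digit prefixes consistent with a card network's issuer ranges.

    Visa numbers start with 4; Mastercard with 51-55 (and 2221-2720, added in
    2017); American Express with 34 or 37. Knowing the brand turns a 100-way
    guess into a 10-way, 11-way or 2-way one.
    """
    table = {
        "visa": [f"4{d}" for d in range(10)],
        "mastercard": [f"5{d}" for d in range(1, 6)] + [f"2{d}" for d in range(2, 8)],
        "amex": ["34", "37"],
    }
    return table[network]


def social_engineer(verifier: PhoneVerifier, account: Account, last_four: str,
                    candidates: list[str] | None = None) -> tuple[bool, int]:
    """Caller already holds last_four (leaked elsewhere) and guesses the first two.

    Returns (succeeded, guesses_made). With no candidate list the caller walks
    through all 100 two-digit prefixes in order.
    """
    if candidates is None:
        candidates = [f"{i:02d}" for i in range(100)]
    for n, guess in enumerate(candidates, start=1):
        if verifier.verify(account, guess, last_four):
            return True, n
        if account.locked:
            return False, n
    return False, len(candidates)


def run_scenarios(card: str = "4532123456789012") -> dict[str, tuple[bool, int]]:
    """Run the same attack under four helpdesk policies; returns {scenario: (success, guesses)}."""
    last_four = card[-4:]
    results = {}
    for policy_name, limit in (("unlimited", None), ("three_strikes", 3)):
        for knowledge, candidates in (("blind", None), ("knows_visa", network_prefixes("visa"))):
            account = Account("XXXXXXXX", card)   # fresh account per scenario
            results[f"{policy_name}_{knowledge}"] = social_engineer(
                PhoneVerifier(limit), account, last_four, candidates)
    return results


if __name__ == "__main__":
    for name, (won, guesses) in run_scenarios().items():
        print(f"{name:26s} success={won!s:5s} guesses={guesses}")
```

With no limit the blind caller always succeeds (46 guesses for the constructed card, 6 if they know it is a Visa). A three-strike lockout turns that into a 3-in-100 or 3-in-10 gamble per call, which is better but still not a credential: the underlying flaw is verifying a customer with data that another company also holds and will read out over the phone.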

Avoid Custom Domains for Your Login Email Address

With my GoDaddy account restored, I was able to regain access to my email as well. I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address on a custom domain feels nice, but it can be taken over by anyone who takes over the domain, since whoever controls the domain's DNS controls where its mail is delivered. If I had been using an @gmail.com address for my Facebook login, the attacker would not have been able to access my Facebook account.

If you are using your Google Apps email address to log in to various websites, I strongly suggest that you stop doing so. Use an @gmail.com address for logins. You can still use the nicer custom-domain email for messaging; I still do.

In addition, I also strongly suggest that you use a longer TTL for the MX record, just in case. My MX record had a one-hour TTL, which is why I didn't have much time to keep receiving email at the compromised domain after losing control of its DNS. With a week-long TTL, for example, I would have had a greater chance to recover the stolen accounts.
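The two points above (email as the recovery root of every other account, and the MX TTL as the only thing that kept reset mail flowing to the legitimate server for a while) come down to DNS caching semantics. The following is an added example, not code from the original post; the domain, mail server names, resolver behaviour and times are all constructed. It simulates an attacker rewriting the MX record at the registrar at time zero and asks where a sending mail server's resolver delivers afterwards, once for a resolver that already had the record cached and once for one that asks fresh, with an optional cap on cached TTLs because some resolvers clamp long ones.

```python
"""MX TTL and the window in which mail still reaches the legitimate server.

Added example, not from the original post. Names, addresses, resolver
behaviour and times are constructed; time is in seconds, takeover at t=0.
"""
from __future__ import annotations

from dataclasses import dataclass

MX_NAME = "example.test"          # constructed domain
LEGIT_MX = "mail.legit.test"       # constructed, stands in for the hosted-mail MX
ROGUE_MX = "mail.attacker.test"    # constructed attacker-controlled MX


@dataclass
class Record:
    value: str
    ttl: int   # seconds the record may be cached


class AuthoritativeZone:
    """DNS the registrar account controls: whoever holds that account can rewrite it."""

    def __init__(self, records: dict[str, Record]):
        self.records = dict(records)

    def change(self, name: str, value: str) -> None:
        self.records[name] = Record(value, self.records[name].ttl)

    def query(self, name: str) -> Record:
        return self.records[name]


class CachingResolver:
    """A recursive resolver such as a sending mail server uses, with a plain TTL cache."""

    def __init__(self, zone: AuthoritativeZone, max_ttl: int | None = None):
        self.zone = zone
        self.max_ttl = max_ttl          # some resolvers clamp long TTLs
        self.cache: dict[str, tuple[str, int]] = {}   # name -> (value, expires_at)

    def lookup(self, name: str, now: int) -> str:
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                       # served from cache, zone not consulted
        rec = self.zone.query(name)
        ttl = rec.ttl if self.max_ttl is None else min(rec.ttl, self.max_ttl)
        self.cache[name] = (rec.value, now + ttl)
        return rec.value


def simulate(ttl: int, cached_before_takeover: int, probe_times: tuple[int, ...],
             resolver_max_ttl: int | None = None) -> dict[str, dict[int, str]]:
    """Where does mail go at each probe time after the attacker rewrites the MX at t=0?

    'warm' is a resolver that looked the record up cached_before_takeover seconds
    before the takeover; 'cold' is one that first asks after it.
    """
    zone = AuthoritativeZone({MX_NAME: Record(LEGIT_MX, ttl)})
    warm = CachingResolver(zone, resolver_max_ttl)
    cold = CachingResolver(zone, resolver_max_ttl)
    warm.lookup(MX_NAME, -cached_before_takeover)   # populate before the attack
    zone.change(MX_NAME, ROGUE_MX)                   # attacker now controls the registrar account
    return {
        "warm": {t: warm.lookup(MX_NAME, t) for t in probe_times},
        "cold": {t: cold.lookup(MX_NAME, t) for t in probe_times},
    }


def grace_seconds(ttl: int, cached_before_takeover: int, resolver_max_ttl: int | None = None,
                  step: int = 60) -> int:
    """Seconds after takeover during which the warm resolver still delivers to LEGIT_MX."""
    zone = AuthoritativeZone({MX_NAME: Record(LEGIT_MX, ttl)})
    warm = CachingResolver(zone, resolver_max_ttl)
    warm.lookup(MX_NAME, -cached_before_takeover)
    zone.change(MX_NAME, ROGUE_MX)
    t = 0
    while warm.lookup(MX_NAME, t) == LEGIT_MX:
        t += step
    return t


if __name__ == "__main__":
    hour, week = 3600, 7 * 24 * 3600
    probes = (600, 1700, 1900, 86400)
    print("1h TTL, cached 30 min before takeover:", simulate(hour, 1800, probes))
    print("1w TTL, cached 30 min before takeover:", simulate(week, 1800, probes))
    print("grace with 1h TTL:", grace_seconds(hour, 1800), "s")
    print("grace with 1w TTL:", grace_seconds(week, 1800), "s")
    print("grace with 1w TTL, resolver caps at 1 day:", grace_seconds(week, 1800, 86400), "s")
```

The "cold" resolver is the caveat: a long TTL only helps senders whose resolvers already hold the old record, so a reset mail sent from a server that has never looked your domain up (or whose resolver clamps TTLs) goes straight to the attacker, and a week-long TTL also means your own legitimate MX changes take a week to settle. You can read your current MX TTL with `dig +noall +answer MX yourdomain.example`; the TTL is the second column. The TTL buys time, nothing more; keeping the registrar account itself out of reach (and not rooting every other account's recovery in mail on that domain) is what actually prevents the takeover.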

Using two-factor authentication is a must. It's probably what prevented the attacker from logging into my PayPal account. Though, as this situation illustrates, even two-factor authentication doesn't help with everything.

Conclusion

Stupid companies may give out your personal information (like part of your credit card number) to the wrong person. Some of those companies are still employing the unacceptable practice of verifying you with the last few digits of your credit card number.

To keep their imprudence from destroying your digital life, don't let companies such as PayPal and GoDaddy store your credit card information. I just removed mine. I'll also be leaving GoDaddy and PayPal as soon as possible.


Naoki Hiroshima is the creator of @Cocoyon, developer for @Echofon, a father of two, and a Harley and Chopin lover.

This post originally appeared on Medium and was republished with permission.


Comments

    Not sure why you released the username.

    If the attacker was in control of everything, why did they have to give anything back to you? They could have taken the username AND kept everything else. You got lucky.

    Last edited 30/01/14 10:05 am

      Agreed, at least the "hacker" didn't just delete everything within GoDaddy.. I know people who this has happened to before (without the Twitter username exploitation)

      On the article I read (on Reddit) he managed to change the email address on his twitter account after the DNS change was made but before the hacker had control of the domain email account. And apparently he had other domains, so he chose to give up the Twitter handle (which the hacker told him was all he was after) to recover the stolen domain.

        Why would he believe a word the hacker said?
        Like I said, he got lucky this time, but it would have been simple for the hacker to keep everything after being given the twitter handle.

          He got notification from GoDaddy that the account settings had been changed. By the time he had a chance to check it out, he was already locked out of his account.
          Correct. the hacker could have kept everything, but didn't.

    I think his first problem was that his beloved twitter handle was using an email that was registered with his other domains. multi-level security and separate the accounts. better yet, you should have taken the $50k on the first chance.

      Agreed, you'd have to be insane to not give it up for 50 grand.

      I mean, as if not using 2-factor authentication in this day and age...

      Also, I was one of the first Twitter beta testers; I've got like a 4-year-old Twitter account. Had I foreseen it being this popular, I would've totally made like 1000 accounts and squatted on them lol

    Looks like @N has been suspended on twitter, maybe he will get his handle back?

      I think Twitter has only investigated because of the current viral shitstorm this story has generated over the last few days. Most of the time unless you're a verified celebrity they wouldn't bother.

    Not really surprised, GoDaddy are idiots, we host our company Website through them and have an issue where emails sent from our booking page cannot be sent to the email address hosted by GoDaddy, they are however able to be sent to ANY OTHER EMAIL ADDRESS. I have sent numerous requests to GoDaddy to find out what is wrong and they keep saying the problem is with the coding on the website even though it allows emails to be sent, as I said, to any other email.

    After a bunch of emails they finally agreed to check the code and test it themselves, sent an email and it worked so they considered it closed. Obviously they didn't bother reading my email or actually looking at the coding because they would have realised I had also put in a Hotmail account which was redirecting everything to our normal account as a work around, even when I explained this to them and the fact that if it was working then 2 emails should have come through they still refused to accept it. Complete tools!!

      *Possible cause*: it sounds like GoDaddy's edge firewall is filtering SMTP on either or both the sender address or the sender IP address. In your case, it sounds like GoDaddy is sending email to GoDaddy, which would look like:
      Sender: [email protected]
      Recipient: [email protected]
      This is a common mailspam tactic where spammers spoof the sender address in order to bypass weak firewall and mail filter rules. It's possible that GoDaddy have rules in place to block any incoming mail which could consist of a few or all of the domains they control. It's not often that you need an email from your own domain allowed through your firewall to a recipient with the same domain suffix. In most circumstances this is all internal traffic and it would never have to traverse the firewall for it to be accepted, it'd go from one internal user to the mail server then straight to the other user.
      It's a good thing to have in place, I'm surprised though that they haven't whitelisted their own IP address as a kind of 'accept all mail from this source ip' which would bypass all of this. Assuming of course that the system they have in place is a good sane system. Hah!

    Jesus. There's some major institutional failure right there. Lucky I have a name no one could want :P

      I'll trade you two buttons and a stick of gum I found in the back of my car?

    If those companies had any decency or smidgeon of business ethics they would actively be trying to resolve this as a priority and restore what is Naoki's property.

    He's barely used the twitter account. He is crazy for not selling it for $50k

    Sounds like someone is crying over an opportunity lost.

    Bet you thought that by holding onto it you could get more money. Just goes to show, greedy piggys get nothing!

      Exactly what I was thinking. Who needs a $50k handle?? What an amateur.

      Sounds like someone is crying over an opportunity lost.

      I read it as a story of online security failure.

      - The last 4 digits of his credit card number was provided to a hacker over the phone
      - GoDaddy accepted the last four digits of his credit card as verification
      - GoDaddy let him guess the first two digits.

      It's a warning not a sob story.

        This is what I took from it, the lengths at which Paypal and GoDaddy are willing to release your personal information / lenient to guess the rest of it. It's a very good warning.

        Last edited 31/01/14 9:05 am

      So you're saying it's the victim's fault for being the target of a crime?

        Yes this is what the internet has done to society. Person A thinks person B deserves to have a crime committed against them because Person A is faaaaaaar more intelligent than person B and it would never ever happen to them.

    Come on, guys, don't be nasty to him. This is a good story. It doesn't matter why he didn't take the $50k, what matters is that he was attacked, and the attacker got away with it.

    People can criticise his decision-making in not selling the handle and so forth, but this really does highlight the challenge of knowing which services are trustworthy.

    I'm not surprised GoDaddy made a hash of it; they are renowned for that. Seriously, guessing the first two digits of a credit card? There are only 19 possibilities.
    PayPal, on the other hand, should know better. They are essentially a financial institution. If someone called my bank to try to get the last four digits of my credit card number I would expect them to be invited to provide a lot of supporting evidence for their identity.

    If you recall, it was not long ago that Mat Honan (of Wired) had all his Apple gear remotely wiped after someone tricked Apple and Amazon support into giving him control. Funnily enough, that was also about getting a good twitter handle.

    The real question then becomes how do you know who you can trust not to roll over in the face of good social engineering?
    One possible guide might be generally bad security practices (e.g. if a company password recovery process sends you back your password via e-mail, then you can be certain their technological security practices are bad; if they send you a new password by e-mail it is bad but less bad).
    That doesn't necessarily translate over to having well or poorly trained staff, of course, but you have to start somewhere.

    I think the point is not the sale of the Twitter account, but how easily someone can take over your Paypal and GoDaddy accounts.

    Sad story but seriously, what were you thinking? You could have had 50k in your account right now for doing very little. Not taking that = crazy.

    Are you joking? He literally told you, and gave you evidence, that he stole and compromised your account and basically blackmailed you. I'm 127.94% positive you can take this to the authorities, and failing that, straight to ombudsmen, and even a court case direct to PayPal FOR GIVING OUT INFORMATION ILLEGALLY (without verifying the user, no one should be allowed to give out any data), and GoDaddy for bad practice. The best 2FA in my opinion would use your mobile phone, i.e. via text. Emails are hacked/lost/stolen. If you had a mobile set up with 2FA somewhere in all this, this would have been a lot harder. Actually, PayPal should've texted "you" the credit card details, not given them over the phone in the first place!

    why not pursue Legal action? you've obviously got enough evidence.

    From the government that brought you trademarking "Candy"...
