How I Lost My $50,000 Twitter Username (opens in new tab)

Why would a company ever ever ever accept 6 digits of a credit card number as a way to authenticate an identity??

Credit card numbers are not secure. Therefore, they should not ever be accepted as authentication. Especially only 6 digits of it! This is by far the most shocking part of this story. As if I needed another reason to despise GoDaddy.

[Edited to add] I would sure love to see a scarlet letter list of companies which allow such practices, so I can never use them.

I feel bad for this guy, and twitter needs to do the right thing and return to him his handle.

Then I can come back here and post nasty comments about squatters.

Heads really ought to start rolling at PayPal. Their general approach to security is, quite frankly, appalling.

Is there any possible rational for Paypal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.

And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.

Seems like Twitter could easily verify the story based on their own logs and then restore access to his N account. He doesn't mention pursuing that, though.

This story is horrifying because PayPal was the enabler.

PayPal gave the attacker the last four digits of my credit card number over the phone

That person should lose their job if it is not PayPal policy.

I really hope by some small chance the person that did this gets some serious prison time, if not for this then anything else prior or down the road. Then maybe one of those mornings they wake up in prison they can ponder if it was all worth it.

I believe that it is ISO 9001 (quality assurance) that states that a company must be able to audit any stored data and data changes dating back some time. Judging by Paypal (specially for being a financial company), Twitter (for being an open capital company), and GoDaddy's size they may all comply to ISO 9001, but I'm just guessing.

Anyhow, if any of them actually comply to ISO 9001, it is possible to audit previous data to establish the true identity of the owner in some arbitrary date before any of this happened.

Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.

Everyone looks bad here, but I want to focus on Twitter. For me this case is yet another demonstration that Twitter sees its customers as advertisers and places low priority on the community.

I pay Twitter nothing, and yet the service is valuable to me. So instead of continuously crippling the service in the name of goodness knows what, why not actually charge users for a premium experience. Things like customer service that works, a gold member status flag, controls on swapping account ownership, analytics and so on. Offer 3 paid levels - personal, business and corporate, and obviously keep the free level forever. Once revenue comes from customers, then perhaps it will help in understanding that while other revenue night be larger, the true value of Twitter is derived from the community.

An interesting point made was to avoid using custom domains for the login emails, since a DNS takeover would compromise your accounts tied to that email.

Ditch GoDaddy - They are a terrible company.

Also considering closing my paypal account now.

One thing that people should realize in why Twitter may not respond to these kinds of issues, or may be slow to respond, is that it's probably true that lots of people buy and sell Twitter accounts, and people may report them stolen when in fact they've already sold them to someone.

This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.

Why is anyone still using GoDaddy?

I felt very angry and uncomfortable reading that. I can't imagine being in a helpless position like that.

I lost a nice handle (@Houselogic) a few years back. Sent Twitter all the proof and email trail and everything, but they were useless. Every time I email their support, it's a new ticket and I have to explain the whole situation again and again. I gave up after two years.

Slightly OT, but someone registered a Twitter account with my primary e-mail address. I received a "Confirm your e-mail account" email with a link "Not My Account". That link brings me to a page that says "Sorry, that page doesn’t exist!".

There doesn't appear to be any way to contact Twitter about this.

Shortly after, I received a second email "Welcome to Twitter, <username>"

Going to: https://support.twitter.com/forms/impersonation

..and selecting "Someone is using my email address without my permission." tells me to submit a general support ticket. That's fine except none of the general categories has anything to do with this problem and choosing "My issue is not in the list" simply redirects me immediately to the root support page. I submitted a ticket with a different topic and have not heard back from them in a week and expect I never will.

I found it interesting how open the attacker was about how they did it.

Don't use GoDaddy. Simple as that.

If that hadn't happened, he'd still have his twitter account.

>If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

Just google and the NSA then. Also, Gmail has an exposed password reset and social-engineerable support. A server running Postfix/Exim doesn't.

I'd consider a domain with a good registrar far more secure than google.

And we all know how this would end. GoDaddy and Paypal will try to make this right because of the negative publicity. Why does it always take a post like this to call for help?

I don't understand why Twitter doesn't have the standard 30 day wait period on handle changes that most sites have. For a while it was a standard to not let old usernames be available until 30/60/90 days after a change, so that in the event that this kind of thing happened, it could be reclaimed with ease as soon as the GoDaddy account is in his possession.

This is a terrifying story, and I'm very glad Hiroshima wrote it, because I didn't have two factor auth turned on with my domain provider. Now I do!

It seems like if he'd had 2FA turned on with GoDaddy, this may not have happened. So rather than use @gmail.com addresses to register for things, as he recommends, just turn on 2FA with your provider. And if your provider doesn't support it, leave them and tell them why.

The admonition to use a @gmail.com address was annoying enough that I actually put up a response blog post just on this point: https://konklone.com/post/protect-your-domain-name-with-two-...

Someone tracked down the hacker: http://www.reddit.com/r/hacking/comments/1whk3a/tracking_the...

No lawyer? Any reason why none was mentioned? Extortion is serious federal crime (across state lines, multiple companies, even clear admission of guilt). At the least it would get GoDaddy's attention vs. just asking nicely.

>Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised.

Sigh I use Google Apps exactly so that I have control over the domain and aren't subject to the good will of Google. I had never thought of this particular problem. Now I don't know what to do.

Reminds me of harvesting ICQ numbers. There was a time when you could search 6-digit ICQ numbers for expired freemail addresses like Hotmail (they deleted your account after a while), register that freemail address and reset your ICQ number password to get a brand "new" 6-digit number. I think this doesn't work anymore, since most freemail hosters don't "free" expired email addresses but keep them locked.

It still works if you find an expired domain name, register the domain name and then do the whole password-reset procedure. Might be cheaper to buy a 6 digit number on eBay though :)

This is a scary story!

Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).

Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.

So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.

So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.

It's sad, but twitter's not transferring it back in a week's time gives me more confidence in twitter, not less. There isn't any evidence of the stealing of the domain names and the extortion available besides OP's copies of the email messages and information that GoDaddy won't provide. With the value twitter ID has, twitter shouldn't do anything without clear evidence.

He might have been able to get it back if it was his trademark or even name that he lost and not some witty username.

Have you reported it to someone with prosecution powers?

http://www.fbi.gov/about-us/investigate/cyber

http://www.ic3.gov/default.aspx

Who are people's current favorite domain registrars? I've been with name.com for the last year or so and have been happy, but I'm always curios to hear from others.

Wow, this is both interesting and terrifying. I have a two character Twitter handle that I use actively and it makes me worry that one day I might be targeted too using a similar method, although so far I've had no problems.

If the author is reading, did you end up getting back your @n username? If so, did you simply go to Twitter and explain to them the whole story?

Just find it interesting to see how different the conversation on the same topic is over at reddit, http://www.reddit.com/r/technology/comments/1wfwfp/how_i_los...

My custom domain address was stolen with the Dropbox data leak, got so much spam that I set my Gmail to pull my mails via POP3. Then I changed everything to use my Gmail, and locked down my Gmail account.

I've heard people go on about how Google (and I suppose other corporations) are evil, and how they are rolling their own custom mail solutions etc. It's times like these that people lose important things.

Also, I really don't understand why US companies must store credit card details. I understand the convenience, but there's been a lot of security compromises to let this practice continue. In South Africa online retailers don't store CC info, yet we aren't being brought to our knees by inconvenience.

At least the attacker mentioned his methods, so GoDaddy and PayPal can educate their staff better.

what's more likely, someone hacks your domain name / DNS gaining control of your MX records or someone hacks your username @gmail.com?

I have a four letter twitter handle(zaid) and I probably average a half dozen forgot-password requests daily...many of them people in the middle east with the same name as me trying to take over my account.

I've had two users offer to buy my username.

It's not a $50K Twitter username unless someone actually paid $50K for it at one point, is it?

"Not accepting an offer of $50K for a twitter username I didn't use" doesn't really count...

Since medium also depends on Twitter, his page is no longer available. I checked @N_is_stolen page, it is fresh. So, all his posts in medium is gone, just because there is a change in username?

> But guessing 2 digits correctly isn’t that easy, right?

The first few digits of card numbers refer to the provider (Visa, Amex, etc) [0]. Given that Paypal gave the last four digits of the card, I'm surprised they wouldn't give out the provider as well, so guessing this would be even easier.

[0] https://github.com/stripe/jquery.payment/blob/master/src/jqu...

The advice to use @gmail.com vs. a custom domain name seems kind of questionable if you use a reasonably secure registrar. Not GoDaddy.

Using an unusual/unknown address for account validation mails (maybe with forwarding of other communications) probably would make sense, though. And/or sites coming up with a better account-recovery procedure, perhaps outsourced to a startup.

There's probably a market for a super-secure email address for account login mails, but that isn't a free gmail account.

Namecheap posted a tweet[1] with an offer to move domains out of GoDaddy:

How we make sure that you don't lose your $50,000 Twitter username: http://ow.ly/t4yR8 $5.99 domain transfers with code BYEBYEGD

[1] https://twitter.com/Namecheap/status/428555697882935296

What I take away from this is that:

a) Two Factor should be mandatory and as soon as it is, any representative of the company MUST insist that a reset cannot be done over the phone. It should be highly suspicious if someone comes up and says "Hi, I lost my email account access AND my phone so could you please reset my password via phone now?"

b) If not Two Factor, the security questions should also be mandatory. No other "data" like past addresses or cc numbers should suffice to reset over the phone if the person doesn't know the answers to all security questions.

And, speaking of these questions, of course they should be stuff that you know and cannot be "guessed" by anyone who is able to read your facebook page or similar. Maybe even some non nonsensical thing like "Favorite Food" - "Horse Droppings". As long as you remember this, nobody should be able to "hack" that over the phone. Even if you go on and on on facebook about how you "could eat your way through a giant bowl of pasta you love it so much"

Why does anyone believe the hacker's story of how he did it? It's possible he told the truth but it's likely he did not.

I'm not a programming expert, nor a process expert, but the way I see it...

... there has got to be a multi-stage process for authentication that does NOT use any CC or SSN. Of course, the responsibility lies with the account owner for maintaining passwords/authentication information.

If you lose the information, no way to recover it.

I say this because it seems (again, I'm not an expert) that these thieves use social engineering mostly in the "data recovery" stage of the process.

The only way to tighten that from my perspective is to put maximum responsibility on the account owner to keep their logins, passwords (again, for multi-stage authentication), and such on hand. Don't have a need to recover your info, and others can't use the recovery process to get to your account.

I guess it wouldn't be a perfect scenario but... this, or lose @N.

I am sorry to hear there are companies allowing these practices, though... sad.

Is it not possible to use the last bills as verification of who you are? screenshot of the bank statements and asking GoDaddy to verify their bank data and you've shown that it is in fact you who paid the bills.

Also if account data is changed they MUST keep a log of what your data was before. At least anything beside passwords.

I could be wrong but what is the value of a stolen Twitter handle? Just like a stolen car or phone if someone starts using it won't it be obvious that it's the thief or the thieves buyer? That's like stealing a Porsche and then showing it off downtown in front of everyone.

That reminds me, a few months ago I had a weird Twitter experience. Someone gained access to my rarely used Twitter account @smartician and started posting spam. Somehow Twitter noticed, reset the password and notified me via email. I have no idea how that was possible.

Up until late 2013, it was very easy to social engineer your way past Customer Sales Rep call screens to gain access to an AT&T account once you put together a few pieces of personal data (which was even easier to obtain) of the account owner. You didn't need to know the account password to gain access if you had other pieces of information. Those bits of information leak out through other service providers and are sometimes available through State and Federal Government systems.

That meant that anyone using SMS via AT&T for two-factor auth was vulnerable.

The extra layer of security is only enabled if you call AT&T and ask them to further protect your account from future changes.

I have seen great articles that document the best practices, patterns and anti-patterns for authentication within an application or storing passwords etc. But where is the gold standard for authenticating people over the phone?

Good Developers understand how critical it is to handle authentication and password storage well. It can be complicated thing and is very easy to screw up.

But all that goes out the window when somebody calls the support line. There needs to be just as much scrutiny placed on over the phone authentication as there is within an application. The problem is likely that those over the phone patterns/anti-patterns are not well documented and available.

I read the article. Sounds like an epic fail by GoDaddy, I blame them for 99% of what happened. Glad I'm not a customers of theirs... Oh btw, try to find a registrar that does 2factor authentication!

So who are you planning on suing? PayPal, godaddy, twitter, or all three?

Interesting that GoDaddy does not keep an audit trail for account detail changes that might help detect malicious activity. I guess they'll rather lose customers and reputation than do this.

Regardless of how this all went down, and is responsible... It is still theft right? Falsifying ones identity and taking possession of @n is stealing and should be covered under some law, no?

I feel so bad for Naoki that he was compromised in this scary manner. While the hacker did con his way on the phone for personal information, at the minimum, it's...hmmm....not nice...but "informative/narcissistic," of the hacker to describe his method to the victim.

Makes me happy that companies are moving towards text authentication since emails are easy (or at least well practiced) to compromise.

Note: Time to change my Time To Lives on my MX records and up my security.

Crumbs, this makes interesting reading - clearly lots of failings by the companies involved here.

However. If someone were to steal a physical asset in order to extort something else out of me I would go immediately to the police. I'd have thought I'd do the same if the assets involved were digital.

I've no idea if a criminal offence was committed in what ever jurisdiction this happened. But I'd have thought extortion is illegal is many parts of the world?

The "we take X seriously at Y company" line is so tired. These companies are so incompetent that it would be funny if not for people getting screwed IRL.

What was up with the part with the facebook message? Why would the attacker tip him off rather than just take what he came for? Or did I read that wrong?

You can sell twitter @'s now? #itsNotWorth50k

Follow us at @N on twitter.

Looks like a typo. Imparts zero cred since 99.999% of people will not take your ability to "possess" a short twitter account name as helpful for whatever else you may be trying to do.

As far as the "Sorry I am so technically gifted. Let me tell you what you should do to prevent me next time..." thing, what kind of cartoon caper is this?

Can't you sue paypal or godaddy ? Or better yet, both. Shouldn't be hard to track down the attacker either if you report the crime.

pretty freaky stuff. Also, what was the attacker so interested in the @N for anyways? future investment in case some big company/celeb comes along wanting the username? Seems so crazy to go after it...... if Twitter can't sort this out, can't we all just shame the acct into inactivity... Is squatting on it worth all this Mitnick-attack-work?

No domain registrar should be taking the last four of your credit card number as proof of account identity or ownership. We certainly don't. Have you confirmed they reset the password based on just the last four of the credit card OR was your account's email address itself comprised, allowing them to reset the password via your email address?

Serious lapses on the parts of PayPal and GoDaddy. Ironically, there are sites which even refuse to identify the real person - like this one posted on HN a few days back(http://kevinchen.co/blog/square-identity-verification/)

Was @n private before? It is now. If this kid is trying to sell the handle to someone, the buyer is likely in for a rude awakening if and when Twitter does the right thing and returns it.

Woah ! What a story. You can trust nobody. Well hope that twitter people are reading this and can understand how badly they are trolled. All the best buddy. All the best.

I'm still wondering WHY the hacker took a twitter handle and why he didn't blackmail his victim into keeping quiet.

$50k is hardly worth such a bold crime with no exit strategy.

In case OP reads HN: If your websites are hosted with GoDaddy, I would consider them compromised aswel.

He may say that he has left them alone, but you have no chance of knowing.

This was the last straw. I'm moving away from GoDaddy.

Yet another example of a compromised GoDaddy account and someone potentially losing their domain. Yet people continue to use GoDaddy time and time again.

besides the obvious stupidity of the parties involved, why would anyone pay for such an uninformative handle 50k ? @N ? seriously -- doesn't spam occur for twitter feeds yet ? I remember when google started off they didn't allow you to have email addresses less than 6 characters to avoid spam...

btw, @! google search returns 0 results. interesting... hmm, twitter apparently allows alphanumeric handles only...

Thats awful.. I use both GoDaddy and Paypal for my website and this has certainly made me a more cautious of securing sensitive information

What if this whole story was a lie? What if it was the hacker's final attempt to steal the @n twitter name.

Don't use godady is what I would take away from the story.

story archived here in case it did/does go down:

http://pastebin.com/g7R6Ren2

Why on earth are people still using GoDaddy?

I hope Twitter can help this guy somehow.

This is quite frustrating even to read!

It was like I read some scary book.

$50,000 twitter username. Sigh...

this story reeks of fake to me.

what sane person doesn't call the FBI when an attacker blatantly commits fraud against them, admits to it, and then commits extortion based on the successful fraud? Furthermore, what kind of attacker explains how they attacked? Thats ludicrous.

this has got to be some kind of roundabout way of advertising for the various competitors of godaddy mentioned in the post.

Another reason to use Bitcoin. No credit card number to give away to the attacker and identity can be verified by signing a message with a private key instead of guessing at personal information.