The software developer whose valuable @N Twitter handle was socially engineered and extorted away from him, Naoki Hiroshima, says that after more than a month, he now has his handle back.
Order has been restored.
— Naoki Hiroshima (@N) February 25, 2014
Naoki Hiroshima says that Twitter gave no explanation.
According to his tweets, he filed a ticket on Friday morning to make sure the account was still gone. The ticket was returned, having been marked “solved”, no details provided.
By Hiroshima’s account, he had previously been offered the princely sum of $50,000 to sell his coveted user name – an offer he politely declined.
People didn’t always play that nice with their handle lust, though.
According to Hiroshima, they sometimes tried to flat-out steal the handle away, leaving behind proof of their attempts in a trail of password-reset instructions that regularly appeared in his email inbox.
In late January, one such attacker skipped the wooing, lunged for Hiroshima’s digital jugular, and this time, hit home.
Hiroshima wrote a detailed account of how the scam went down on 20 January.
As he describes it, the successful attacker used social engineering to first gain access to Hiroshima’s PayPal account, allegedly managed to socially engineer the last four digits of his credit card out of PayPal, then used that to call GoDaddy, where his domains were hosted.
The attacker called GoDaddy, told an agent that he was Naoki Hiroshima and that he’d lost his credit card, but that he remembered the card’s last four digits. That worked to get him in.
When the real Naoki Hiroshima checked his email late in the day, he found the last of a string of messages from PayPal and GoDaddy. The last message from GoDaddy had the subject “Account Settings Change Confirmation”.
As is typical for such messages, GoDaddy’s note advised the recipient that if the account modifications had been initiated without his consent, he should log in and change his security settings.
Unfortunately, the attacker had already modified the account, locking out the true account holder. Hiroshima couldn’t log in.
When he called GoDaddy to explain the situation, the agent asked for the last 6 digits of his credit card, as a method of verification.
Too late. The attacker had already changed the account’s credit card information, too. Hiroshima had no way to prove he was the real owner of the domain name, he says.
The attacker thus seized control of Hiroshima’s PayPal, GoDaddy and email accounts. He then went after the alluringly short Twitter handle, but there he failed: his victim had used a different email address for that account.
So the attacker emailed Hiroshima with the aim of extorting the handle out of him.
Either give up the Twitter user name or lose his entire website data on GoDaddy, the attacker threatened.
Hiroshima soon found out that the attacker had compromised his Facebook account as well, as a means to bargain with him.
He was getting no help from GoDaddy, he says, because he wasn’t the “current registrant”.
With his domains being held for ransom, he gave up. He did what his extortionist wanted, he said: he changed his handle, giving up @N and creating a new handle: @N_is_stolen.
Hiroshima notified Twitter, but Twitter merely told him that it was “investigating.”
Tweeting from his new handle, he kept his followers informed of his ongoing attempts to get the @N handle back.
According to Ars Technica, the @N account was made private and was later shut down, but access wasn’t restored to Hiroshima until Tuesday.
In the aftermath of the hack, GoDaddy, for one, owned up to its role in the attack and modified its account policies.
The company on 1 February said in a tweet that it would henceforth require 8 card digits (instead of six), would lock an account after three recovery attempts, and would deal with 2-factor authentication accounts differently.
Hiroshima’s writeup is full of advice on avoiding having this happen to you.
For what it’s worth, he feels strongly that two-factor authentication (2FA) is “a must”:
It's probably what prevented the attacker from logging into my PayPal account, though this situation illustrates that even two-factor authentication doesn't help for everything.
Hiroshima’s saga is similar to the fates suffered by others, such as that of technology reporter Mat Honan.
Honan had all of the data wiped from his iPhone, iPad and MacBook and had his Gmail and Twitter accounts hijacked.
In that instance, Honan admitted, 2FA well may have helped prevent the misery that ensued.
Hiroshima’s harrowing tale is yet another testament to the power of two in the 2FA equation – a powerful step toward protecting ourselves not only from having our digital personas hijacked but also from stolen password databases, phishing attacks, keyloggers and more.
Want to take Hiroshima’s and Honan’s advice on how to avoid their fate? Want to know more about 2FA and how to use it?
Naked Security, at your service: here’s an overview.
3 comments on “Twitter restores @N handle to its rightful owner”
“the successful attacker used social engineering to first gain access to Hiroshima’s PayPal account, allegedly managed to socially engineer the last four digits of his credit card out of PayPal”
Here’s the real problem. At least from what is written here, someone armed with nothing more than a name managed to gain access to someone else’s PayPal account.
What’s even worse is that PayPal denied the entire thing, when there’s even recorded-call evidence.
Strict adherence to policies that prevent unauthorized access to anyone’s accounts needed to be followed by both PayPal and GoDaddy. They were the weakest links in the chain.