A California man says he was extorted into giving up his valuable single-letter Twitter name after a hacker staged an elaborate online stickup — allegedly by tricking a customer service representative into revealing the victim’s credit card information.
Naoki Hiroshima detailed his ordeal in a post on the blogging site Medium on Wednesday, in which he also shared information he received directly from the hacker explaining the attack.
According to the hacker, as told to Hiroshima, this person masqueraded as a PayPal employee and talked a customer service representative at the company into revealing the last four digits of Hiroshima’s credit card. With this information, the hacker claimed to take control of Hiroshima’s PayPal and GoDaddy accounts, holding them hostage until Hiroshima agreed to give up the unique @N Twitter handle he scored seven years ago, soon after Twitter first launched.
But PayPal issued a full denial in a blog post later on Wednesday. "We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal," the company said. PayPal said it "did not divulge" credit card details, personal information or financial information related to Hiroshima's account. In fact, the company said his PayPal account was not compromised.
"We are personally reaching out to the customer to see if we can assist him in any way," PayPal added.
So it’s as yet unclear what exactly happened — GoDaddy and Twitter both said they were investigating.
While the hacker's tale may seem like a convoluted and crazy scheme just to get a Twitter handle, it’s not the first time such a story has come to light. Even if it didn't happen exactly the way the hacker says it did, Hiroshima’s experience is only the latest reminder that security failures don’t always come from stolen passwords and technical attacks. Humans can also be a weak link.
In 2012, “Wired” reporter Mat Honan saw his “entire digital life” destroyed after scammers reportedly conned customer service representatives at Apple and Amazon into providing access to Honan’s accounts. Once inside, the attackers remotely deleted all the photos and files stored on the writer's iPhone, iPad and Macbook. The reason Honan was targeted? Scammers wanted his three-digit Twitter handle, @mat.
Hiroshima, an app developer, knew his own Twitter handle was valuable. He had received several offers throughout the years to buy the @N handle — including one as high as $50,000. Only 26 single-letter accounts are available — even two- or three-letter names are considered rare and therefore valuable to marketers.
Therefore, he knew owning that lucrative asset also made him a target. He’d grown accustomed to password reset instructions popping into his inbox after people tried to get into his accounts, and he generally ignored them as no one had yet succeeded.
But on January 20, someone got in.
How it happened
Hiroshima first received a message from PayPal, which he initially ignored as usual. But later in the day, he found an email from GoDaddy – which hosted both his personal website and personal email address — confirming that someone had changed his account information.
The attacker later told Hiroshima via a series of emails that he or she called PayPal and pretended to be a company employee in order to get the last four digits of Hiroshima’s credit card.
From there, the hacker supposedly called GoDaddy, which requires the last six digits of a credit card for identity verification. The attacker had only the final four digits of the card, but GoDaddy reportedly allowed the person to “keep trying” until he guessed the previous two digits. (Again, PayPal denied it gave out any information.)
“It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification,” Hiroshima wrote.
PayPal’s denial is a big hole in the hacker’s story. But it would hardly be the first time that humans – customer service reps — unwittingly took part in a major hack. After Honan published his hack story, which involved gaming customer service at Apple and Amazon, both companies changed their policies on what kind of information can be shared via phone.
It was Honan’s story, Hiroshima wrote, that led him to turn over the @N account to the hacker later in the day.
“I remembered what had happened to @mat and concluded that giving up the account right away would be the only way to avoid an irreversible disaster,” Hiroshima wrote in his Medium post.
On Hiroshima’s end, he felt powerless to stop the attack even as it continued last Monday.
“Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data,” the attacker asked.
About three hours later, Hiroshima acquiesced.
The hacker politely thanked Hiroshima “very much” for turning over the account and gave him the GoDaddy password in exchange, and the person explained what happened at PayPal and GoDaddy.
The hacker recommended that Hiroshima ask PayPal to add a note to his account informing agents not to release any details by phone. The person didn’t have similar suggestions for GoDaddy, so he or she recommended Hiroshima switch registrars.
Hiroshima himself called the practice of verifying identity via the last few digits of a credit card “unacceptable,” and he removed his credit card information from both GoDaddy and PayPal. He said he plans to delete his accounts with both companies shortly.
Update: As of late Wednesday, Twitter appears to have suspended the @N account.
Julianne Pepitone is a senior technology writer for NBC News Digital. Previously she was a staff writer at CNNMoney, where she covered large tech companies including Apple and Google, as well as the intersection of tech and media. Follow Julianne on Twitter at @julpepitone or email her at email@example.com.