How much is your Twitter username worth? For most people, the answer is probably not a very big number. San Francisco Bay Area app developer Naoki Hiroshima, on the other hand, reports having turned down offers of $50,000 to buy his account. Hiroshima doesn’t have millions of followers, he merely joined the micro-blogging service early enough to snag a single-letter user name: @N.
Hiroshima sat on @N until earlier this month, when he claims to have become the victim in a complex social hacking/extortion scheme that robbed him of his username and may have exposed troubling holes in the security measures of several major tech companies.
In a blog entry posted on Medium on Wednesday morning, Hiroshima received messages from PayPal and GoDaddy notifying him that someone had been attempting to monkey around with his accounts. When he checked out GoDaddy, he discovered someone had broken into his account and changed all of the settings, effectively locking him out. He quickly realized the hacker had gained access to his accounts on sites across the Internet—from Facebook to his personal email address.
Hiroshima soon got an email from the attacker, who went by the name Social Media King, informing him that the target was his Twitter account, which was connected to a separate email address the attacker didn’t control:
I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:
I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?
Weighing his options, Hiroshima eventually submitted and gave control of his Twitter account to the scammer. He now tweets under the very apropo username @n_is_stolen.
The fact that someone would go through all of this hassle just to get their hands on a single-letter Twitter account is interesting, what’s likely the most fascinating part of the story is that, after the blackmail was complete, Hiroshima asked Social Media King how it was accomplished. Surprisingly, not only did Social Media King respond (in detail), but also gave Hiroshima tips on how to improve his online security.
According to what Hiroshima pieced together from his own experience and the info he got from Social Media King, the attack started with a phone call to PayPal. Social Media King pretended to be a company employee and got the operator to give him the last four digits of Hiroshima’s credit card. The hackers took that info to an operator at GoDaddy, pretended to be Hiroshima, and said he had lost his credit card and forgotten the number save for the last four digits. A GoDaddy operator let him guess the first two digits of the card, which is even easier than it sounds because those numbers are used to identify the system (all Visa cards start with the number 5, all American Express cards start with the number 5, etc.). Once that was done, Social Media King had unlimited access to Hiroshima’s GoDaddy profile, which was then leveraged to take over his Facebook and email accounts.
If this account is accurate, those are some pretty serious social engineering skills. Although, all that effort may be for naught; Twitter has since suspended the account. Even so, over on Reddit, users have requested that Social Media King do an AMA.
In a blog post, PayPal disputes Hiroshima’s account of what happened and insists it did nothing wrong:
We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal.
PayPal did not divulge any credit card details related to this account.
PayPal did not divulge any personal or financial information related to this account.
This individual’s PayPal account was not compromised.
The post noted that the company has reached out Hiroshima.
Twitter and GoDaddy did not respond to a request for comment, nor did Hiroshima for that matter. However, Twitter told The Verge that the company is “investigating the report,” but does not comment on the accounts of individual users.
Update: GoDaddy has responded to our request for comment. In an email to the Daily Dot, GoDaddy Chief Information Security Officer Todd Redfoot wrote: “Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”