What's your Twitter handle? Is it some combination of your favorite artist (Justin Bieber) and the year you were born, something like, @BieberLover1991?
Maybe you wanted it that way, maybe you didn't, but either way you have to be a little creative when creating your Twitter handle, since millions of them have already been taken. That's why some of the earliest Twitter users, who were able to lock in handles like @Jason, @Biz and @A, get regular inquiries about selling them. Take Naoki Hiroshima, who received a $50,000 offer for his handle, @N. That sounds like a great deal, but plenty of other people wanted @N and didn't want to pay for it.
Hiroshima was periodically under attack by hackers, but had managed to protect his account over the years. Then, PayPal and GoDaddy happened. "While eating lunch on January 20th, 2014, I received a text message from PayPal for a one-time validation code," says Hiroshima. "Somebody was trying to steal my PayPal account. I ignored it and continued eating."
The hacker wasn't able to get into Hiroshima's PayPal account, so he improvised: posing as a PayPal employee, he talked another employee into reading out the last four digits of Hiroshima's credit card over the phone. With those four digits in hand, the hacker turned to Hiroshima's GoDaddy account, where Hiroshima kept his email and websites. GoDaddy accepted the four digits as verification, which gave the hacker control of the domains and, through them, Hiroshima's email. The plan was to use that email to reset the password of the @N Twitter account, but Hiroshima was quick enough to realize what was going on and switched the email address registered with the account. The hacker was still able to get into his Facebook, and, holding his domains and email hostage, sent Hiroshima this email:
I would just like to inform you that you were correct, @N was the target. It appears extremely inactive. I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by GoDaddy and never seen again D:
I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? Access to @N for about 5 minutes while I swap the handle in exchange for your GoDaddy, and help securing your data?
Hiroshima complied, giving up @N in exchange for access to his domains and email before they were gone for good.
"It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification," says Hiroshima.
Check out his story on Medium.
Re: this incident http://t.co/bOiuzqvFep, our investigation confirmed PayPal did NOT disclose any credit card details. More info soon. — Ask PayPal (@AskPayPal) January 29, 2014