It’s the modern-day bureaucratic nightmare: someone steals something that belongs to you, and the one party that could easily do something about it refuses to listen to you because its records show that the thief is the rightful owner. According to developer Naoki Hiroshima, someone lusted after his Twitter handle (@N) so badly that they went to great lengths, hijacking his personal website in a (sadly successful) extortion attempt.
In fact, writes Hiroshima, he’d received numerous potentially lucrative offers for his @N handle since he’d scored that Twitter account way back in the Twitter stone age of 2007. He claims to have had as much as $50,000 dangled in front of him for the rare, single-letter account.
In addition to the legitimate purchase attempts, he says that hackers are constantly attempting to breach this account or any of his others in an effort to get control of the Twitter handle.
Then on Jan. 20, he received an “Account Settings Change Confirmation” notice from GoDaddy, the company through which he’d registered his personal domain name.
“If these modifications were made without your consent, please log in to your account and update your security settings,” reads the e-mail, “If you are unable to log in to your account or if unauthorized changes have been made to domain names associated with the account, please contact our customer support team for assistance: email@example.com or (480) 505-8877.”
Hiroshima was not able to log in and so he called the number, as per the instructions.
“The representative asked me the last 6 digits of my credit card number as a method of verification,” he writes. “This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.”
All the rep could do was tell him to file a case report, complete with his government ID info, with GoDaddy in an attempt to prove that he was who he claimed to be. Of course, this didn’t really help because his info was no longer associated with the account.
Meanwhile, the hacker who’d hijacked his site was able to control Hiroshima’s e-mail account.
Hiroshima smartly changed the e-mail address associated with his Twitter account, making sure the hacker did not have access to that much-desired public feed.
The hacker persisted in attempting to get the Twitter account e-mail changed over, but to no avail. And so the hacker began e-mailing Hiroshima, making their extortion attempt quite clear.
Reads the e-mail from the hacker, who dubbed themselves “Social Media King”:
I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:
I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?
Meanwhile, GoDaddy confirmed it could not and would not help Hiroshima because he was no longer the current registrant. To us, this is like police telling a homeowner you can’t kick out squatters because they live in the house now.
Even a promised investigation by a GoDaddy exec (contacted by Hiroshima through a mutual acquaintance) has thus far resulted in nothing.
Realizing he’d rather cede his Twitter handle and go public with the whole ridiculous story, Hiroshima finally gave in to the extortionist’s demands and gave up the Twitter account he’d had for almost seven years.
After the hacker handed Hiroshima back the keys to his website, they provided the following explanation for how PayPal and GoDaddy facilitated the hijacking:
– I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)
– I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)
Reps for PayPal, Twitter, and GoDaddy tell TheNextWeb that each of the companies is investigating the matter.
Meanwhile, Hiroshima has launched the new Twitter handle @N_is_stolen.