In a statement to TheNextWeb.com, GoDaddy’s Chief Information Security Officer offered up something that is as close as Hiroshima will probably get to a public apology:
Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.
For those coming late to this story, Hiroshima had staked a claim on the @N Twitter handle back in 2007. Since then, he’d received numerous offers — up to $50,000 — from people who wanted the account and had fended off countless attempts to wrest the account from him via less legitimate means.
Then a clever hacker called PayPal and convinced someone there to give him the last four digits of Hiroshima’s credit card number. With this info, the hacker called GoDaddy — through which Hiroshima had registered the URL for his personal site — and convinced the rep to let him guess multiple permutations of the first two digits of the card.
[NOTE: an earlier version of this story said PayPal had revealed info about Hiroshima’s Social Security number. It was actually his credit card. This correction has been made.]
Once the hacker tricked GoDaddy, he was able to take control of Hiroshima’s site and the e-mail addresses associated with it. He held the site hostage in exchange for the @N Twitter account.
Hiroshima made multiple attempts to get assistance from GoDaddy but was told each time that the company could not help him because he was no longer listed as the current owner of the site.
The @N account is still in the hands of someone other than Hiroshima, who Tweeted last night (via his account @N_is_stolen) that “It seems that Twitter simply ignored my claim and let somebody grab @N freely.”
PayPal also addressed the gaffe in its blog last night, but in a much more defensive tone.
“We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal,” writes the company, while not admitting that this “failed” attempt still resulted in Hiroshima’s credit card number being compromised.
“PayPal did not divulge any credit card details related to this account. PayPal did not divulge any personal or financial information related to this account,” continues the post. “This individual’s PayPal account was not compromised.”