How PayPal, GoDaddy’s Lax Practices Cost One Man $50K Twitter Username


If you think PayPal and GoDaddy are reliable and take customer security seriously, think again. Naoki Hiroshima, the developer of Echofon and creator of the Cocoyon app, shared his story (or nightmare) with The Next Web. Naoki had a rare Twitter Inc (NYSE:TWTR) username, “@N”, for which he was once offered a whopping $50,000. Many people had tried to steal it in the past. But a hacker finally extorted his prized username, thanks to PayPal and GoDaddy. In the process, these two giants put his entire business at risk!

Naoki’s horror story

Naoki received a text message from PayPal on January 20, 2014, asking for a one-time validation code. Someone was trying to break into his PayPal account. He ignored the text. When he then opened his email, which runs on a personal domain name registered with GoDaddy, he saw a message from GoDaddy with the subject line “Account Settings Change Confirmation.” (The original article reproduced the full message as a screenshot.)

Naoki was shocked. He tried to log in to his GoDaddy account, but couldn’t gain access. He immediately called the web hosting company. After he explained the situation, the representative on the other end asked Naoki for the last 6 digits of his credit card number for verification. This didn’t work either, because the hacker had already changed all of his information with GoDaddy. So Naoki Hiroshima had no way to prove that he was the real owner of the domain name. The representative advised him to file a case report with proof of ID. Naoki did that immediately, but GoDaddy’s response was that the process would take at least 48 hours.

Email is the key method of verification with most websites. If an attacker gains access to your email account, he can reset your password and change your personal information on many other websites. That’s what happened to Naoki. The attacker took control of his GoDaddy domain name, and through it gained control of his email. Naoki suddenly realized that his coveted Twitter username might be the real target, just as in the past attempts. Meanwhile, someone sent him a message over Facebook Inc (NASDAQ:FB) recommending that he change the email address on his Twitter account. He did so right away.

The attacker couldn’t gain access to the new email address on his Twitter account. The hacker made several attempts to reset his Twitter password, but none of the password reset emails reached an inbox he controlled. Finally, the attacker opened issue #16134409 on Twitter Inc’s support page. Here is what the attacker requested:

[Screenshot: the attacker’s support request to Twitter]

The microblogging site required the hacker to provide more information, which he didn’t have. Naoki later learned that even his Facebook Inc (NASDAQ:FB) account had been compromised, after his friends started asking him about his strange behavior on the social network. At last, the attacker sent Naoki an email to extort him:

[Screenshot: the attacker’s extortion email to Naoki]

And then he received GoDaddy’s response to his case report:

[Screenshot: GoDaddy’s response to the case report]

The web hosting company had refused his claim because he was not the “current registrant.” The funny thing is that GoDaddy asked the hacker whether he would mind changing the account information. Why didn’t GoDaddy bother to ask Naoki the same thing when the attacker changed his account details? And then the attacker sent him the following message:

[Screenshot: the attacker’s message to Naoki]

After much deliberation and advice from friends, Naoki decided to give up the Twitter handle to avoid an irreversible disaster.

[Screenshot: Naoki’s reply to the attacker]

He took a new Twitter Inc (NYSE:TWTR) handle “@N_is_stolen”. The attacker responded:

[Screenshot: the attacker’s reply to Naoki]

The attacker took control of his coveted Twitter Inc (NYSE:TWTR) username “@N” and, in return, handed Naoki back full access to his GoDaddy account.

How PayPal and GoDaddy participated in the crime

If you think PayPal played no part in this crime, think again: it was as responsible for the hack as GoDaddy and the attacker were. When Naoki asked the attacker how his GoDaddy account had been hacked, he received the following response:

[Screenshot: the attacker’s explanation of how PayPal and GoDaddy were used]

It’s shocking that PayPal shared the last four digits of Naoki’s credit card number with an attacker over the phone. Even more shocking is that GoDaddy accepted those digits as proof of identity during verification.

It’s horrible how these two “trusted and reputed” companies put their customers at risk.
