Updated 1/29 at 9:35 am with PayPal comment.
Poor Naoki Hiroshima. He had a very cool Twitter handle, @N, until recently.
Then a hacker found a way into his GoDaddy account, switched up his email server to forward emails to the hacker’s address, and held the GoDaddy account hostage until Hiroshima handed over the keys to the @N account.
That’s the story Hiroshima tells in a post on Medium, about losing control of his $50,000 Twitter username.
Hiroshima writes that the terrifying story of what happened to Wired writer Mat Honan inclined him to negotiate with the hacker. He handed over control of @N, and regained control of his websites through GoDaddy.
But he also thought to ask the hacker how he’d gained access to Hiroshima’s accounts. It turns out that there were a couple of vulnerabilities in PayPal’s and GoDaddy’s password-recovery systems that the hacker was able to exploit: first, to get the last four digits of Hiroshima’s credit card number from PayPal, and second, to use those four digits to gain access to his GoDaddy account.
Update: PayPal stated, through a tweet, that it looked into the incident and that “our investigation confirmed PayPal did NOT disclose any credit card details.”
Here’s the advice Hiroshima gives on how to avoid a similar attack:
- Don’t let PayPal release any details on your credit cards, including the last four digits, via phone. You can do this, the hacker said, by calling PayPal and asking them to add a note to your account stating that they shouldn’t release any details by phone.
- Don’t use a custom domain name as your login email address for Twitter or other services. Because Hiroshima used a custom domain, the hacker’s GoDaddy hack enabled him to redirect all mail for that domain to his own mailbox. A Gmail.com (or even a Yahoo.com) address would have been more secure.
- Use a longer time to live (TTL) for MX records for your domain name. Instead of an hour, give it a week. This will give you a longer window of opportunity to respond to MX record changes, which control where email sent to your domain name goes.
- Use two-factor authentication wherever possible. It may not be a panacea but it will slow down most hackers. It’s what prevented Hiroshima’s hacker from actually logging in to his PayPal account — which could have been disastrous. Instead, all the hacker got from PayPal was the last four digits of Hiroshima’s credit card.
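As an added check illustrating the MX TTL advice above (this is not code from Hiroshima’s post or from this article), the following Python parses MX records from zone-file style text and flags any whose TTL is below the week the advice recommends. The sample zone and domain names are constructed for the example.

```python
"""Audit MX record TTLs from zone-file style records (added example)."""
import re
from dataclasses import dataclass

# Thresholds taken from the advice: an hour is the common default, a week the target.
ONE_HOUR = 3600
ONE_WEEK = 7 * 24 * 3600

# Matches lines of the form: <name> <ttl> IN MX <preference> <exchange>
MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$"
)


@dataclass
class MxRecord:
    name: str
    ttl: int
    preference: int
    exchange: str


def parse_mx_records(zone_text: str) -> list[MxRecord]:
    """Extract MX records that carry an explicit TTL from zone-file style text."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MX_LINE.match(line)
        if m:
            records.append(
                MxRecord(m["name"], int(m["ttl"]), int(m["pref"]), m["host"].rstrip("."))
            )
    return records


def short_ttl_findings(records: list[MxRecord], minimum_ttl: int = ONE_WEEK) -> list[tuple[str, int]]:
    """Return (exchange, ttl) pairs whose TTL falls below the recommended minimum."""
    return [(r.exchange, r.ttl) for r in records if r.ttl < minimum_ttl]


# Constructed sample zone: one domain on the hour-long default, one already hardened.
SAMPLE_ZONE = """
; constructed example data, not a real zone
example.test.        3600   IN MX 10 mail1.example.test.
example.test.        3600   IN MX 20 mail2.example.test.
hardened.test.       604800 IN MX 10 mx.hardened.test.
"""

if __name__ == "__main__":
    for exchange, ttl in short_ttl_findings(parse_mx_records(SAMPLE_ZONE)):
        print(f"MX {exchange}: TTL {ttl}s is below {ONE_WEEK}s; cached copies expire quickly after a hostile change")
```

A longer TTL only widens the response window for records cached before the change; it does not stop the change itself, so it complements rather than replaces registrar-account protections.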
In addition, Hiroshima recommends not letting companies like PayPal and GoDaddy store your credit card information at all. In fact, he’s abandoning both companies as soon as possible. This might be a bit extreme for most people. But given his experience, his reaction is not surprising.