Naoki Hiroshima is a Web developer in California. Until recently, his Twitter handle was @N – a unique name, to say the least.
But last week, according to Mr. Hiroshima's own account, he received a text message from PayPal, asking for a verification code. He ignored the message until he received an e-mail from GoDaddy, alerting him to changes in his account settings. As it turned out, a hacker had apparently commandeered both accounts with the purpose, Hiroshima says, of forcing him to hand over his @N handle.
It was extortion, in other words, and Hiroshima believes that PayPal and GoDaddy, in allowing the hacker to use simple credit card information to access his account, were complicit in the scam.
"Stupid companies may give out your personal information (like part of your credit card number) to the wrong person," Hiroshima wrote in a post on Medium. "Some of those companies are still employing the unacceptable practice of verifying you with the last some digits of your credit card. To avoid their imprudence from destroying your digital life, don't let companies such as PayPal and GoDaddy store your credit card information."
Of course, as Julianne Pepitone of NBC News notes this afternoon, it's likely that we haven't heard the end of this one – PayPal, for instance, says it didn't give out any of Hiroshima's information to anyone. Meanwhile, the @N handle is again live, operating under the moniker badal_news.
Here's the official statement from GoDaddy:
Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers.
At the very least, the whole debacle seems to be a lesson that it can never hurt to be too careful when it comes to Internet security. But as Matthew Panzarino of TechCrunch notes, for the time being, some problems seem to be out of our hands.
"The question about what can be done to improve security in these matters is a long-running one," Mr. Panzarino writes. "There have been some changes like two-factor authentication being offered by more vendors – but sloppy procedures like allowing account resets with credit-card numbers (especially partial ones!) remain commonplace."
Panzarino points out "that many of these ‘hacks’ don’t take any special technical knowledge. They just require a methodical and bold operator that is willing to pick up the phone and follow a script."