A hacker has used PayPal and GoDaddy security flaws to take over a user's accounts and extort his victim for a rare Twitter account.

Update: PayPal has told IBTimes UK that it definitely did not release any credit card details, and is preparing an update with more information.

A Twitter user has had his unique username - for which he was once offered $50,000 (£30,167) - taken from him after a hacker gained access to his PayPal and GoDaddy accounts and held the information to ransom.

App developer Naoki Hiroshima acquired the unique Twitter handle @N in 2007, and since then many hackers have tried and failed to take it from him. Hiroshima says that someone even once offered him up to $50,000 to sell it - but he declined.

On 20 January Hiroshima discovered a hacker was trying to gain access to his PayPal account. After failing to breach the account, the hacker rang PayPal and, using "simple engineering tactics", convinced them to release the last four digits of Hiroshima's credit card.

The hacker then moved on to compromising Hiroshima's websites, which are hosted by GoDaddy. Using the credit card information he obtained from PayPal, the hacker tried to convince GoDaddy to let him access Hiroshima's personal domain name. That would in turn give the hacker control of Hiroshima's Google Apps email account, which was connected to the Twitter account.

Already changed

Having realised that he was being attacked, Hiroshima took some action, but it was too late:

"I tried to log in to my GoDaddy account, but it didn't work. I called GoDaddy and explained the situation. The representative asked me the last 6 digits of my credit card number as a method of verification," writes Hiroshima in his blog.

"This didn't work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name."

Although Hiroshima, who is based in California, contacted GoDaddy and explained the situation, GoDaddy refused to give him access to his account as the registrar information had been changed to that of someone else, and advised him to seek legal action.


Hiroshima managed to change the email address attached to his Twitter account before the hacker was able to gain access to it, but the hacker now had access to his Facebook account, and all of the domains in his GoDaddy account.

Since the hacker was still unable to gain access to Hiroshima's Twitter account, he then sent an extortion email demanding that Hiroshima hand over the Twitter account in exchange for getting his GoDaddy domains back, as well as advice on how to secure his data.

The email, from "Social Media King" reads:

"I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again.

"I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?"

No option

Fearful that he was facing a digital disaster similar to what happened to Wired's Mat Honan in 2012, Hiroshima gave the hacker what he wanted.

Hiroshima's advice to other users is to avoid using custom domain email addresses to log into web services, as they can be more easily compromised than an address at a popular email domain like gmail.com or yahoo.com.

Hiroshima's experience highlights the fragile nature of a digital life: hackers do not need a high level of technical skill to access accounts and sensitive information, only knowledge of how weaknesses in one company's security measures can be used to compromise another.

Both GoDaddy and PayPal say they are investigating the issue, but for Hiroshima it is all too late:

"To avoid their imprudence from destroying your digital life, don't let companies such as PayPal and GoDaddy store your credit card information. I just removed mine. I'll also be leaving GoDaddy and PayPal as soon as possible," Hiroshima advises.