Man loses rare Twitter handle after PayPal and GoDaddy inadvertently help scammer (Update: PayPal response)

Naoki Hiroshima had (i.e. squatted) a rare and valuable Twitter handle, @N. It was extorted from him, he claims, by a scammer who figured out that PayPal reveals part of one's credit card number during security verification, and that GoDaddy accepts that same part of the number as proof of identity during its own verification.

I asked the attacker how my GoDaddy account was compromised and received this response:

From: SOCIAL MEDIA KING
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:53:52 -0800
Subject: RE: …hello
- I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)
- I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case). I have not found a way to heighten godaddy account security, however if you’d like me to recommend a more secure registrar I recommend: NameCheap or eNom (not network solutions but enom.com)

GoDaddy outright refused to help him at first, too. It's shocking how weak account security is there, and at PayPal: "Don’t let companies such as PayPal and GoDaddy store your credit card information," Hiroshima writes.

UPDATE: On its Twitter account, PayPal denies that it gave out "any credit card details".

Notable Replies

  1. I have no sympathy for someone who still uses GoDaddy after their CEO publicly supported SOPA and was on an elephant-killing safari.

  2. angusm says:

    Increasingly, it seems like the weakest link in our personal security is outside of our control. You can be as diligent and ingenious as you like about protecting your own confidential information, but if that same information is stored by someone else who stores your data in plaintext, hosts malware on their PoS terminals, downloads your records to a laptop and leaves it on the backseat of their car, etc. etc. you're screwed.

    Attempts to resolve the situation are then typically frustrated by the "Too big to care" effect that seems to cling to large organizations.

  3. If they believe his story, can't Twitter just give his handle back to him? If it's extortion, why not call the police or FBI? Or is this just another Internet hoax?

  4. Honestly, this is GoDaddy's fault, and it's not fair to blame PayPal. The last four digits (and first six digits) of your credit card number don't have to be held securely under PCI standards and shouldn't be used to identify anyone. GoDaddy should never have adopted a policy of using last four digits for account recovery -- they could use digits 9 through 12 if they wanted (for 16-digit card numbers).

  5. While I have no love for GoDaddy (I was already on the fence with their weird sexist ads, and the SOPA thing put it over the top for me, so I switched out to a different company), I don't think it's really fair to say "Hah, tough luck dummy, you get what you deserve" just because he uses a registrar with a crappy CEO.
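As an added example, not code from PayPal, GoDaddy, or Hiroshima's post, the Python below models the account-recovery check the scammer's email and reply 4 describe, from the registrar's side. It encodes two rules: the first six and last four card digits are treated as public data (PCI allows them to be stored and displayed in the clear) and are refused as a knowledge factor, and a one-time recovery code delivered to the account's verified contact channel is capped at a fixed number of tries per session, so an agent cannot let a caller "try a range of numbers". The account, code and usernames are constructed sample values; `MAX_ATTEMPTS` and the function names are this example's own choices.

```python
"""Model of an account-recovery verifier that refuses card-number fragments.

Added example (not PayPal's, GoDaddy's or Hiroshima's code). Rules shown:
  1. BIN (first six) and last-four digits are not secrets and never unlock
     an account, even if the caller recites them correctly.
  2. The real factor is a one-time code sent to a verified channel; only its
     hash is stored, and failures are counted and lock the session.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy value for this example

# Factor types a support agent could be tempted to accept but must not.
PUBLIC_CARD_FRAGMENTS = {"card_last4", "card_bin"}


@dataclass
class RecoveryAccount:
    """Constructed sample account; no real customer data."""
    username: str
    card_last4: str                      # printed on receipts, not a secret
    card_bin: str                        # identifies the issuer, not a secret
    recovery_token_hash: bytes = b""     # SHA-256 of the one-time code
    failed_attempts: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)


def issue_recovery_token(acct, token=None):
    """Create a one-time code for delivery to the verified email/SMS channel.

    Only the hash is kept server-side; the code is never read out over the
    phone. `token` may be supplied for deterministic tests.
    """
    token = token or secrets.token_hex(8)
    acct.recovery_token_hash = hashlib.sha256(token.encode()).digest()
    acct.failed_attempts = 0
    acct.locked = False
    return token


def verify_recovery(acct, factor_type, presented):
    """Return True only for the correct one-time code within the attempt cap.

    Card fragments are rejected outright and logged; they do not count as
    attempts because they are never a valid path. Wrong codes count, and
    the session locks once MAX_ATTEMPTS is reached.
    """
    if acct.locked:
        acct.audit.append(f"{acct.username}: rejected, session locked")
        return False
    if factor_type in PUBLIC_CARD_FRAGMENTS:
        acct.audit.append(
            f"{acct.username}: rejected, {factor_type} is public data, not a secret")
        return False
    if factor_type != "recovery_token":
        acct.audit.append(f"{acct.username}: rejected, unknown factor {factor_type}")
        return False
    presented_hash = hashlib.sha256(presented.encode()).digest()
    if acct.recovery_token_hash and hmac.compare_digest(
            presented_hash, acct.recovery_token_hash):
        acct.failed_attempts = 0
        acct.recovery_token_hash = b""   # one-time: burn it after success
        acct.audit.append(f"{acct.username}: recovery code accepted")
        return True
    acct.failed_attempts += 1
    acct.audit.append(
        f"{acct.username}: wrong code, attempt {acct.failed_attempts}/{MAX_ATTEMPTS}")
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
        acct.audit.append(f"{acct.username}: session locked, manual review required")
    return False


if __name__ == "__main__":
    acct = RecoveryAccount("sample_user", card_last4="1234", card_bin="411111")
    code = issue_recovery_token(acct)
    # A caller reciting the last four (learned elsewhere) gets nowhere.
    print(verify_recovery(acct, "card_last4", "1234"))      # False
    # Only the delivered one-time code works, and only within the cap.
    print(verify_recovery(acct, "recovery_token", code))    # True
    print("\n".join(acct.audit))
```

The audit list stands in for the log a support tool should write: every refused card fragment is a signal that someone is probing recovery with public data, which is exactly the pattern the email describes.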
