Extorted out of a one-character Twitter ID by a hacker who seized control of Godaddy domains


Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit card out of PayPal, used that information to seize control of his Godaddy account, and threatened to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr. Day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, Godaddy or PayPal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).

I'd add that it's generally good practice to avoid Godaddy, because they're SOPA-supporting sellout scum, and they suck.


PayPal: if you don't like the violin you bought, smash it and we'll give you your money back


Just when you thought PayPal couldn't get any stupider, well, they get stupider. Erica sold an antique violin to someone who paid $2500 for it over PayPal. The buyer disputed the authenticity of the violin -- which had been authenticated by a top luthier -- and PayPal instructed him that he could have his money back if he destroyed the violin. He did, and sent the photo of the destroyed, one-of-a-kind, precious instrument to the seller and PayPal. PayPal took the $2500 back from Erica, gave it to the violin-smasher, and called it a day.

I am now out a violin that made it through WWII as well as $2500. This is, of course, upsetting. But my main goal in writing to you is to prevent PayPal from ordering the destruction of violins and other antiquities that they know nothing about. It is beyond me why PayPal simply didn’t have the violin returned to me.

I spoke on the phone to numerous reps from PayPal who 100% defended their action and gave me the party line.

From the Mailbag (via Consumerist)

Phished PayPal accounts selling on the criminal underground for $0.50 apiece


Security researcher Brian Krebs got a look at the auction prices at iProfit.su, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going rate for 100 zero-balance verified PayPal accounts is a mere $50 -- that's 50 cents per account.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.