These Hacks Will Make You Lose Sleep

by Lily Bradic

Until late last month, Naoki Hiroshima was the owner of coveted Twitter handle @N — an account he’d been offered $50,000 for in the past. Hiroshima was used to people attempting to take control of his account, but until January 20th, nobody had succeeded.

Hiroshima was the victim of a seemingly elaborate hack that, once explained by the perpetrator, turned out to be incredibly simple. And, according to the hacker, this is a pretty common trick.

In this case, the hacker called up Paypal — posing as a Paypal employee — and requested the last four digits of Hiroshima’s credit card number. Paypal handed them over. It’s shocking that they didn’t verify someone claiming to be staff. It would be so EASY.

Although he couldn’t get any further with Paypal, the hacker was able to pose as Hiroshima and use this information to verify, and subsequently seize, ownership of his GoDaddy domains over the phone.

By this point, the hacker had control over Hiroshima’s domain names, websites, email accounts and Facebook account. Hiroshima, having guessed that @N was the target of the attack, had already changed the login email for that account.

But the hacker had enough to barter with. To keep everything else, Hiroshima had to give up @N. The hacker explained how it was done, and returned the accounts as promised.

Some skeptics are suggesting that Hiroshima sold his Twitter account — there is a black market for this type of thing —  but it seems unlikely. If he had agreed to sell the handle, the buyer could have reported him to Twitter for TOS violation, waited for them to delete his account, and then take it for themselves.

But that doesn’t mean his account wasn’t worth $50,000. It probably was — people are willing to pay a lot of money for single letter and “first name” Twitter handles. And there’s not usually anything Twitter can do about it. 

If there’s a lesson in this, it’s be careful. Don’t use email addresses registered to your domain name when you’re logging into other sites, and directly instruct companies not to give out any of your details over the phone.

And maybe don’t get so hung up over a username. It’s not worth the heartache. So — is anyone else now feeling strangely content with their plain, unremarkable Twitter handle?