January 30, 2014, 9:11 AM — GoDaddy has acknowledged that one of its employees fell victim to a social engineering attack allowing a hacker to take over a customer's domain names and eventually extort a coveted Twitter user name from him. PayPal, which the victim claimed also played a role in the attack, denied the accusations.
Naoki Hiroshima, a software engineer and creator of the Cocoyon location sharing mobile app, reported Wednesday in a blog post that a hacker successfully extorted him into giving up his single-letter Twitter user name, called @N, after first hijacking his domain names registered at GoDaddy, email address and Facebook account.
Hiroshima claims he had received offers in the past from people willing to buy his @N Twitter handle for as much as US$50,000. He also said he regularly receives password reset emails from Twitter, suggesting that the account is a constant target for hackers.
The latest attack involved a hacker gaining access to his GoDaddy account that's used to manage several domain names, including the one used for his primary email address. This allowed the hacker to gain control over the email address and reset the password for Hiroshima's account on Facebook, but not Twitter since the developer had changed the email address associated with the latter as a precaution.
GoDaddy acknowledged Wednesday that one of its employees was tricked by the attacker.
"Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy," the company said in a statement on its website. "The hacker then socially engineered an employee to provide the remaining information needed to access the customer account."
"The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers," the company said. "We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."
In emails exchanged with Hiroshima that the developer published on his blog, the hacker claimed to have first used social engineering on a PayPal customer support representative in order to obtain the last four digits of the credit card associated with Hiroshima's PayPal account.
The hacker claimed he then called GoDaddy's customer support and posed as the developer. In order to verify his identity, GoDaddy asked for the last 6 digits of the credit card on record. The attacker said had the last four from PayPal and simply guessed the other two.
"I got it in the first call, most agents will just keep trying until they get it," the attacker allegedly told Hiroshima via email.