Twitter Social Engineering Account Takeover Saga Continues
Yesterday, I wrote about the ignominious story of how Twitter user Naoki Hiroshima lost his @N Twitter account. The story involved somewhat questionable actions from vendors PayPal and GoDaddy, and the story is still evolving.
After the media coverage here on eWEEK and elsewhere, both PayPal and GoDaddy issued public statements on Wednesday, Jan. 29, in a bid to reassure users that security is a priority.
PayPal responded to the story by denying that it divulged any credit card details related to Hiroshima's account. Hiroshima alleged that the person who took over his @N Twitter account was able to get the last four digits of Hiroshima's credit card number from PayPal; the number was then used in the second stage of the social engineering attack which, was the GoDaddy domain account takeover.
"Our customer service agents are well-trained to prevent social hacking attempts like the ones detailed in this blog post," PayPal stated.
GoDaddy responded to the Hiroshima account takeover incident by claiming that the attacker already had lots of information prior to contacting GoDaddy.
"The hacker then socially-engineered an employee to provide the remaining information needed to access the customer account," Todd Redfoot, GoDaddy chief information security officer, said in a statement. "The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers."
GoDaddy is making necessary changes to employee training to provide security to its customers and stay ahead of evolving hacker techniques, Redfoot added.
The most shocking part of the evolving story, however, is with Twitter, where Hiroshima lost his coveted @N account. Even after all the media attention, Hiroshima still has not yet regained the @N Twitter account.
"While we don't comment on individual accounts, we are investigating the report," Twitter spokesperson Jim Prosser told eWEEK.
According to Hiroshima, Twitter has ignored his claims to regain control of the @N account. Late Wednesday afternoon, Hiroshima now using the Twitter handle @N_is_stolen, tweeted: "It seems the guy who stole @n from me just deleted the account. It's available but unavailable to take."
Several hours later, the @N account reappeared, but it wasn't Hiroshima who was in control.
"It seems that Twitter simply ignored my claim and let somebody grab @N freely. Seriously?" Hiroshima tweeted.
It's great that PayPal and GoDaddy have taken some public steps to prevent this same kind of situation from happening again. Social engineering by phone and tricking people who have the ability to erase a person's digital life is an extremely serious risk that should not be understated.
Let's hope Twitter now does the right thing here, too, sooner rather than later and that there is a happy ending to the @N saga.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.