Man loses rare Twitter handle after PayPal and GoDaddy inadvertently help scammer (Update: PayPal response)

Naoki Hiroshima held (squatted, that is) the rare and valuable Twitter handle @N. It was extorted from him, he says, by a scammer who worked out that PayPal’s phone support reveals part of a customer’s credit card number during identity verification, and that GoDaddy’s phone support accepts that same fragment as proof of identity.

I asked the attacker how my GoDaddy account was compromised and received this response:

From: SOCIAL MEDIA KING
To: Naoki Hiroshima
Date: Mon, 20 Jan 2014 19:53:52 -0800
Subject: RE: …hello

– I called PayPal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling PayPal and asking the agent to add a note to your account to not release any details via phone)

– I called GoDaddy and told them I had lost the card but I remembered the last four; the agent then allowed me to try a range of numbers (00-09 in your case). I have not found a way to heighten GoDaddy account security; however, if you’d like me to recommend a more secure registrar, I recommend NameCheap or eNom (not Network Solutions but enom.com)

GoDaddy also refused outright to help him at first. Account security at both companies is shockingly weak, and the flaw is structural: the last four digits of a card number are treated as a shared secret by one support desk and as harmless information by another, so whatever one desk discloses becomes a credential at the other. “Don’t let companies such as PayPal and GoDaddy store your credit card information,” Hiroshima writes.
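The attacker’s email describes a two-step chain: one vendor’s support desk discloses a fragment of the card number, and another vendor’s support desk accepts that fragment (plus a few guessed digits) as proof of identity. The script below is an added example, not code from the Boing Boing post or from Hiroshima’s write-up. It models each desk as a verification rule and searches for a path from publicly known facts to account access, then lists every fact that one desk hands out and another relies on. The rule contents are assumptions reconstructed from the quoted email (what each desk asks for, and ten guesses against a two-digit space from the “range of numbers (00-09)” remark), not the companies’ actual policies; the “hardened” rule set is likewise assumed and shows what removing the shared fragment does to the search.

```python
"""Attack-path search over support-desk verification rules.

Each Rule says what a caller must already know, what the desk hands over on
success, and how much guessing the agent tolerates.  The search chains rules
from publicly known facts to the goal and reports the most likely chain.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    service: str
    requires: FrozenSet[str]   # facts the caller must present
    grants: FrozenSet[str]     # facts or access handed over on success
    guesses: int = 1           # attempts the agent allows in one call
    keyspace: int = 1          # possible values for the guessed part (1 = no guessing)

    def success_probability(self) -> float:
        # Distinct guesses against a uniform keyspace; pure disclosure is 1.0.
        return min(1.0, self.guesses / self.keyspace)


Path = List[Tuple[str, float]]


def find_attack_path(known: FrozenSet[str], rules: List[Rule],
                     goal: str) -> Optional[Tuple[Path, float]]:
    """Return the highest-probability chain of rule applications that turns
    `known` into possession of `goal`, or None if no chain exists."""
    best: Optional[Tuple[Path, float]] = None

    def dfs(facts: FrozenSet[str], used: FrozenSet[int],
            path: Path, prob: float) -> None:
        nonlocal best
        if goal in facts:
            if best is None or prob > best[1]:
                best = (path, prob)
            return
        for i, rule in enumerate(rules):
            # Skip rules already used, rules the caller cannot satisfy yet,
            # and rules that would add nothing new.
            if i in used or not rule.requires <= facts or rule.grants <= facts:
                continue
            p = rule.success_probability()
            dfs(facts | rule.grants, used | {i},
                path + [(rule.service, p)], prob * p)

    dfs(known, frozenset(), [], 1.0)
    return best


def shared_secrets(rules: List[Rule]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Facts that one desk discloses and another desk relies on for
    authentication: every such fact is a cross-service credential."""
    disclosed: Dict[str, List[str]] = {}
    relied_on: Dict[str, List[str]] = {}
    for r in rules:
        for f in r.grants:
            disclosed.setdefault(f, []).append(r.service)
        for f in r.requires:
            relied_on.setdefault(f, []).append(r.service)
    return {f: (disclosed[f], relied_on[f]) for f in disclosed if f in relied_on}


# Constructed from the attacker's quoted email.  Which facts each desk asks
# for is an assumption; the ten-guess / two-digit figures are read from the
# "range of numbers (00-09)" remark and are likewise assumed.
PUBLIC_FACTS = frozenset({"victim_name", "victim_email"})

WEAK_RULES = [
    Rule("PayPal phone support", frozenset({"victim_name", "victim_email"}),
         frozenset({"card_last4"})),
    Rule("GoDaddy phone support", frozenset({"card_last4"}),
         frozenset({"godaddy_account"}), guesses=10, keyspace=100),
]

# Assumed hardened policies: PayPal releases nothing over the phone (the
# "add a note to your account" fix from the email) and GoDaddy requires a
# one-time code sent to the account owner, which no desk discloses.
HARDENED_RULES = [
    Rule("PayPal phone support", frozenset({"victim_name", "victim_email"}),
         frozenset()),
    Rule("GoDaddy phone support", frozenset({"card_last4", "godaddy_otp"}),
         frozenset({"godaddy_account"})),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "shared secrets:", shared_secrets(rules))
        print(label, "attack path:",
              find_attack_path(PUBLIC_FACTS, rules, "godaddy_account"))
```

Under the weak rules the search finds the PayPal-then-GoDaddy chain with a one-in-ten success rate per call, and `shared_secrets` flags `card_last4` as the fact that makes it possible. Under the hardened rules no desk discloses anything another desk accepts, so no path exists. The useful habit is the second check: any fact that appears in one service’s disclosure list and another service’s verification list is a credential whether or not either company thinks of it as one.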

UPDATE: On its Twitter account, PayPal denies that it gave out “any credit card details”.