A Twitter username, you might think, isn’t very important. If you can’t have the one you originally want, just stick a couple of underscores in and it’s more or less the same. The lengths that some people have gone to in order to get the name they want, though, suggest that Twitter usernames are more significant than they first appear.
@N
The username @N was so coveted that recently it was stolen from Twitter user Naoki Hiroshima in an elaborate online heist. Naoki registered the username in 2007 and since then has been subject to numerous theft attempts. Naoki even claims that he has been offered as much as $50,000 for the account.
The reason the account is so coveted is possibly its adaptability (the letter N can stand for many different things) and the fact that it is short, taking up just two characters. Whatever reasons people had for wanting the account are largely irrelevant, as this most recent play for @N revealed some worrying flaws in the security of some of the world’s biggest online services.
The method that the hackers used was to hold Naoki’s GoDaddy account to ransom. They changed his password and the email address attached to the account and sent him a message claiming that they would delete the website data in his account if he refused to surrender his Twitter username.
Naoki recalled similar attacks in which users had their entire online profiles wiped out, and so decided to give up the @N handle. The hackers revealed that they were able to access the GoDaddy account by going via PayPal and finding out the last 4 digits of his credit card. Then it was a simple call to GoDaddy, where they were able to verify their details by claiming that they had lost the card. By quoting the last 4 numbers and guessing another two, they were eventually granted access.
In Through The Back Door
The implications of this attack run deeper than simply losing a Twitter username. The fact that the hackers were able to easily gain access to Naoki’s GoDaddy account implies that other accounts may easily be breached too. They could then be held to ransom for other online profiles or details as in this instance, or potentially used as a base to access every single online account belonging to that user. Although a personal Twitter account may not be a huge loss to many people, there are much more sinister actions a hacker can take on uncovering your personal details. As it stands, Naoki has changed his handle to @N_is_stolen, and it is unclear who currently controls @N.
Thankfully, GoDaddy have updated their security policy as a result of the breach and users must now provide 8 card digits, with a lock after 3 failed attempts. It’s good to hear that big companies are willing to listen to their users’ concerns, but perhaps the high publicity this case has received put pressure on them to do so. Unless there is a full-scale revision of security measures though, we are all at risk.