PayPal and GoDaddy will hand your data over to just about anyone


An app developer who had a rare Twitter username revealed he has been hacked by a person who wanted to own the @N handle at all costs, with PayPal and GoDaddy serving as unsuspecting accomplices in the ordeal. After locking Naoki Hiroshima out of his PayPal and GoDaddy accounts, the hacker demanded a compromise – “access to @N for about 5 minutes while I swap the handle in exchange for your GoDaddy and help securing your data,” he wrote in an email.

Hiroshima had to agree to the exchange, as GoDaddy was not able to help him regain control of his web properties otherwise. After the exchange, the hacker told Hiroshima how he was able to gain access to his online properties, revealing it all started with PayPal, which gave the attacker the last four digits of his credit card. He then contacted GoDaddy by phone, just like he did with PayPal, saying that he had lost the card but remembered the last four digits.

Apparently, GoDaddy would have allowed the hacker to keep trying until he got it right, although he seemingly managed to guess the numbers from the beginning – it’s not clear whether the same cards were used for these two accounts, but it’s certainly a possibility.

To avoid such security hassles, Hiroshima advises users not to use the same email address for multiple services, and not to use a custom domain for logins. Furthermore, he advises better security for web properties, as well as using two-factor authentication when available. Interestingly, the hacker also revealed that PayPal users could avoid such an issue by calling the company and placing a note on their accounts not to release any details via phone.

Wired’s Mat Honan was also hacked last year, with an attacker taking advantage of certain security flaws in Apple and Amazon to access and wipe personal data.

PayPal, GoDaddy and Twitter are each looking into the matter, The Next Web has been told.
