After an app developer revealed how a hacker managed to get access to his web properties and hold them for ransom by exploiting some potential security flaws in PayPal’s and GoDaddy’s customer identification policies, the two companies have each commented on the matter. PayPal said in a blog post that Naoki Hiroshima’s PayPal account has not been compromised, even though there was a “failed attempt made to gain this customer’s information by contacting PayPal.”
The company added that it “did not divulge any credit card details related to this account,” and that it “did not divulge any personal or financial information related to this account.” Hiroshima said the hacker told him he was able to find out the last four digits of the card registered with PayPal by simply calling the company and successfully impersonating the developer.
The Next Web reports that GoDaddy has sent in an official statement partially admitting that it helped the hacker gain access to Hiroshima’s GoDaddy account, while saying the person already had some of the information required to access the account.
“Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account,” GoDaddy Chief Information Security Officer Todd Redfoot said. “The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”
Meanwhile, Twitter has yet to come out with a public response on the matter. Hiroshima wrote on Twitter that the company “simply ignored my claim and let somebody grab @N [the rare Twitter handle that was the object of the heist] freely.” According to the developer, Twitter responded to his claim by saying, “Unfortunately, we’re unable to verify you as the account holder and cannot assist you in accessing the account.”