Twitter Username Stolen Thanks to PayPal and GoDaddy
Naoki Hiroshima (via Hacker News):
I tried to log in to my GoDaddy account, but it didn’t work. I called GoDaddy and explained the situation. The representative asked me the last 6 digits of my credit card number as a method of verification. This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.
He recommends two-factor authentication, not storing credit card information with your accounts (to prevent it from being used for fraudulent verification), and not using a custom domain for your e-mail address of record.
Update (2014-01-30): GoDaddy requires a valid payment method for each domain. So you cannot actually remove your credit card information (unless you replace it with your bank information), and you cannot enter an invalid card number. You can, however, have your card issuer generate a single-use number and enter that, even if the number has already been used elsewhere.
Update (2014-01-31): PayPal (via Emil Protalinski and Hacker News):
PayPal did not divulge any credit card details related to this account.
I read this tonight, and sadly, the story was all too familiar to me. My version also has a few implications that are far worse.
Update (2014-02-26): Josh Ong (via John Gruber):
While it remains to be seen what exactly took place behind the scenes at PayPal and GoDaddy, and why it took so long for Twitter to decide to return the account to its original owner, at least we’ve arrived at a happy resolution for this particular saga.