I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.
While eating lunch on January 20, 2014, I received a text message from PayPal for a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.
Later in the day, I checked my email, which uses my personal domain name (registered with GoDaddy) through Google Apps. I found the last message I had received was from GoDaddy with the subject “Account Settings Change Confirmation.” There was a good reason why that was the last one.
From: <[email protected]> GoDaddy
To: <*****@*****.***> Naoki Hiroshima
Date: Mon, 20 Jan 2014 12:50:02 -0800
Subject: Account Settings Change Confirmation
Dear naoki hiroshima,
You are receiving this email because the Account Settings were modified for the following Customer Account:
There will be a brief period before this request takes effect.
If these modifications were made without your consent, please log in to your account and update your security settings.
If you are unable to log in to your account or if unauthorized changes have been made to domain names associated with the account, please contact our customer support team for assistance: [email protected] or (480) 505-8877.
Please note that Accounts are subject to our Universal Terms of Service.
I tried to log in to my GoDaddy account, but it didn’t work. I called GoDaddy and explained the situation. The representative asked me for the last 6 digits of my credit card number as a method of verification. This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.
The GoDaddy representative suggested that I fill out a case report on GoDaddy’s website using my government identification. I did that and was told a response could take up to 48 hours. I expected that this would be sufficient to prove my identity and ownership of the account.
Let The Extortion Begin
Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.
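Mail for a domain is delivered to whatever hosts its MX records name, and those records are served by whatever name servers the registrar account points to, so a change in either one reroutes every password-reset email. The following is an added example, not part of the original post, that compares a known-good DNS snapshot with a later one and reports NS/MX drift. The domain, the snapshots and the function names are constructed for illustration; only Google's MX host names are real.

```python
# Added example; every domain, host and record below is constructed sample
# data, except Google's published MX host names.
WATCHED = ("NS", "MX")  # record types that decide where a domain's mail goes

BASELINE = """\
example.com. 3600 IN NS ns1.dns-host.example.
example.com. 3600 IN MX 1 aspmx.l.google.com.
example.com. 3600 IN MX 5 alt1.aspmx.l.google.com.
"""

OBSERVED = """\
example.com. 3600 IN NS ns1.dns-host.example.
example.com. 300 IN MX 0 mail.unknown-host.example. ; seen after the change
"""


def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines into {(name, type): {targets}}."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # skip blank or malformed lines
        name, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        # For MX the target host is the last field (after the preference).
        target = fields[-1] if rtype == "MX" else fields[4]
        records.setdefault((name, rtype), set()).add(target.lower().rstrip("."))
    return records


def routing_drift(baseline_text, observed_text):
    """Return one finding per NS/MX record set that differs from the baseline."""
    base, seen = parse_records(baseline_text), parse_records(observed_text)
    findings = []
    for key in sorted(set(base) | set(seen)):
        if key[1] not in WATCHED:
            continue
        added = seen.get(key, set()) - base.get(key, set())
        removed = base.get(key, set()) - seen.get(key, set())
        if added or removed:
            findings.append({"name": key[0], "type": key[1],
                             "added": sorted(added), "removed": sorted(removed)})
    return findings


if __name__ == "__main__":
    for finding in routing_drift(BASELINE, OBSERVED):
        print("ALERT mail routing changed:", finding)
```

Run against snapshots taken from a resolver outside the domain's own infrastructure, and send alerts to an address that does not depend on the monitored domain.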