Update: GoDaddy confirms the social engineering aspects of this Twitter extortion scheme.

Update 2: Added commentary from Chris Hadnagy and Michele Fincher, from Social-Engineer Inc.

Leverage. That's what the criminal had when he contacted Naoki Hiroshima. Until recently, Hiroshima held one of the highly prized single-letter Twitter profiles; his was @N, but now it's @N_is_stolen.

The details of his story are posted to his Medium account.

In order to steal the coveted Twitter account, the criminal behind this scheme started with PayPal. Initially, they tried to reset the account password, but Hiroshima uses two-factor authentication, so that attempt failed. The attacker tried again, this time allegedly calling PayPal and posing as an employee, where they claim they managed to get the customer service representative to give out the last four digits of Hiroshima's credit card.

In a statement, PayPal said that Hiroshima's personal details and credit card details were not shared, noting that Hiroshima's PayPal account was not compromised.

"We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer's information by contacting PayPal... Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post. We are personally reaching out to the customer to see if we can assist him in any way."

It's entirely possible the criminal lied to Hiroshima; that's what criminals do. So their claims that they posed as a PayPal employee could be completely false.
But whoever is behind the attack did have the last four digits of the credit card in question, because this person used them to gain access to Hiroshima's GoDaddy account.

According to the criminal, who explained the process to Hiroshima, they called GoDaddy and gained access to his account by pretending to have lost the card on file, but told the customer service representative that they recalled the last four digits, which can be used for verification of account ownership.

Compounding the problem, the criminal noted that they were allowed to guess the first two digits of the card GoDaddy had on file to prove they were the owner of the account. They guessed correctly on the first try. Now Hiroshima's GoDaddy account was in the hands of the criminal behind this scheme, and they altered all of the account details.

With the details changed, GoDaddy told Hiroshima that he wasn't the owner of the account, and as such, there was nothing that could be done to help him. Stuck, with few options, Hiroshima is left to deal with an attacker who wants to make a trade.

GoDaddy didn't respond to emails seeking comment for this story [see statement below], but they have told Hiroshima they are willing to assist him, now that the story is out in the open.

As Hiroshima put it:

"It's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification."

Once the attacker had control over Hiroshima's GoDaddy account, they threatened to delete data unless Hiroshima gave up his Twitter profile.
Feeling pressure, Hiroshima relented and released the @N account.

Keeping to their word, the criminal returned control of the GoDaddy account to its rightful owner, which allowed Hiroshima to start the recovery process and attempt to protect his remaining accounts.

Twitter is investigating, but wouldn't comment further when asked for details on the status of @N.

Social engineering is an attack on the mind, and one that plays on basic human traits. In this case, if the attacker is to be believed, a PayPal representative shared information because they were under the impression they were helping a co-worker.

However, even if the criminal lied, their claims ring true, because such security blunders happen all the time. If the information is presumed to be of little value, then little effort is made to protect it.

In this case, the last four digits of a credit card are seen as useless, because on their own they don't amount to much. But the problem is that they're often used as a means of identification, which is a bad idea no matter how you look at it.

Add to that the fact that GoDaddy allowed the criminal to guess the first two digits of the card on the account, which are uniform to begin with, and you have a breach just waiting to happen.

These little gaps in security are what social engineers focus on, and given that people generally want to help others, all one needs is time. Eventually they'll get what they want simply by asking.

Update:

GoDaddy's CISO, Todd Redfoot, sent the following statement:

Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account.

The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.

Update 2:

Chris Hadnagy and Michele Fincher, two well-known social engineering experts, told the Hash that this was "a pure social engineering attack from start to finish."

This would be a good opportunity to remind people to review their various accounts, passwords, and whether they allow any entities to store credit card or personal information. The attacker did his homework and came at the guy through multiple channels. The guy in the article suggested using a Gmail password as opposed to the domain password in case of compromise and extending your TTL - but it is a safer bet to do some things like:

Call your hosting / payment / card companies and have notes put on your account about information needed to give out your details;

Do not reuse passwords and make them stronger than you think you need;

Finally, review the companies you use to host and control things.
It is a lot of work to switch companies, especially if you host a lot of domains, so do your due diligence and choose one that will serve your needs.

Companies that hold our information are obviously not going to any extent to protect our information, so it's up to the individual user. I am amazed at how easy it was for the attacker to trick PayPal. It is something that we just can't imagine, as many of us with PayPal accounts have had problems trying to do legit business with them. So this just blows me away personally. But it also points to the increasing number of MULTI-STAGED [Social Engineering] attacks. This is not new, but in the last few years we are seeing much more of these popping up.
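The verification failure described in the article (last four digits accepted as proof, then a free guess at the first two) and the experts' advice to have a note put on the account can both be expressed as an account-recovery policy. The code below is an added illustration written for this page, not code from GoDaddy, PayPal or the article; the factor names, bit weights, threshold and sample account values are all assumptions.

```python
# Assumed assurance weight, in bits, for each recovery factor (illustrative
# numbers, not any provider's policy). Card last-four appear on receipts and
# at merchants; the first two digits are issuer prefixes with few values.
FACTOR_BITS = {
    "card_last4": 0,
    "card_first2": 0,
    "totp_code": 20,               # code from the authenticator enrolled on the account
    "callback_phone_on_file": 20,  # agent calls the number already on record
}
REQUIRED_BITS = 20     # assurance needed before contact details may change
MAX_WRONG_ANSWERS = 1  # a single wrong answer ends knowledge-based recovery


class RecoverySession:
    def __init__(self, on_file, note_requires=None):
        self.on_file = on_file              # values the provider can check
        self.note_requires = note_requires  # factor demanded by a note on the account
        self.bits, self.wrong, self.locked = 0, 0, False
        self.verified = set()

    def present(self, factor, value):
        """Caller offers an answer: a match adds assurance, a miss is counted."""
        if self.locked or factor not in FACTOR_BITS:
            return False
        if value != self.on_file.get(factor):
            self.wrong += 1
            self.locked = self.wrong >= MAX_WRONG_ANSWERS  # no second guess
            return False
        self.bits += FACTOR_BITS[factor]
        self.verified.add(factor)
        return True

    def may_change_account(self):
        if self.locked or self.bits < REQUIRED_BITS:
            return False
        return self.note_requires is None or self.note_requires in self.verified


def replay(on_file, answers, note_requires=None):
    """Feed (factor, value) answers in order; report whether the change is allowed."""
    session = RecoverySession(on_file, note_requires)
    for factor, value in answers:
        session.present(factor, value)
    return session.may_change_account()


# Constructed sample account. A real TOTP check would derive the code from the
# enrolled secret instead of comparing a stored string; the callback value is
# True once the agent has reached the customer at the number on record.
ON_FILE = {"card_last4": "1234", "card_first2": "51", "totp_code": "482913",
           "callback_phone_on_file": True}
```

With these weights the sequence from the article (correct last four, then a correct first-two guess) still totals zero bits and is refused, while a wrong first guess locks the session instead of inviting another try.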