GoDaddy Admits Hacker’s Social Engineering Led It To Divulge Info In @N Twitter Account Hack

An update in the @N account hacking case has just come through from GoDaddy, one of the companies involved in the somewhat convoluted social engineering case.  The company admits that one of its employees was ‘socially engineered’ into giving out additional information which allowed a hacker to gain access to Naoki Hiroshima’s GoDaddy account.

The hack, which we detailed in a post earlier today, was performed by calling up PayPal and GoDaddy to gain access to Hiroshima’s personal email, which was then used to extort the @N Twitter user handle from him.

Hiroshima outlined the hack in a post on Medium, which garnered a lot of attention. We received responses from Twitter that the matter was being looked into and PayPal was spurred to issue a denial that it had provided credit card information, and to note that its employees were trained to avoid social engineering attacks.

Social engineering is a method of hacking in which attackers utilize personal or not-so-personal information to impersonate the rightful owner of an account. They call up the company in question and engineer a ‘reset’ of the account permissions that allow them to take over.

In Hiroshima’s case, the target was simply his Twitter handle, but it could easily be things like bank accounts or websites.

GoDaddy Chief Information Security Office Todd Redfoot issued TechCrunch the following statement about the hack:

Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers.

Redfoot also says that GoDaddy is “making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”

The sour note here is that these techniques really are nothing new. As we noted in our piece earlier today, some very high-profile hacks have been accomplished over the last couple of years using them. Not the least of which was a widely read case in which Wired writer Mat Honan’s accounts were nearly decimated by hackers employing social engineering techniques.

If anything, cases like Honan’s and this one about Josh Bryant (@jb)’s hack shared via Daring Fireball should have thrown up red flags for any Internet company dealing in identity. These are not new tactics and they should be guarded against as a very basic precaution.

More to follow…

Image Credit: Hans J E