GoDaddy Updates Its User Protection Policies In Wake Of Infamous Twitter Account Extortion

GoDaddy has updated its account security policies in the wake of the now infamous extortion of a Twitter account. As TechCrunch previously reported, a hacker claimed to have gained the Twitter user’s last four credit card digits from PayPal, which were then used to convince GoDaddy to reset their account.

The compromised GoDaddy account — and its requisite domain collection — was used as leverage to extort the user out of their excellent Twitter account, @N. In the wake of the hacking and the ensuing outrage over lax security and denials of culpability, TechCrunch wondered out loud why Twitter itself hadn’t made @N whole.

We spoke to @N, known to most as Naoki Hiroshima, after the fact, and he detailed a few things that GoDaddy should do to tighten its security, methods that might have helped protect his account:

“[Two factor authentication] can’t prevent this from happening again,” says Hiroshima. “GoDaddy allowed the guy to reset everything over the phone. As long as a company only uses the last 4 digits of a [credit card] to verify [identity], this will keep happening. They should ask multiple questions.”

GoDaddy has taken steps that mirror what Hiroshima felt was needed. In a tweet today, the company said the following:

@N_is_stolen Will do. We now require 8 card digits, lock after 3 attempts and deal with 2-factor authentication accounts differently. ^NF

Requiring more credit card digits matters. If the hacker in question had been required to provide that quantity of information, the jig would have been up prematurely: The hacker claims that PayPal gave them the last four digits of Hiroshima’s credit card. If the GoDaddy threshold had been higher, we wouldn’t be talking about this now.

It’s a bummer that GoDaddy was able to be compromised in the above way, but the new security policies should reduce future risk for its customers, of which I am one.

I’ve reached out to GoDaddy for an explanation of the changes to its security policies and will update this post when I hear back.
