How I Almost Lost My $500,000 Twitter Username

If you haven’t yet, start by reading Naoki Hiroshima’s account of how he was blackmailed into giving his Twitter account away.

I read this tonight, and sadly, the story was all too familiar to me. My version also has a few implications that are far worse. I thought I’d share the story in case anyone is interested.

I’m @jb on both Twitter and Instagram. My username is a very heavy target for these types of attacks. It used to be primarily because of the Jonas Brothers but of course now it’s all related to Justin Bieber. As you can imagine, with the marketing power behind his name, there are thousands if not more companies/hackers/etc… who’d love to get their grubby hands on it for profit. Like Naoki, I too have been offered inordinate sums of money for my username and receive a regular stream of forgot password emails to my inbox.

Last May, I received a forgot password email from Amazon. Although I see a lot of these from Twitter and Instagram, this was the first I had ever received from Amazon. “Why in the world would someone want that?”

I ignored the first email from Amazon like I normally do with any of these that I didn’t initiate. Imagine my surprise when I received a second email about a half hour later saying that my password had been successfully reset! In the same amount of time, I also received 3 fresh forgot password emails from Apple. It was clear I was being targeted with some kind of attack.

I got lucky. Because I still had access to my email account, I was able to quickly do another forgot password request with Amazon and reset it myself. I had caught it just in time — the limbo between when the attacker had gained access to Amazon but had yet to gain access to my email. After I changed my password through their website, I called Amazon, where I learned they had given access to the attacker over the phone. I promptly asked them to lock my account and make a note not to allow any requests to change it again over the phone.

My next step was to call iCloud support and ask them if they had given out any of my information. Sure enough, I finally was able to talk to a representative who was able to tell me that there had been 4 support calls in the last hour regarding my account. The attacker was clearly calling Apple, pretending to be me by giving them my information, and attempting to gain access. I gave them the same instructions I gave Amazon, that this was not me and to please not allow any requests over the phone.

As I was on the phone with them, I received an email from iCloud support with instructions on how to reset my password. It was clearly an email from a representative and not an automated message. And what stood out to me was that the email was “To” a random gmail address and my iCloud address was only CC’d. That was it, I now had the email address the attacker was using. I quickly sent an email to the attacker, assuming I would never hear a response. But I did get a reply a few minutes later.

The attacker was very open about what he was doing. He was after my Twitter username, @jb. He explained that he first started by doing a little research and learning every piece of information he could find on me through public records. My Twitter profile linked to my website, my website had WHOIS information. I use a very very old address on all my public WHOIS records, but it happens to be the address of my parents, and since I’ve shipped gifts to my parents through Amazon, they had that address on file.

He then called Amazon with what little information he had gained and complained that he had lost his password and didn’t have access to that email address anymore. The representative eventually caved and reset the password over the phone, giving him full access to my Amazon account. His plan was to then gain as much information as he could with Amazon (last four of credit card numbers, current and previous addresses, etc…) and use that as ammunition to do the same thing with Apple. And it almost worked. He had an email in his gmail inbox with instructions on how to reset my iCloud account.

Luckily I had been online when all this was happening and was able to call Amazon and Apple respectively to lock my accounts and prevent access. Had I been even 5 minutes later, well…

The scary thing was that I only thought of the true implications of this attack days later. As I was contemplating what had happened and how I could prevent it in the future, a very frightening thought occurred to me. This attacker started with Amazon because he knew that an e-commerce shopping site’s customer support would be relatively easy to convince and gain access. However, that same site offers cloud services that many startups (including mine) rely on to host their data. Droplr, the startup that I am a founder of, is completely based on Amazon’s stack, from using EC2 servers where we host all of our technology to S3 which we use for file storage. This attacker had access to all of it. I was extremely lucky that in his rush to gain access to @jb, he didn’t think to check if my account had anything under AWS.

I was obviously infuriated with Amazon. I spoke to someone on the phone and they promised that it was a priority for them to train their representatives better. There were a couple other very public cases of this happening around the same time so they were just at the beginning of a PR fallout from their lack of security.

So what did I learn?

  1. Even though Amazon encourages you to only have one identity, don’t. Use completely separate accounts for your AWS services and your Amazon.com shopping account.

  2. Always use a private WHOIS service with domains that you own.

  3. Naoki’s thesis was that you shouldn’t use personally owned domain-based email addresses for your logins to these services. Unfortunately, this isn’t a guarantee. The problem is, all the big email providers like Gmail and iCloud are so big that they deal with thousands of requests on a daily basis from people who have genuinely forgotten their password, and the only way they have to grant them access again is “verifying” their identity over the phone. If someone can fake being “you” over the phone, they’re even more likely to succeed with these large providers.

  4. Some of the biggest companies in the world have security that is only as good as a minimum-wage phone support worker who has the power to reset your account. And they have valid business reasons for giving them this power.
