Jan. 31st, 2014

thewayne: (Cyranose)
This guy had the handle @H. As a single-letter Twitter handle, it had drawn offers of up to $50,000, but he held on to it. A hacker got hold of a person at PayPal, convinced them to give him the last four digits of the credit card number, then convinced GoDaddy that he was the legitimate registrar. The thief contacted the owner through email and Facebook and basically extorted him into handing over the Twitter account in exchange for returning the many web sites hosted on GoDaddy.

Reminiscent of what happened to Matt Honan last year. And there's an excellent comment on this article from someone who has fended off similar attacks; that person owns the Twitter and Instagram accounts @JB, and got hounded by people who wanted it for the Jonas Brothers and now the Beebster.

It's debatable how he could have prevented the attack. One option would be to use a different email account for every service, so you'd have name.AMAZON@gmail.com, name.PAYPAL@gmail.com, name.GODADDY@... You get the idea. A friend of mine does this, at least in a limited fashion. It's not easy to manage. You could use a private domain for those email addresses, which would be slightly easier to manage, but then if your personal server gets compromised, all of those email addresses are now known.
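As an added example (not code from the post), here is a small Python script that implements the per-service address scheme just described and goes one step beyond it: it checks incoming mail so that a message addressed to one service's alias but sent from a domain that service does not use gets flagged, which is what tells you which service leaked or lost the address. The mailbox name, service list and sample messages are constructed placeholders.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Per-service alias scheme from the post: one mailbox, one tag per service.
# MAILBOX, DOMAIN and SERVICES are constructed placeholders, not real accounts.
MAILBOX = "name"
DOMAIN = "gmail.com"
SERVICES = {
    "AMAZON": {"amazon.com"},
    "PAYPAL": {"paypal.com"},
    "GODADDY": {"godaddy.com"},
}
ALIAS_RE = re.compile(rf"{re.escape(MAILBOX)}\.([A-Za-z]+)@{re.escape(DOMAIN)}", re.I)

def alias_for(service: str) -> str:
    """Login address to register with one service, e.g. name.AMAZON@gmail.com."""
    if service not in SERVICES:
        raise KeyError(f"unknown service {service!r}")
    return f"{MAILBOX}.{service}@{DOMAIN}"

def service_from_alias(to_header: str):
    """Recover the service tag from a To: header; None if it is not an alias."""
    addr = parseaddr(to_header)[1]
    m = ALIAS_RE.fullmatch(addr)
    return m.group(1).upper() if m else None

def check_message(raw: str) -> str:
    """Classify one message: 'ok', 'leaked:<TAG>', 'unknown-tag:<TAG>' or 'not-alias'."""
    hdr = HeaderParser().parsestr(raw)
    service = service_from_alias(hdr.get("To", ""))
    if service is None:
        return "not-alias"
    if service not in SERVICES:
        return f"unknown-tag:{service}"
    sender_domain = parseaddr(hdr.get("From", ""))[1].rpartition("@")[2].lower()
    # Mail to the alias must come from the service it was given to; anything else
    # means the address has been exposed (breach, resale or phishing list).
    return "ok" if sender_domain in SERVICES[service] else f"leaked:{service}"

# Constructed sample messages, not real mail.
SAMPLES = [
    "From: Amazon <order-update@amazon.com>\nTo: name.AMAZON@gmail.com\nSubject: Your order\n\nbody",
    "From: Support <help@paypa1-secure.example>\nTo: name.PAYPAL@gmail.com\nSubject: Verify\n\nbody",
    "From: Friend <friend@example.org>\nTo: name@gmail.com\nSubject: hi\n\nbody",
]

def triage(messages=SAMPLES) -> list:
    """Run the check over a batch of raw messages and return one verdict each."""
    return [check_message(m) for m in messages]

if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```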

One thing that I like about smartphones is the ability to easily monitor multiple email accounts; I read eight different email accounts on my iPhone and am adding #9 today. But I now have a single point of vulnerability if someone steals my phone while it isn't locked and it takes me time to get to a computer to remotely wipe it.

There are no easy defenses against determined criminals.

https://medium.com/p/24eb09e026dd

http://yro.slashdot.org/story/14/01/29/1527247/developer-loses-single-letter-twitter-handle-through-extortion
thewayne: (Cyranose)
I was thinking about the guy who just lost his @H Twitter handle. The comment in reply to his post talked about the attacker getting into his Amazon account, going through his old orders, and finding an old address that was his parents' house. Once he had that, he started hitting public records repositories and building a history of the replier to build up a social engineering attack.

I decided it would be good to delete the two or three extra addresses that I had in Amazon, so I logged on and deleted them. And I decided to check my order history. And there, in 1999, my oldest logged order with Amazon (though I don't know that it was my first), was the address of my old condo in Phoenix. My order history also includes my parents' address, and that of a few friends. It's all there.

I'm not sure what I'm going to do about this. I'm not a prime target for people wanting to steal this sort of information for social engineering attacks against me; I'm just not that important. All of the domains that I own are run through a privacy protection service, so you can't get my name and address information from my web sites, though that information is stored on some of my sites for business purposes. I'm thinking of maybe setting up a domain with a name that is not used anywhere, having no web site for it, and just using a mail service to toughen up the logins for the various commercial web sites that I use, so if one is compromised they might have a harder time compromising the other accounts.

But is it worth going to that extreme?

Page generated Aug. 12th, 2025 05:13 pm
Powered by Dreamwidth Studios