Passwords, even strong ones, aren't enough to protect you. Your online accounts are only as safe as the security policies of the companies that hold them.
At least that's the apparent lesson to be learned from Naoki Hiroshima's epic account of how one hacker used a series of simple social-engineering tactics to gain control of his online accounts without using a single password.
See also: 7 Ways You're Killing Your Tech
Naoki Hiroshima claims to have tweeted using the @N handle since signing up for Twitter in 2007. In that time, he said, he has fended off multiple attempts by attackers to take control of the coveted one-character account. He claims he was once even offered $50,000 in exchange for the handle.
These attempts were unsuccessful — until Jan. 20.
On that day, according to Hiroshima's account, a hacker posing as a PayPal employee called PayPal's customer service and was ultimately able to obtain the last four digits of Hiroshima's credit card.
The hacker then called GoDaddy's customer service and, after providing the numbers obtained from Paypal, was allowed to "guess" the first two digits of the credit card on file. After providing this information, the hacker gained access to Hiroshima's account and promptly changed the account information, effectively locking the real Hiroshima out of the account.
For Hiroshima, who used GoDaddy to host the domains for his personal websites and email, the significance of being shut out of this account was huge:
Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.
Once in control of Hiroshima's email, the hacker also took control of his Facebook account.
Around this time, Hiroshima says he realized his Twitter account was the target of the attack. He changed the email linked to the account, preventing his attacker from changing the password.
Undeterred, the hacker contacted Hiroshima with an ultimatum: Turn over @N, or lose all of his GoDaddy domains forever. Hiroshima, who had so far been unsuccessful in his attempts to regain control of the account, relented.
True to his word, the hacker returned the GoDaddy account to Hiroshima, now tweeting from @N_is_stolen, and revealed the the details of how he carried out the attack.
If this story sounds familiar, it's because it bears striking similarities to the the 2012 hacking of Wired reporter Mat Honan, who had his iPad, iPhone and MacBook wiped when a hacker used similar social-engineering methods to obtain Honan's iCloud password. Like Hiroshima, the ultimate target of that attack was Honan's Twitter account. Honan nearly irrevocably lost much of his person photos and media, and Hiroshima didn't want the same thing to happen to him.
"I remembered what had happened to @mat and concluded that giving up the [Twitter] account right away would be the only way to avoid an irreversible disaster," Hiroshima wrote.
Honan had his accounts restored and even managed to eventually restore much of the data from his wiped Macbook.
It's not yet clear whether Hiroshima will be as lucky, though it appears the sudden publicity his account has drawn may have given GoDaddy, who did not respond to Mashable's request to comment, more incentive to help him.
Surprisingly @godaddy seems to eager to help me now. I wonder why they didn't do so on the day I shouted for help.
— Naoki Hiroshima (@N_is_stolen) January 29, 2014
 
In a statement to Mashable, Twitter said the company does not comment on specific accounts but confirmed they are investigating the report.
On its part, PayPal has denied disclosing any credit card information to Hiroshima's attacker.
"Our investigation confirmed PayPal did NOT disclose any credit card details," the company said in a tweet Wednesday.
Re: this incident http://t.co/bOiuzqvFep, our investigation confirmed PayPal did NOT disclose any credit card details. More info soon.
— Ask PayPal (@AskPayPal) January 29, 2014
 
PayPal later revealed more details about their internal investigation in a blog post Wednesday. The company called Hiroshima's situation "difficult" but reiterated they did not disclose any of his account information and said his account was never actually compromised.
We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal.
PayPal did not divulge any credit card details related to this account.
PayPal did not divulge any personal or financial information related to this account.
This individual's PayPal account was not compromised.
Have something to add to this story? Share it in the comments.