All of this was prologue to the hacker's ultimate goal. With his GoDaddy account in hand, the hacker extorted Hiroshima to hand over the @n handle, which he did. A variety of investigations are now ongoing, but @n is now in the hands of one "Badal_NEWS."
Social engineering still works... and works well
What went wrong? It's easy to say Paypal and GoDaddy share the blame, but the common denominator in both cases is simple human nature. To really understand how social engineering like this works, put yourself in the shoes of the company that receives the phone call from the hacker. A panicked user calls you, asking for your help with a problem. He's been the victim of a crime or an accident, and the standard security systems available on the Web aren't helping him. A company like Paypal probably receives thousands of calls like this every day, and the vast majority are likely totally legitimate — real people in real crisis.
It's natural to want to help these people, and a good hacker will have acting skills that are just as developed as his tech skills. But considering the general level of training and experience that most tier one tech support operators have, it probably doesn't take a lot of convincing to trick them into giving up data that they have no business handing out over the phone. To quote David Mamet, "It's called a confidence game. Why? Because you give me your confidence? No. Because I give you mine."
Paypal has denied that its employees released Hiroshima's personal or credit card information. GoDaddy has 'fessed up to its part of the problem, saying it is "making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."
That same rhetoric is used every time a big hack takes place. Apple, for example, briefly froze all over-the-phone password resets after reporter Mat Honan was catastrophically attacked in 2012. The average computer user has dozens of active online accounts, and they'll never all be locked down tight. If a hacker can't grab your Paypal account or your GoDaddy account, he'll simply go after another one. Eventually someone will answer the phone.
Imperfect solutions are better than none
Hiroshima offered a few tips in his Medium post that you can use to help protect yourself. Don't use an email address tied to a personal domain for logins. Increase the time to live (TTL) on your mail server's MX record to give you more time to plan a response if someone takes over your email account. And use two-factor authentication wherever possible. The hacker in this case also gave Hiroshima some good advice: If you're worried about attacks, call the company (Paypal in this case) and ask them to make a note on your file not to release any details about your account over the phone. It can't hurt.
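The MX TTL tip above, turned into a check you can run: an added example (not code from the article or from Hiroshima's post) that parses a BIND-style zone fragment and flags MX records whose TTL is below a chosen minimum, showing a short-TTL zone beside its longer-TTL counterpart. The zone data, the domain names and the one-day threshold are constructed assumptions, not values from the story.

```python
"""Audit MX record TTLs in a BIND-style zone fragment (added example)."""
import re

# Threshold is an assumption: an MX TTL under one day leaves little time to
# react if someone takes over the registrar account and rewrites the MX records.
MIN_MX_TTL_SECONDS = 86400

# Constructed sample zones (example.test is a reserved, non-routable name).
WEAK_ZONE = """\
$TTL 600
example.test.        600    IN  MX  10 mail.example.test.
mail.example.test.   600    IN  A   192.0.2.10
"""

HARDENED_ZONE = """\
$TTL 600
example.test.        604800 IN  MX  10 mail.example.test.
mail.example.test.   600    IN  A   192.0.2.10
"""

# Owner, optional explicit TTL, then "IN MX <priority> <exchange>".
MX_LINE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+MX\s+(\d+)\s+(\S+)", re.IGNORECASE)
DEFAULT_TTL = re.compile(r"^\$TTL\s+(\d+)")


def parse_mx(zone_text):
    """Return (owner, ttl, priority, exchange) for each MX record.

    A record without an explicit TTL inherits the most recent $TTL directive."""
    default_ttl = None
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = DEFAULT_TTL.match(line)
        if m:
            default_ttl = int(m.group(1))
            continue
        m = MX_LINE.match(line)
        if m:
            ttl = int(m.group(2)) if m.group(2) else default_ttl
            records.append((m.group(1), ttl, int(m.group(3)), m.group(4)))
    return records


def short_ttl_mx(zone_text, minimum=MIN_MX_TTL_SECONDS):
    """Return the MX records whose TTL is unknown or below `minimum`."""
    return [r for r in parse_mx(zone_text) if r[1] is None or r[1] < minimum]


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, short_ttl_mx(zone))
```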