July 5th, 2013

Pay4Tweet is Closed

Twitter, Mediatemple, and Unethical Methods for Handling Identity Theft

On June 1st, 2013, Pay4Tweet's Twitter account was stolen through a breach in Yahoo! Mail's security. Through the hijacked email account, the thieves were able to take not only the @Pay4Tweet Twitter account, but were able to take over the Pay4Tweet.com domain altogether. They were able to access Pay4Tweet's web hosting account with MediaTemple via Yahoo! Mail.
Dealing with hackers is something that any company dealing with transactions has to learn to manage. Assuming that, like financial institutions, internet vendors consider it in their best interest to help their customers recover from identity theft, dealing with hackers becomes merely a bump in the road.
Unfortunately, internet vendors are not financial institutions and, for many, it is not in their best interest to accommodate their users who have been victims of identity theft. Who knew? Below are the responses I received from Twitter and MediaTemple when trying to recover my Twitter account and the Pay4Tweet.com domain.
Twitter's Response:

From: notifications-support@twitter.zendesk.com
Subject: #10037169 Twitter Support: update on "@pay4tweet Twitter handle and www.pay4tweet.com domain name hacked"
Date:

From: Twitter Support

Hello,

If you're encountering personal difficulties, or just need someone to talk to, it may help to speak to a professional who can help you cope with your current circumstances.

There are people who care about you more than you realize. Please take the first step and contact a therapist or call the National Suicide Prevention Lifeline, at 1-800-273-TALK (8255), or you may visit their website: http://www.suicidepreventionlifeline.org.

If you are writing to us because you're concerned that a Twitter user is posting thoughts of suicide or self-harm, you can encourage them to contact a therapist or direct them to other resources.

In the United States:
National Suicide Prevention Lifeline
1-800-273-TALK (8255)
http://www.suicidepreventionlifeline.org

Outside the United States:
Befrienders Worldwide http://befrienders.org/index.asp

We will also reach out to the user and provide them with the above information.

Take care,

Twitter Trust and Safety

Please note: Requests filed via this form that are unrelated to reports of self-harm or suicide will not be reviewed or processed.
As you can see, Twitter's automated reply implies mental instability for anyone that is a victim of identity theft. Bravo Twitter. For a company that's been in the spotlight for not producing user data on demand for the NSA, it begs the question, whose identities are they protecting? That's not an unreasonable one to ask for a social media giant whose account roles are populated increasingly by bots (according to the New York Times), and seems to treat identity theft as a joke.
Because Twitter regularly frustrates developers on its platforms by changing its guidelines and APIs, it wasn't a surprise to see a robotic response. Maybe the bots are in charge now. HAL? SkyNet? Or, maybe, like Pay4Tweet, the entire company has been hijacked. I say this in jest, but you have to have a sense of humor when exposed to a lack of empathy at this level.
MediaTemple's Response:

From: support@mediatemple.net
Subject: SUPPORT (req# 2355620) - Response | Subject: Assistance requested for pay4tweet.com.
Date:

***********************************************
| THIS IS A ONE-WAY EMAIL NOTICE ONLY.
| PLEASE USE THE ACCOUNTCENTER TO RESPOND.
***********************************************

Maurice,

We are very sorry to hear about your situation. We've been informed that there may have been some sort of security breach with your Yahoo! email account(s), and please know, we truly sympathize with this unfortunate situation. However, please understand, you are solely responsible for keeping your account secure. You also bear sole responsibility for any and all actions taken on your account. As stated in our Terms of Service, "…you are required to and solely responsible for maintaining the confidentiality and security of the passwords used to access the (mt) Account, the Service and the Peripherals. Any and all activity that occur under your username and password will be considered done by you and you bear sole responsibility for that activity. Media Temple shall not be liable for any loss or damage arising from or otherwise related to your failure to maintain control over access to your password or username, the (mt) Account, the Service or the Peripherals, whether due to your own negligence or for any other reason." Accordingly, unfortunately, we are unable to offer much assistance in the matter.

In addition, please understand, the matter is entirely outside of our control. To put the situation into perspective, it may be helpful to consider an apartment building. If your unit was broken into and your television was stolen, your landlord would be unable to assist you in retrieving your television from the thieves. In such a scenario, your best course of action would be to contact the appropriate authorities. In applying this example to your current situation, we are the landlord and the domain is the television inside of your unit (or your account). Unfortunately, as the landlord, we are unable to retrieve the domain, as the domain is no longer registered with us. As mentioned by our Support Team, we recommend that you contact ICANN, the governing body over domain name registrations. You may also consider reporting the incident to the appropriate law enforcement agency.

For your reference, the following information may be helpful:

ICANN / UDRP Information
http://www.icann.org/en/help/dndr/udrp

(mt) Media Temple Terms of Service (Passwords)
http://mediatemple.net/company/legal/general_terms.php#section-c2

Again, we realize how frustrating this situation must be for you and we are sorry that we are unable to offer much assistance in the matter. We wish you the best in your pursuit of a resolution.

MediaTemple, as compared to Twitter, not only chose to pass the blame, which is what legal representatives do, but simply chose not to take ANY action to restore the account in spite of being presented with identification and utility documents, as well as having nearly 10 years of their own records to reference for billing names and addresses. Whether or not I am responsible for the initial breach (thanks Yahoo! Mail), recovering the account should be a trivial matter for them.
Unlike MediaTemple, the registrar that the Pay4Tweet.com domain was transferred to has been supportive. Enough to at least point the domain back to its original servers. MediaTemple, however, politely declined to help even with the overwhelming evidence of nearly 10 years of my hosting with them. This was after receiving the same documentation that the new registrar needed to point the domain back to the original DNS addresses.
MediaTemple even added a poor metaphor to explain their decision, comparing the loss of my domain to the loss of property in an apartment. A better metaphor would be to compare a domain name I have hosted with them to a bank account. I've worked at financial institutions as a web engineer for the better part of the past ten years, and I can safely say that a bank that takes no action on identity theft will not be around for long.
In the end, without support from the vendors that run the underlying platforms, Pay4Tweet cannot provide a safe and secure method of managing transactions. It was not the failure in security protocols that was the cause (although Yahoo Mail was indeed hacked), it was the failure of the common courtesy of trusted partners that underlies the reason for the permanent shutdown.
For Pay4Tweet users, I am truly sorry. Pay4Tweet was meant to be a method of funneling advertising revenue back to the people who make social media thrive in the first place. You. I even wrote a blog post about it. Oddly, that blog was posted on May 1st, 2013. On June 1st, 2013, Pay4Tweet was hacked. Just sayin'.
There will soon come a time when "social media" is no longer anti-social with respect to the revenue generation powered by its individual participants. Until then, make sure to max out the security options on your social media and email accounts.
Best Regards,
Mo
Founder, Pay4Tweet
View Maurice Wright's profile on LinkedIn