"I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:
I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?"
And then later the attacker explains the attack in detail.
Naoki Hiroshima, the victim, wonders "what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification". The answer is that GoDaddy accepting this as verification is more shocking. The last 4 digits of your credit card appear everywhere, from restaurant receipts to not-quite-logged-in-so-we'll-need-your-password-again-to-do-anything-really-important sections of websites. They are not really secure. That isn't to say that PayPal should give out these digits without significant verification, but what GoDaddy did is far worse.
GoDaddy accepted the last 4 digits as verification, but also required the first 2 digits. If you know anything about how credit cards work, you'll know that requiring the first 2 digits add almost no extra security. The first digit will be either 4 (Visa), 5 (MasterCard) or 3 (Amex) in the vast majority of cases. For Amex cards, the second digit will be 4 or 7. For Visa and MasterCard, the second digit (actually the first 4-6 digits) indicate which bank issued the card. So for most cards, there are only 22 or so pairs of starting digits, and if you know the card type or bank you can narrow things down further. To make matters (much) worse, "GoDaddy allowed him to keep trying until he nailed it. Insane."
Yet another reason I'm happy that I no longer use GoDaddy.