Apple Support Allowed Hacker Access to Reporter's iCloud Account

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,727
8,945





On Friday, Wired writer Mat Honan recounted the tale of how his iCloud account was hacked which resulted in his iPhone, iPad and MacBook Air getting remote wiped.

The point of entry appeared to be his iCloud account which was then used to gain access to Gmail and then his and former-employer Gizmodo's Twitter accounts.
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn't use elsewhere.
...
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's they were then able to gain entry to that as well.
Honan wasn't entirely sure how the hackers had gotten access to his iCloud account. His guess was that they had somehow brute-force guessed the password, while others speculated his password had been keylogged or used in another insecure service.

As it turns out, the hacker was able to call Apple support and convince them they were the user. From an update to the original blog post:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
After convincing Apple support that they were Mat Honan, the hacker had Apple Support change Honan's iCloud password which gave them full access. From there, they were able to perform the remote wipes on Honan's devices using Apple's Find My iPhone service which offers remote wipe as a security feature for lost devices.

As a somewhat public figure, Honan may have been an easier target than the average iCloud user, but many users may also have personal information publicly available on online services such as Facebook that could be used in a similar fashion. Forbes' Adrian Kingsley-Hughes suggests that Apple "needs to tighten up security and come clean about what went wrong here."

Article Link: Apple Support Allowed Hacker Access to Reporter's iCloud Account
 

ThatsMeRight

macrumors 68020
Sep 12, 2009
2,257
124

alq

macrumors member
May 6, 2011
80
8
Panamá
That could never happen in Europe. Apple support here is unfriendly and would never ever do a "favor".
 

Northgrove

macrumors 65816
Aug 3, 2010
1,114
381
In a sense, I'm happy this has happened and gained this kind of media attention, being all over my Flipboard yesterday. I think Apple will now be hard pressed to add two-step authentication, much like the one in effect for Google accounts. As well as issuing new support guidelines. These kinds of accounts are so important, and focus so much on connecting personal data and private details, that anything less should not be acceptable.

Perhaps Apple can sneak such a feature into iOS 6? :)
 

hafr

macrumors 68030
Sep 21, 2011
2,743
5
What chocks me the most is that someone working at Gizmodo doesn't have a backup...
 

FNi

macrumors member
Jul 18, 2011
45
0
This terrible story is the reason why nobody should put all their eggs in one basket (read: ecosystem). Be it Apple/Google/Microsoft. You're just asking for trouble.

Also 1 Password/Lastpass/Keypass are amazing. Use them.
 

ThatsMeRight

macrumors 68020
Sep 12, 2009
2,257
124
What chocks me the most is that someone working at Gizmodo doesn't have a backup...
Well, if you have everything on your iPad and on your iPhone and on your Macbook Air than making separate back-ups seems not necessary. You've three devices, three times the same files.
 

Compile 'em all

macrumors 601
Apr 6, 2005
4,106
205
Also Apple should allow us set a PIN on turning off an iPhone. Find my Phone is useless if all it takes is turning the whole device off. It would be a 10000 times better if who ever steals the phone can't turn it off immediately.
 

kolax

macrumors G3
Mar 20, 2007
9,186
115
Anything Gizmodo related I always raise an eyebrow to.

I'll wait to for a response from Apple before taking this story seriously.
 

Arctix

macrumors newbie
Oct 15, 2011
24
0
I also had a bad experience with iCloud some months ago. Spam mail had been sent from my @me.com account to all my contacts that were synced with iCloud. On that day a limited amount of users also reported this on the Apple forums (it was the exact same kind of spam mails that were sent to 3 iCloud contacts per mail). It was not spoofing, because the sent mails were in my sent folder! Since that day, I no longer am putting my contacts in iCloud. However, the damage has already been done, my contacts are probably somewhere in the hands of a shady corporation/individual.
 

SBlue1

macrumors 65816
Oct 17, 2008
1,475
1,646
time to change my mac account password again! :)

my account was hacked once and they just bought some in app purchases using my gift card balance. luckily i removed my credit card data at that time. apple refunded the lost balance and I had no icloud at that time. if they would get into my account now they could wipe my mac and iPad as well.

so kids do your backups so you can restore your devices. that honan dude said he had no backups so he lost all of his data when his mac was viped. :eek:
 

skinnylegs

macrumors 65816
May 8, 2006
1,417
6
San Diego
Dude had no backups? Are you kidding me? IMO that is the scariest part of this story; to think that somebody doesn't have enough common sense to back-up data. Makes me shiver!
 

ganymedes13

macrumors member
Dec 30, 2011
52
0
This terrible story is the reason why nobody should put all their eggs in one basket (read: ecosystem). Be it Apple/Google/Microsoft. You're just asking for trouble.

Also 1 Password/Lastpass/Keypass are amazing. Use them.
I had my Google account hacked during the Gawker fiasco and was never able to get it back. Luckily for me it was my garbage email account.

What I took away from it is that we're still not ready to move into the all digital age. Even local backups can get screwed up. It took one accidental drop for my Seagate external drive to break and hard drives can break for any reason that don't include a drop.

Hard copy still seems to be the best option.
 

lord patton

macrumors 65816
Jun 6, 2005
1,050
4
Chicago
Well, if you have everything on your iPad and on your iPhone and on your Macbook Air than making separate back-ups seems not necessary. You've three devices, three times the same files.
No way. You have a hard drive with all your data in your computer. You need a complete physical backup onsite, and another offsite, and maybe one in the cloud. Anything less and you can't cry foul when disaster hits.
 

Flobber88

macrumors regular
Jun 19, 2007
100
0
Also Apple should allow us set a PIN on turning off an iPhone. Find my Phone is useless if all it takes is turning the whole device off. It would be a 10000 times better if who ever steals the phone can't turn it off immediately.
Completely agree. Having a thief being allowed to turn off my phone doesn't help me at all
 

Sensa

macrumors newbie
Jul 23, 2012
25
0
So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?

I smell a rat...
 

lannisters4life

macrumors 6502
May 14, 2012
298
0
Sydney
No way. You have a hard drive with all your data in your computer. You need a complete physical backup onsite, and another offsite, and maybe one in the cloud. Anything less and you can't cry foul when disaster hits.
I don't know if this is reasonable... if your house burnt down with your Mac and your Time Machine backup, I'd still be pretty sympathetic.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
8,579
4,019
And we know this story is legit because...?

Having one reporter say something doesn't make it true. Otherwise, we'd believe everything that the National Enquirer publishes.

I do feel like Apple will make an official response, either calling the guy's lie, or diffusing the story by coming clean and saying everyone on the iCloud team came into work this weekend to fix it.