Apple Support Allowed Hacker Access to Reporter's iCloud Account

[deathmuffin]

Hahahah

Thats why you don't post personal information on the internet, while I agree apple should have higher security its not their job to police evil people. As for adding security like google using those key-encriptions they are breakable just like any other system probably because the guy who designed it has told others how to get around it. Like wise the technology is probably patented and apple will have to try to come up with its own secure variation that is a lot easier said then done. Seriously I don't understand how everyone cant see this. There are bigger concepts at work here then just saying it got "hacked"

 

[webbuzz]

Others are coming forward now saying this has happened to them.

Apparently the developers of the MyBB.com bulletin board software experienced the same 'social engineering' attack against their iCloud account:

http://blog.mybb.com/2012/06/02/well-be-back-soon/

Horrible stuff to read this.

From the article: Emphasis on the bolded text.

The story to date
There are still a few missing pieces, but at this stage we have a pretty clear understanding of what happened. Contrary to what has been posted elsewhere, we do not believe social engineering was the culprit, although the hackers did try unsuccessfully to gain access to several of our accounts via this method.

The main incident that lead to the breach was a compromise of Chris’ personal Apple ID (iCloud, etc) account. From there, the hackers were able to reset passwords to our hosting and domain accounts. It’s still not clear how they got access to this account, however they also had numerous personal details about Chris, including contact details and knowledge of at least the last four numbers of his primary credit card.

Fortunately SoftLayer (our host) called Chris when his password was reset which alerted us to the situation unfolding and all public access to the server was shut off soon thereafter. As far we can tell they were not able to log into our server and do not have copies of our databases. We have been very pleased by the response we received from SoftLayer and without their vigilance the situation could have been far worse.

While Chris was trying to reset his passwords to NameCheap (our Domain Registrar at the time) and Apple ID accounts, the hackers even went as far as to remote wipe his iPhone via iCloud to prevent him from having 3G access. Unfortunately they successfully took control of Chris’s NameCheap account and redirected the domain to their defacement page, later we discovered they even tried to transfer the
domain.

Edit: "Horrible stuff to read this." But, you didn't read it.

 

[PinkyMacGodess]

Nice...

You are only as secure as the weakest link. Apple... I'd be very embarrassed...

 

[KnightWRX]

"Ok, Sir, hang up now and I'll call you back on the phone number registered on your account."

Yep, that's a callback verification, something I pointed out as a possibility earlier but that apolloa keeps ignoring. There's also mailback or simply verifying the identity with other information found in the account that only the holder would know (list of last transactions, other information fields).

The security questions are not the only way to identify someone nor is it invalid to use other methods.

We do not know what the "Clever social engineering" was in this case, there is no statement as to what actually happened.

----------

Nice...

You are only as secure as the weakest link. Apple... I'd be very embarrassed...

Can you tell us what Apple did wrong from the information posted ? What you would have done differently ?

*sigh*, do people even bother to read the articles anymore or just gun straight to the forums after reading the headlines ?

 

[djtech42]

I've always worried about the fact that a device getting wiped is just one password away...

They need more security, even if it is just in the Find My iPhone section of iCloud.

 

[webbuzz]

*sigh*, do people even bother to read the articles anymore or just gun straight to the forums after reading the headlines ?

I agree...It's ridiculous.

 

[Nova Sensei]

Haven't read the thread, but this smells suspiciously of a reporting looking for attention.....

 

[kiwiboi87]

i think its fake
iv tried to recover a forgotten password from applecare(via email)
and it took me a good few days, answering different questions etc

and also, with a mac or any pc for that fact. why the hell don't you have some form of backup? its his own fault "if" he lost his info.
i make sure i back everything up every few days,
just to be safe

 

[conradwt]

I had my Google account hacked during the Gawker fiasco and was never able to get it back. Luckily for me it was my garbage email account.

What I took away from it is that we're still not ready to move into the all digital age. Even local backups can get screwed up. It took one accidental drop for my Seagate external drive to break and hard drives can break for any reason that don't include a drop.

Hard copy still seems to be the best option.

After installing Mountain Lion on my desktop/laptop, I have started using its ability to backup to multiple external drives using TimeMachine. One drive will remain local and the other wil be offsite. The plan is to rotate these drives every other week or so until it feel right for me.

 

[webbuzz]

i think its fake
iv tried to recover a forgotten password from applecare(via email)
and it took me a good few days, answering different questions etc

and also, with a mac or any pc for that fact. why the hell don't you have some form of backup? its his own fault "if" he lost his info.
i make sure i back everything up every few days,
just to be safe

Yep. He was on TWiT earlier, nothing he said made sense, and he mentioned several times "I am writing an article for Wired" and it will explain more.

 

[Macyourdayy]

apple sucks as usual eh?

Nothing suspicious here - new iPhone coming soon, Sumsang close to being exposed in the courts, possibly a mini ipad coming, computer nerd reporter type with special unique password, no backups, Gizmodo/Wired involvement, $millions/billions involved, axes to grind, etc, etc...
Nope, nothing strange going on here. Oh, don't forget, Apple is evil and it sucks and all their stuff is for losers (who want to lose their stuff).
Yeah.

 

[webbuzz]

Nothing suspicious here - new iPhone coming soon, Sumsang close to being exposed in the courts, possibly a mini ipad coming, computer nerd reporter type with special unique password, no backups, Gizmodo/Wired involvement, $millions/billions involved, axes to grind, etc, etc...
Nope, nothing strange going on here. Oh, don't forget, Apple is evil and it sucks and all their stuff is for losers (who want to lose their stuff).
Yeah.

Like this

http://twitter.com/mat/status/232220254619725824

 

[KnightWRX]

he mentioned several times "I am writing an article for Wired" and it will explain more.

Good, maybe the missing details will be there and we'll know more how this was pulled off and if it is Apple's policy that is deficient or not.

Let's hope the MacRumors staff update the original article when the information becomes available.

 

[DVD9]

I've always worried about the fact that a device getting wiped is just one password away...

They need more security, even if it is just in the Find My iPhone section of iCloud.

It's a gimmick.

Apple should offer and encourage the use of strong encryption that cannot be accessed by another human being.

 

[kiwiboi87]

the fact he has talked to the hackers, tells me theres something not right.
i think its all a setup on his part, to try and show a point.

 

[bonelyfish]

Hacking? Can we use a better word.

Hacking was used too deliberately to include anyone breaking in a protected circumstance almost to the case of stealing an access card to a data center. Don't we have better English word to describe it?

 

[johnnyrb]

Not cool!

 

[Dustman]

This is what annoys me. The extra security in Mac OS made for idiots who open stuff from suspicious DMGs and ZIPs is really tiresome.

Not just Mac OS. I remember when Windows XP came out, pre SP1. Not a single warning or pop up preventing you from opening any EXE you could get your hands on. Now with SP3, you get like 3-4 warnings from the time you click download til the time the application actually opens. Add one more for Vista/7. And there is absolutely no way to turn off the file warnings.

OT: I really hope they aren't too hard on the rep who allowed the password change. ***** happens.

 

[charlituna]

You still don't understand do you? The Apple agent completely failed to follow DPA processes and was fooled into giving the sensitive information away.

Were you listening to the actual conversation? No. So you really can't say what happened. You have only Mat's comments and he's not about to admit what really happened (assuming he actually knows) in detail if it makes him look like a bigger moron

You don't need to post your password on your blog.

You really think that's the only info you can give up that gives someone access to your stuff. It's not. Thinking like yours is how folks find themselves hacked

----------

How do you know the Apple agent didn't follow his internal procedures ? The article and twitter posts don't even claim so. They only claim the security questions were bypassed, not that no authentication took place.

Yep. The questions being referred to could be just the user created ones from the initial account creation. Which like the password could be 5-7 years old. So 'I don't remember isn't that shocking and they go on to phase two. Or they don't bother asking those questions since if you knew the answers you don't need to be talking to them

But it doesn't mean that Apple doesn't have their policies etc to verify who they are talking to or that didn't give out the information somehow

 

[pdjudd]

Were you listening to the actual conversation? No. So you really can't say what happened. You have only Mat's comments and he's not about to admit what really happened (assuming he actually knows) in detail if it makes him look like a bigger moron

Not to mention that we don't know what is accurate and what isn't simply because some of Matts intel comes right from the hacker whom we don't know who he/she is and we don't know what information they are providing and if it was accurate or not. I don't necessarily trust a person who just admitted to a computer crime and neither should we.

 

[charlituna]

I can tell you comfortably if the password was not asked for or an account number etc. DPA was breached if this follows the same rules as the UK does.

IF it follows the rules. Now it is revealed that you accused Apple, without proof, of violating legal procedures you don't even know exist.

AND you are claiming to know what happened based on the vague words of the victim who is supposed to be some in the know tech writer. Of course he would never lie especially to make himself look less stupid

----------

Sometimes my bank calls me and asks me to prove I'm me. They are basically training people to hand over the exact information needed to impersonate you over the phone to any random person who calls.

A smart person hangs up the phone and calls the bank back. That way you know it's not someone that randomly called.

Those that aren't smart enough to do that in this day and age deserve what they get.

----------

As I said, the law in Canada is very different. The comments you make here would get you fired very quickly and possibly investigated at my company.

You need to get off this train. You have no real information about what went own. This is NOT Canada or the UK and you have admitted you don't know the US laws. So you have no place to be placing blame

Same for your digs on other companies and their security.

----------

"Ok, Sir, hang up now and I'll call you back on the phone number registered on your account."

And?

How do they know it's really me and not you with my phone? They don't. So they still have to validate who I am so why the phone dance when it don't really prove anything.

----------

Not to mention that we don't know what is accurate and what isn't simply because some of Matts intel comes right from the hacker whom we don't know who he/she is and we don't know what information they are providing and if it was accurate or not. I don't necessarily trust a person who just admitted to a computer crime and neither should we.

What's amusing is folks taking Mat at his word over who is to blame etc and the reason for the attack is allegedly this hacker being pissed off that Mat fronts himself as some kind of expert when it's clear he's not. Which is why it was felt he needed to be taught a lesson.

 

[Dglory]

As someone who knows a few things about iCloud and about AppleCare I can say without a doubt that the only way that this "hacker" would have had AppleCare assist in resetting the password would be if the "hacker" knew way more about Mat's personal info than Mat should have EVER let into the public. I'm not talking about addresses/phone numbers/DoB. I'm talking about answers to security questions, CC details, highly unique personal info saved in the cloud.

Without such info no AppleCare rep in the world would assist in a PW reset.



And before you say anything about up grading security remember this... Apple received a massive amount of complaints last time they updated security. Security comes at a price that most people are not willing to pay.

 

[pdjudd]

What's amusing is folks taking Mat at his word over who is to blame etc and the reason for the attack is allegedly this hacker being pissed off that Mat fronts himself as some kind of expert when it's clear he's not. Which is why it was felt he needed to be taught a lesson.

I'm willing to take Mat at his word - trouble is, we don't know if Mat's information that he bases his conclusions on makes any sense. Right from the get go he says Apple confirmed. We have no confirmation since Apple hasn't publicly even acknowledged it happened at all and thusly we only have the words of two people and one of those is highly suspect as an admitted hacker. We have so many pieces of information and we can't verify the details.

 

[accidental]

It was just a few days ago that my brother bought an iPhone — he previously owned an iPod Touch — and was required to authenticate the new device by answering the three security questions. He had forgotten the correct answers (had foolishly rushed through the question creation process) so couldn't log into his iTunes account on the new iPhone.

The only recourse when you forget your security questions is to contact Apple and ask them to reset them. This was a major hassle for him but after three calls complaining to Apple Support he finally managed to get them to reset them.

Thankfully this happened BEFORE the Mat Honan debacle because now there's no way in hell anyone from Apple Support is going to let a customer reset their security questions over the phone even if they legitimately forgot them.

Any system like this needs a way for legitimate customers who have forgotten to be able to not be locked out of their account for life. It was this weakness that the hacker exploited.

 

[faroZ06]

Not just Mac OS. I remember when Windows XP came out, pre SP1. Not a single warning or pop up preventing you from opening any EXE you could get your hands on. Now with SP3, you get like 3-4 warnings from the time you click download til the time the application actually opens. Add one more for Vista/7. And there is absolutely no way to turn off the file warnings.

OT: I really hope they aren't too **** the rep who allowed the password change. ***** happens.

I can't even use my security DVR's HTTPS site because it requires ActiveX, which only exists in IE, and when I go there, it says that it cannot verify the publisher of this ActiveX controller and doesn't let me use it at all. Windows 2000 was way less annoying than XP and pretty good.