Apple Support Allowed Hacker Access to Reporter's iCloud Account

[lord patton]

I don't know if this is reasonable... if your house burnt down with your Mac and your Time Machine backup, I'd still be pretty sympathetic.

Well, I can't argue against a generous heart like yours.

Nevertheless, your sympathy won't get my data back. It's exactly because of the possibility of a fire (or burglary) that I won't let all my backups be in one physical location. **** happens, and I will not lose my data to carelessness.

 

[Creep89]

Social engineering is the new way of getting passwords. Brute-Forcing? No way, man. Social engineering is way better.

 

[hafr]

Well, if you have everything on your iPad and on your iPhone and on your Macbook Air than making separate back-ups seems not necessary. You've three devices, three times the same files.

There is nothing in the story, or the original blog post, to point to him thinking that was enough. He actually says himself he didn't use backups, and my guess is it's pretty unlikely he had everything on all three devices...

I don't know if this is reasonable... if your house burnt down with your Mac and your Time Machine backup, I'd still be pretty sympathetic.

So would I, but if you have the opportunity to store an off site backup and don't do it - you're taking a risk. No matter how small it is, it's still a risk.

I mean, you've got your house insured for the fire hazard, so not storing an off site backup of your photos etc. is inconsistent reasoning...

 

[striker33]

If I was him I'd be demanding some serious compensation. Something along the lines of free iDevice upgrades for life.

And if that failed, I'm sure the threat of a nice little article on Apple Security (or lack of) in the next issue of Wired would be a nice little hand to play.

 

[ganymedes13]

No way. You have a hard drive with all your data in your computer. You need a complete physical backup onsite, and another offsite, and maybe one in the cloud. Anything less and you can't cry foul when disaster hits.

Where do you keep this offsite backup? At a bank? If so that means that anytime you have what you deem a significant backup your Mac or iOS device you'll have to travel to the bank, bring it home to backup that drive and then bring it back to the bank.

That is something that most won't have the time to go through. Most would view it as more effort than it's worth.

 

[Dustman]

Whoopsie Apple! But seriously, no human-being can be completely immune to manipulation by another person. I'm sure Apple will be more strict on security policies following this unfortunate incident, but people are people, and are prone to having lapses in good judgement. As someone who's been in customer service for big companies for a while, it is very hard sometimes to say no to someone you believe is a legitimate customer. I know I've let it slide before.

 

[hafr]

Having one reporter say something doesn't make it true. Otherwise, we'd believe everything that the National Enquirer publishes.

When did they start letting reporters write their stories?

I do feel like Apple will make an official response, either calling the guy's lie, or diffusing the story by coming clean and saying everyone on the iCloud team came into work this weekend to fix it.

Not likely. One single user who got hacked due to one single employee's mistake (who doesn't even have to be employed by Apple). Why would they spend a single second denying or confirming this story?

 

[charlituna]

Apple really needs 2-step authentication (Google offers it, and it works really great).

I hope they're able to restore his information from his Macbook Air.

Apple wouldn't be able as they don't keep backups, that is the users responsibility. And before any one suggests it, no they will not pay for data recovery if you didn't. Terms and conditions, even under Apple Care, they warranty their hardware and thats it. Even with iCloud they don't 100% guarantee your data won't ever be lost.

As for Honan, I wouldn't be so quick to blame Apple. We don't know what steps are taken in such matters to know if the questions asked were ones he'd given out the answers to. This could be another case like my older brother who got his email hacked because he posted his birthday on his Facebook and his security question was 'my greatest love' which was the car he restored by hand and talked about on his Facebook, with photos by the dozens. Matt made ultimately be a victim of something similar. In which case Apple can't really be blamed

 

[ChazUK]

A concerning story but a bit hard to swallow entirely with only one side of it.
If true then hopefully whoever made the mistake never does so again.

I guess we'll have to wait and see where this goes.

 

[Porco]

Apple today released iSupportEmployee 1.8, which includes several security upgrades to the previous version, such not changing people's passwords when an imposter calls them, being careful wth users security details and generally not getting played.

iSupportEmployee 1.7 has been retired to the back office putting Apple stickers in various product boxes.

Apple has not commented on what has happened to iSupportEmployee 1.6, but it probably isn't looking good for them right now.

----

P.S. I read this story whilst there is heavy rain and thunder outside. Hilariously apt.

 

[hafr]

Where do you keep this offsite backup? At a bank? If so that means that anytime you have what you deem a significant backup your Mac or iOS device you'll have to travel to the bank, bring it home to backup that drive and then bring it back to the bank.

That is something that most won't have the time to go through. Most would view it as more effort than it's worth.

At a neighbours' house, in your parents' house, in your kids' house, at work, in the car, in the boat... In short, somewhere where you spend time regularly and the picking up/dropping off doesn't become a chore.

 

[ThatsMeRight]

Apple wouldn't be able as they don't keep backups, that is the users responsibility. And before any one suggests it, no they will not pay for data recovery if you didn't. Terms and conditions, even under Apple Care, they warranty their hardware and thats it. Even with iCloud they don't 100% guarantee your data won't ever be lost.

As for Honan, I wouldn't be so quick to blame Apple. We don't know what steps are taken in such matters to know if the questions asked were ones he'd given out the answers to. This could be another case like my older brother who got his email hacked because he posted his birthday on his Facebook and his security question was 'my greatest love' which was the car he restored by hand and talked about on his Facebook, with photos by the dozens. Matt made ultimately be a victim of something similar. In which case Apple can't really be blamed

If you read the story, than you'd have found out that he went to the Apple Store and that Apple will try to recover the data.

If you remote wipe your iPhone, iPad or Macbook Air your data isn't deleted. It is basically made invisible. The data on these devices are encrypted and each have a unique code to 'unlock' the data. When you perform a remote wipe, the unique code (to 'unlock' the data) is removed, but the data is still there.

Compare it to deleting a photo on your PC or Mac: you might have deleted it (and even emptied the trash can), but it's still on your hard disk and with the right tools it could be retrieved. The data will only be lost as soon as you start writing new data over the old 'deleted' files.

 

[KALLT]

Well, if you don’t have a backup available, that is your own risk. iCloud isn’t nearly as reliable as to offer a proper alternative. But I also think the discussion about the backup misses the point here.

What I find much more bothersome is that a security feature has been abused in such a way as to completely lock out the user in case the iCloud account is compromised. If I happen to use my iCloud for everything, including e-mail, the risks involved when someone else gains access are considerable. Not only can website accounts be stolen, but also all iDevices be locked or wiped. And if the weak spot is actually Apple itself, than that is concerning.

Perhaps it would have been a good idea to keep Find my Mac separate from iCloud, just as it is on iPhone. Before I got iCloud, I was able to use one of my Apple IDs.

 

[lord patton]

Where do you keep this offsite backup? At a bank? If so that means that anytime you have what you deem a significant backup your Mac or iOS device you'll have to travel to the bank, bring it home to backup that drive and then bring it back to the bank.

That is something that most won't have the time to go through. Most would view it as more effort than it's worth.

The offsite backup is at a nearby friends house, to which I travel with my laptop several times a week anyway. I backup to this drive once a month or so. So I'm not covered completely, but being able to get back everything but the last couple weeks is *a lot* better than losing everything.

Online backup could be fine, too, provided it's a complete backup (which iCloud is not).

 

[Dr McKay]

That could never happen in Europe. Apple support here is unfriendly and would never ever do a "favor".

Apple support have been nothing but kind and helpful to me on the fair amount of times I've had to use them. (Apart from 1 single phone assistant)

 

[charlituna]

that honan dude said he had no backups so he lost all of his data when his mac was viped.

That kind of answers my question. Dude is supposed to be so smart but doesn't back up his stuff. And hasn't changed his password in 7 years. Makes me wonder about his security questions.

And there's a comment in his tale of woe about how he couldn't reset his google password because his phone had been wiped so he couldn't get a text message. I'm hoping he just wrote a bad sentence cause two minutes of set up screens and you have a working phone. If that's what he meant rather than simply the hacker deleted that option from the google account, I definitely don't discount the notion he gave up the answers on his blog, etc somehow.

----------

Well, if you have everything on your iPad and on your iPhone and on your Macbook Air than making separate back-ups seems not necessary. You've three devices, three times the same files.

You iTunes backup your iPad and iPhone to your computer and those become part of the data time machine or whatever backs up to your hard drive. Easy as pie

 

[racer1441]

Well, if you have everything on your iPad and on your iPhone and on your Macbook Air than making separate back-ups seems not necessary. You've three devices, three times the same files.

No. That is not a back up at all.

1 copy on your device, 1 copy on media type a (cd, DVD, external hd) on site, 1 copy on media type b off site, 1 copy on a cloud service.

That's how you back up.

 

[ryuworks]

Nothing went wrong here... Honan worked for Gizmodo.

 

[derangedcow]

Now that's good customer service

 

[atMac]

And we know this story is legit because...?

Having one reporter say something doesn't make it true. Otherwise, we'd believe everything that the National Enquirer publishes.

I do feel like Apple will make an official response, either calling the guy's lie, or diffusing the story by coming clean and saying everyone on the iCloud team came into work this weekend to fix it.

Because it was being posted on 4chan as it went down. I was watching the thread on it yesterday in /g/. A 4channer did it, He was angry because for being a computer writer he seemed to have no idea how computers or any other technology work.

 

[Puevlo]

The guy is a big mouth writer. It's probably very simple to pretend to be him over the phone. He has likely put all sorts of personal details about his life online.

 

[charlituna]

So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?

I smell a rat...

I'm not shocked at the idea that the hacker might contact the victim, especially when it seems to be personal. It's the comments implying that Apple admits what happened that I find a little suspect. I don't believe that Apple would say as implied 'yeah we we stupid and were fooled by this guy'. What I would believe is that if someone asked 'is there a way I could contact someone and have my password reset if say I don't have access to my email and I never put on a security question' they would say yes tech support can help you with that, and Honan made a leap.

I suggest everyone try contacting tech support for such help and see the process for yourself before judging Apple as to blame for this.

 

[endless17]

Nothing went wrong here... Honan worked for Gizmodo.

stay classy.

 

[ganymedes13]

At a neighbours' house, in your parents' house, in your kids' house, at work, in the car, in the boat... In short, somewhere where you spend time regularly and the picking up/dropping off doesn't become a chore.

Each of those situations carries it's own risks and problems.

The cloud is meant to be the solution for this and I think it will be eventually. What most can hope for is that Apple increases their security and, hopefully, their recent acquisition of AuthenTec increases security locally and in the cloud.

 

[Michaelgtrusa]

What is next?