Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Support Allowed Hacker Access to Reporter's iCloud Account
- Thread starter MacRumors
- Start date
- Sort by reaction score
My offsite is kept in my desk at the office. (It's encrypted with TrueCrypt, so no danger if it's stolen.)
Usually they buzz right before they fail.
The Hitachi 4 TB drives are having a higher than normal failure rate, I hope your drive is a RAID-0 stripe of two 2 TB drives.
Using raid 0 is about the worst idea you can have for a backup. You're dramatically increasing the probability of failure by having the data dependent on two drives working.
It's be much smarter to have a raid 1 with 2 4TB drives. Or even a raid 10 with 8 1TB drives.
Luckily there aren't that many of those that are interested in stealing cell phones.
Not to mention they'd have to disable the ability to do a hard reset or dfu mode restore for it to be effective. Both of which could lead to a lot more warranty claims being made - since the iPhone does on occasion hard lock.
There is extensive proof that Apple can track iPhones with their unique ID number, even with a different SIM-card. I think it was even after it had been wiped, but not 100 % sure there...
Just look at all the posts about people getting iMessage messages aimed to the previous owner of an iPhone...
Apple accounts have major security flaws
My apple Id password was stolen and someone went ahead and bought $20 in an authorized purchases. Then, after changing my password, and calling Apple, they again made $10 worth of purchases.
Apple support were nice and refunded me all the money, temporarily locked my account until this was gone, but what I discovered is that Apple has some sort of password caching thing that basically allow hackers to continue using your account even after you reset your account.
They do need to work on this.
My apple Id password was stolen and someone went ahead and bought $20 in an authorized purchases. Then, after changing my password, and calling Apple, they again made $10 worth of purchases.
Apple support were nice and refunded me all the money, temporarily locked my account until this was gone, but what I discovered is that Apple has some sort of password caching thing that basically allow hackers to continue using your account even after you reset your account.
They do need to work on this.
You underestimate the creativity of scumbags.
Also, considering this is Gizmodo, a known fence for stolen iPhones, and a big time grudge against Apple...
As someone else said, we could have a rat in the house.
Last edited:
In a sense, I'm happy this has happened and gained this kind of media attention, being all over my Flipboard yesterday. I think Apple will now be hard pressed to add two-step authentication, much like the one in effect for Google accounts. As well as issuing new support guidelines. These kinds of accounts are so important, and focus so much on connecting personal data and private details, that anything less should not be acceptable.
Perhaps Apple can sneak such a feature into iOS 6?
So by design - important information - this cloud concept should be DOA.
Amazing that people are ready to upload their hard drives to a cloud where any employee - rogue or otherwise - can have access to their information.
This hacker is a true SAINT. I congratulate him for taking an action on behalf of the people. May the rest of you who do not learn from this suffer for it.
iPhone 4S has the CDMA antenna too, which does not require a sim card.
I actually like the idea, the only flaw with this is if the battery is close to dying, then the phone will shut down on its own. But it's better than nothing.
Absolutely. Given how much information is store in an iCloud account, 2-step is a no-brainer.
I don't think that you'd ever see a device like this where you have to enter a PIN to turn it off - it'd be a huge problem where you have to turn devices off for legal reasons (e.g. planes or hospitals).
What the f!? Why did Apple give out or reset a password without proof that that's the right person? And how the hell can you remote wipe a Mac?
Anyway, I learnt the hard way not to use iCloud: it wiped my entire iCal from my computer, and even restoring it from a backup didn't work (it kept re-deleting it on a never ending loop). Restoring the computer didn't work either as the iCloud settings are stored in the freaking cloud. So once it screws up, you can't just use Time Machine or some other backup: you're screwed and at the mercy of Apple.
Anyway, I learnt the hard way not to use iCloud: it wiped my entire iCal from my computer, and even restoring it from a backup didn't work (it kept re-deleting it on a never ending loop). Restoring the computer didn't work either as the iCloud settings are stored in the freaking cloud. So once it screws up, you can't just use Time Machine or some other backup: you're screwed and at the mercy of Apple.
I'm not sure which is funniest: that you find the cost of two external drives to be prohibitively expensive, that you think making a backup takes 14 hours of "work", or that running into a burning building to retrieve pictures is a reasonable security measure.
Well, you probably didn't mean it exactly like that. All I'm saying is backups are necessary, multiple backups are advisable, and iCloud isn't backup.
Did you read the post I responded to? He mentions several backups that he has. Add the cost of several backups, the work it takes to go to each location and back it up and you'll see how I came to my conclusion.
The funny thing is that you managed to read my post but you managed to ignore who I was replying to.
What's odd is that three other fools upvoted you while probably not understanding the context.
My point was that you dramatically increase the probability of failure by having one of the new 4 TB drives....
My twice-daily (time machine like) backups are on RAID-5 drives, but the offsite is a single 3TB USB drive.
I dont know for sure but things should be something like this...If a person calls Apple Care to reset iCloud password, Apple Care should ote down the information the caller provides and then ask that person to hang up and wait. The Apple shuld call up the phone number which was used to register the iCloud account. (Apple should add one more field in registration form of iCloud to add secondary number may be your friend/family member or home number) and then Apple should verify with the owner of the account.
Last edited:
Do you keep your seven backups at one spot? If so you are lucky. Going to one neighbor's house will take at least 5 minutes. If their wife is home I will have to deal with them being annoyed at me. Then you have to go through the process of backing up each drive and putting them back in each location (further annoyances).
Unless your several backups are within one mile that is some serious work. What I have of value is at least worthy of a weekly backup which means some serious work for you.
Unless these things have a 30% or so failure rate, a raid 0 will not be a more reliable alternative.
You can't do things like changing your password on the device (unless you use the browser - which then triggers the 2 factor auth), so that's not really important.
Some services trigger a 2 factor authentication when you login on a new device (like Xbox or Steam). From that point on, the device is trusted until you revoke the trust.
The benefit of two factor authentication isn't really in how it's delivered, it's that you use a different method to provide the second piece of data (e.g. password in web browser, code via SMS. OR password and fingerprint).
If his gmail password was changed, how did he get a notification via email that it was changed? If It was linked to his iCloud which was also reset. That means that on any of his devices, he shouldn't have been able to check email without updating the stored password on the device. password changes are instant and he would have gotten an error message had his device tried to check email or if he tried to log in on another device.
I think he's checking that now, by looking at the messages that arrived when he wasn't able to access the account.
That's not the way the story or the blog makes it out to be. The way the narrative goes is that, that email arrived and he got it in the midst of things.