Dude had no backups? Are you kidding me? IMO that is the scariest part of this story; to think that somebody doesn't have enough common sense to back-up data. Makes me shiver!

One of the goals of iCloud ought to be never having to back anything up, because you can supposedly rely on the cloud.

Apple needs to consider some snapshot mechanism for iCloud storage... "Time Machine for iCloud".
 
Do you keep your seven backups at one spot? If so you are lucky. Going to one neighbor's house will take at least 5 minutes. If their wife is home I will have to deal with them being annoyed at me. Then you have to go through the process of backing up each drive and putting them back in each location (further annoyances).

Unless your several backups are within one mile that is some serious work. What I have of value is at least worthy of a weekly backup which means some serious work for you.

Wait, do you think I have a backup on each of the locations I mentioned earlier? I haven't, it was just examples of places one could keep them. And it's not like I go pick it up, backup my computer, then return to put it back. That's just silly and very ineffective. Why would you even think such a thing?

I have two backup drives. Every monday morning I disconnect the one that is at home and put it in my bag, I then switch it out with the drive I have lying in my desk which I bring home and use as backup drive that week.

So I alternate between two disks, one week at a time, one being at home and the other at the office and it involves about 30 seconds of extra work per week and no extra travel time.
 
I see two scenarios:

a) He was really hacked.

Me thinks the recovery e-mail address was a Gawker/Gizmodo e-mail address, used to confirm his identity and allow the hacker access to his account. Whether AppleCare did or did not help the "hacker" is irrelevant unless s/he verified the Serial # of one of the devices on his account; iCloud support is tied directly to the warranty of one of your iDevices. Therefore, unless the hacker was able to verify the serial # of an iDevice or Mac, it's highly implausible that AppleCare helped the "hacker" gain access.

b) He was not hacked but colluded with a friend and/or fellow Gawker/Gizmodo employee to create a sensational story about a "hacker" being helped by AppleCare to gain access to his account.

The latter scenario is far, far more likely since AppleCare would indeed have verified the SN# of one of his Apple devices before even discussing his iCloud account with him, or anyone else, in the first place. Apple's iCloud support via AppleCare is contingent upon phone support via warranty coverage.

The part that gives me reason to believe the latter of these two scenarios is his statement of fact, confirming with both the "hacker" and with AppleCare. (especially the former)
 
Did you read the post I responded to? He mentions several backups that he has. Add the cost of several backups, the work it takes to go to each location and back it up and you'll see how I came to my conclusion.

The funny thing is that you managed to read my post but you managed to ignore who I was replying to.

What's odd is that three other fools upvoted you while probably not understanding the context.

I was one of those three other fools, since he understood my post... I would like to claim I understand the context.
 
If his Gmail password was changed, how did he get a notification via email that it was changed? If it was linked to his iCloud, which was also reset, that means that on any of his devices he shouldn't have been able to check email without updating the stored password on the device. Password changes are instant and he would have gotten an error message had his device tried to check email or if he tried to log in on another device.

I think you mean "If his iCloud password was changed"?

and you are right, since he said he was receiving the notices from Gmail at the time:

MattHonan said:
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

This wouldn't be possible if someone changed his iCloud password. Something doesn't add up.
 
Can one of the 2-step advocates explain how you would do 2-step authentication on a phone? With another phone?

Even Google doesn't do 2-step authentication on Android...

Having just signed up for Google 2-step authentication, I can share my experience.

You log in to a web page with your 2-step authentication and request a password for the phone. You enter this password instead of your regular Gmail password. The password is a "one time use" password. Seems like a pretty safe way of doing it.
 
I find it weird how so many people here seem to think that Gizmodo hates Apple because they leaked a design that made the iPhone 4 one of the most desired devices of all time, before Apple had even revealed it and had discussed any of the features it had.

People are willing to blindly accept that Gizmodo is "anti-Apple", but they never stop to consider that the people telling them that could have an agenda of their own...
 
How about the possibility that iCloud wasn't the first password that was changed?

The hackers would need to change the iCloud password in order to read the password recovery email from Google.

He should have never received that 2nd message.
 
I see two scenarios:

a) He was really hacked.

Me thinks the recovery e-mail address was a Gawker/Gizmodo e-mail address, used to confirm his identity and allow the hacker access to his account. Whether AppleCare did or did not help the "hacker" is irrelevant unless s/he verified the Serial # of one of the devices on his account; iCloud support is tied directly to the warranty of one of your iDevices. Therefore, unless the hacker was able to verify the serial # of an iDevice or Mac, it's highly implausible that AppleCare helped the "hacker" gain access.

b) He was not hacked but colluded with a friend and/or fellow Gawker/Gizmodo employee to create a sensational story about a "hacker" being helped by AppleCare to gain access to his account.

The latter scenario is far, far more likely since AppleCare would indeed have verified the SN# of one of his Apple devices before even discussing his iCloud account with him, or anyone else, in the first place. Apple's iCloud support via AppleCare is contingent upon phone support via warranty coverage.

The part that gives me reason to believe the latter of these two scenarios is his statement of fact, confirming with both the "hacker" and with AppleCare. (especially the former)


Yes, I think you are correct. The last time I called AppleCare, the first thing they asked me for was the serial number. I wonder how the "hackers" got the serial number?
 
My 4TB backup drive is buzzing with glee :D

Does anyone know if his Dropbox account was compromised as well (as long as the password was different from iCloud's one)? I have copies of settings, documents and most important files encrypted on db.

Don't you get it?
All the accounts are tied together by the password reset feature. If they access one account with email history it will indicate all the services that can be accessed. The hackers hit 'forgot password', read the email, change the password & then delete all your stuff & the account. You can't stop them because you can't login.

This is why Apple's 'one password' system is a lousy idea.
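
The reset chain described in the post above can be audited from the defender's side. The following is an added example, not part of the original thread: it models which mailbox receives each account's reset e-mail and computes what falls once a given mailbox is taken over. All account names and the `RECOVERY` map are constructed, hypothetical data.

```python
from collections import deque

# Constructed sample data: account -> mailbox that receives its reset e-mails.
# All names are hypothetical placeholders; None means no mailbox-based reset.
RECOVERY = {
    "icloud_mail": None,
    "gmail": "icloud_mail",
    "twitter": "gmail",
    "dropbox": "gmail",
    "bank": "separate_mail",
    "separate_mail": None,
}

def blast_radius(recovery, start):
    """Accounts resettable once `start` is taken over, in discovery order."""
    # Invert the map: mailbox -> accounts that send their resets to it.
    dependents = {}
    for account, mailbox in recovery.items():
        if mailbox is not None:
            dependents.setdefault(mailbox, []).append(account)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        current = queue.popleft()
        for account in sorted(dependents.get(current, [])):
            if account not in seen:  # also guards against circular recovery
                seen.add(account)
                order.append(account)
                queue.append(account)
    return order

def single_points_of_failure(recovery):
    """Rank accounts by how many other accounts fall with them."""
    ranking = [(a, len(blast_radius(recovery, a))) for a in recovery]
    return sorted((r for r in ranking if r[1] > 0), key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for account, count in single_points_of_failure(RECOVERY):
        print(f"{account}: {count} dependent account(s) -> "
              f"{', '.join(blast_radius(RECOVERY, account))}")
```

Accounts at the top of the ranking are the ones that most need a separate recovery address and a second factor.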
 
Social engineering is the new way of getting passwords. Brute-Forcing? No way, man. Social engineering is way better.


Social engineering is new?

Tell that to Kevin Mitnick.


That Apple guy should get fired.


The Apple guy was so used to reading customers information stored on iCloud during his downtime that he felt no sense of suspicion.


You underestimate the creativity of scumbags.

Also, considering this is Gizmodo, a known fence for stolen iPhones, and a big time grudge against Apple...

As someone else said, we could have a rat in the house.


Well, we should learn from your post and others here that FANBOYS will defend anything, and they keep massive enemies lists of all who do not share their psychotic obsession.


iCloud equals iSURRENDER. Here's all my private thoughts and vital information for your viewing pleasure.

Why would anyone give up "remote access" to their device? That's a trojan. If your information is encrypted with strong encryption you don't need to worry about losing your data, so no need to think about wiping your drive with a preinstalled trojan that someone else can take control of.

Any exploit that exists on your system - no matter who put it there - can be used by someone else.
 
Well, if you have everything on your iPad and on your iPhone and on your MacBook Air then making separate back-ups seems not necessary. You've three devices, three times the same files.

Not system files, Mac App Store apps, etc...
 
3 copies of your data is bare minimum. You have data on your device. One backup local and one offsite.

While you may have more control at another location, you won't when storing it with another company.

By having data stored in multiple locations, you also have to worry more about privacy. Can your backups be read by employees? Hackers? etc?

I don't think I could trust my data on iCloud or any other service. Then again, if I created my own cloud service at home and using WebDAV and contact/calendar, how could I make it 100% secure? I can't.

So really I need a MacBook that never connects to the web and have my phone hard wired synced.

At what point does all this security become too much to the point where we don't want to use digital data?

We trust online companies too easily without questioning their security practices. And when it happens, what can we do from there?
 
Time to change my Mac account password again! :)

My account was hacked once and they just bought some in-app purchases using my gift card balance. Luckily I removed my credit card data at that time. Apple refunded the lost balance and I had no iCloud at that time. If they would get into my account now they could wipe my Mac and iPad as well.

So kids, do your backups so you can restore your devices. That Honan dude said he had no backups so he lost all of his data when his Mac was wiped. :eek:

You can't backup a Mac using iCloud.
 
Why would anyone give up "remote access" to their device? That's a trojan. If your information is encrypted with strong encryption you don't need to worry about losing your data, so no need to think about wiping your drive with a preinstalled trojan that someone else can take control of.

Any exploit that exists on your system - no matter who put it there - can be used by someone else.

Well if you lost the device it's very convenient to be able to remotely access it, as several threads have shown. David Pogue of the NYT just recently got his iPhone back thanks to it!

http://pogue.blogs.nytimes.com/2012/08/02/where-is-david-pogues-phone/

If however you don't like that feature it's very easy to turn it off.
 
1. The source isn't a credible one

2. The story doesn't add up for the reasons several people have stated

But it's a good reminder anyway to always have data in at least three places, e.g. Mac, Time Machine and Crashplan. And never to use as security info anything people could know or guess from your public posts (Facebook, Twitter, forums, etc).

It's also why I always give false dates of birth to websites: DOB is extremely useful data for identity theft.
 
Also, considering this is Gizmodo, a known fence for stolen iPhones, and a big time grudge against Apple...

As someone else said, we could have a rat in the house.

Yeah, it's not hard to be skeptical, especially coming from Gizmodo. Would anyone really be surprised if this was coordinated to create yet another sensational anti-Apple story?

Even if that's true, it does highlight the danger of putting so much power behind a single password.
 
The hackers would need to change the iCloud password in order to read the password recovery email from Google.

He should have never received that 2nd message.

I don't doubt you, but I don't follow :) Why would he need to change the iCloud password in order to read the e-mails?

A funny/alarming side note on the subject: I've changed my password on Twitter, but I haven't had to enter the new password on either OS X Mountain Lion or my iPhone!
 
Yes, I think you are correct. The last time I called AppleCare, the first thing they asked me for was the serial number. I wonder how the "hackers" got the serial number?

Maybe the hacker used his SN or a random one posted online. Does Apple really verify if that SN is tied to the account in question?
 
This does not surprise me.

My AppleID was "hacked" in a similar manner about 3 years ago. A friend of the family unwittingly had all my AppleID info changed all because she had the serial number for the iPhone that I sold her.

So if someone can change your AppleID accidentally with just a serial number I'm hardly surprised that someone could social engineer an Apple Support person if they had more specific information.

The funny thing is that it took me a long time to get my account fully restored (my ADC account was completely screwed up until I finally got someone to help me fix it last year during the account migration that they did). They kept stone walling me and treating me like the "hacker".

Basically, Apple needs to review their security policy for AppleIDs since they're even more important now.
 
I hope someone gets fired over this.

This was highly unacceptable.

That wouldn't be right. They shouldn't lose their job (especially in this economy) just because they were trying to help someone, even if it was a bit of a dumb mistake.

This is another example of how we're all a little TOO connected... and Apple's made things a bit too streamlined and linked up. No one should be able to remote wipe anything, not without going through about a dozen security checks on each device. This is really scary.

Also makes me glad I still use PowerPC-based Macs...
 