How a Hacker Gained Access to a Reporter's iCloud Account

MacRumors

macrumors bot
Original poster

Wired reporter Mat Honan details the exact process by which hackers had gained control of his iCloud account. The hijacked iCloud account resulted in a remote-wipe of his iPhone, iPad and MacBook Air, as well as further intrusions into his Gmail and Twitter accounts.

As previously reported, the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account. Honan details exactly how this was performed.

Apparently, Apple Support only requires an iCloud user's billing address and last-four digits of the credit card on file in order to issue a temporary password. That temporary password grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued this statement which claims that internal policies were not followed completely in Honan's case, but failed to specify exactly how:

"Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

Wired was able to confirm the reported policy themselves by successfully gaining access to another account using only those two pieces of information: a billing address and last-four digits of the credit card number.

As noted by Honan, a target's billing address is generally easy to determine by looking up a domain registration or by public white pages databases. As for discovering the last-four digits of Honan's credit card, Honan's hacker used a loophole in Amazon's security systems, which don't protect the last-four digits of their users' credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information including the last four digits of the original credit card.

Honan's intrusion seemed to be a result of a targeted effort to infiltrate his Twitter account, and a number of items had to line up just right for the hackers to gain access. The situation does reveal that the differing security processes between different providers could open up unwanted opportunities. It also seems to show that at present, a specific user's iCloud account access can be gained with those two pieces of only semi-private information.

Honan's full story about the sequence of events is an interesting read.

Article Link: How a Hacker Gained Access to a Reporter's iCloud Account
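
The chain described in the article can be checked as a small threat model. This is an added example, not part of the original article or thread: each support procedure is a rule mapping facts a caller presents to facts the caller gains, and a closure over those rules shows whether an account is reachable from discoverable information. All step and fact names are hypothetical labels; treating name and email as discoverable, and the `out_of_band_code` factor in the hardened variant, are assumptions.

```python
# Constructed model of the support procedures described in the article.
# Each entry: (step, facts the caller must present, facts the caller gains).
# All fact and step names are hypothetical labels, not provider terminology.
POLICIES = [
    ("amazon: add a card by phone",
     {"name", "email", "billing_address"}, {"caller_added_card"}),
    ("amazon: add an email by phone",
     {"caller_added_card"}, {"amazon_account_view"}),
    ("amazon: read account page",
     {"amazon_account_view"}, {"card_last4"}),
    ("apple: temporary password by phone",
     {"billing_address", "card_last4"}, {"icloud_access"}),
]

# Assumption: name and email are treated as discoverable like the billing address.
PUBLIC = {"name", "email", "billing_address"}

def reachable(policies, start):
    """Fixed-point closure: apply every step whose requirements are met."""
    known, path = set(start), []
    changed = True
    while changed:
        changed = False
        for step, need, gain in policies:
            if need <= known and not gain <= known:
                known |= gain
                path.append(step)
                changed = True
    return known, path

def exposed(policies, start, asset):
    """True if `asset` can be obtained starting from `start` facts alone."""
    return asset in reachable(policies, start)[0]

def choke_points(policies, start, asset):
    """Steps whose removal alone makes `asset` unreachable."""
    return [s for i, (s, _, _) in enumerate(policies)
            if not exposed(policies[:i] + policies[i + 1:], start, asset)]

# Hypothetical hardening: the reset also needs a factor no other step discloses.
HARDENED = POLICIES[:3] + [
    ("apple: temporary password by phone",
     {"billing_address", "card_last4", "out_of_band_code"}, {"icloud_access"}),
]

if __name__ == "__main__":
    print("original exposed:", exposed(POLICIES, PUBLIC, "icloud_access"))
    print("hardened exposed:", exposed(HARDENED, PUBLIC, "icloud_access"))
```

Every step in the modelled chain is a choke point, so a change at either provider is enough to break it in this model.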
 

faroZ06

I lost my security question answers, emailed Apple, and had them reset with no kind of verification.

It was asking me for the answers because I knew my password and was buying an app on my grandma's iPad using my account. The point was to verify that someone didn't just take my password. In the end, I didn't even need anything but my password to reset them, so that defeats the purpose. Someone was cutting corners.

But I'm glad the security wasn't so tight because I was extremely annoyed when it asked me what my first car was... I don't have a car.
 

Zmeiler

Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.
 

pwhitehead

This happens to a lot of Facebook accounts; this is why they made all accounts @facebook.com. Back when AOL and AIM first were around and Facebook rolled around, people registered email addresses that they don't have a need to log into anymore. This is because they used Facebook to communicate on another level. With no activity to these email accounts for a year or so without logging in, the account becomes inactive. So I can actually register the same email as if it were my own, and then do a pw recover on the Facebook account and you're in.
 

brentsg

This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.
 

nagromme

Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and this incident shines a light on the problems. What’s scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:
 

faroZ06

> This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.

That's because the media needs a surprise to get people's attention. Microsoft accounts got hacked? Every person I know who uses MSN has had their MSN account broken into, so no surprise there.
 

fawlty

One thing Apple could consider in response to this - split "Find My Device" and "Allow Remote Wipe" into separately switchable options?
 

Marcus-k

> Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).
>
> If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)
>
> I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.
>
> Something NEW is needed to make security usable AND effective for all of us, and this incident shines a light on the problems. What’s scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.
>
> P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:

Google isn't even mentioned in this article?
 

faroZ06

> One thing Apple could consider in response to this - split "Find My Device" and "Allow Remote Wipe" into separately switchable options?

Or have the whole "Find my iPhone" service be separate from iCloud in that you can make it require a different password and/or some other info.
 

unplugme71

I really think there needs to be more security questions asked by Apple. Like name 3 of the last 10 songs purchased, or last 2 movies, etc. Then also ask your name, address, date of birth, etc. I'd rather be annoyed at answering 3-5 questions than have someone hack my account that's my email, cloud storage, iTunes, access to wipe my iDevices, etc.
 

heov

Solution: Apple needs better security. More than last 4 digits of CC and billing address should be required.
 

faroZ06

> Given the standards of journalistic ethics these days I am 90% sure that this entire "crisis" is invented, there is no hacker, and it's a PR student for Google.
>
> It's already established that 50% of TV news is faked, not that the general public knows or cares any more.
>
> http://prwatch.org/spin/2011/03/10471/fox-be-fined-fcc-fake-news-cmds-complaint-video-news-releases-nets-new-fines

Is this TV news? And if a Google account reportedly got hacked, would you also say that you are 90% sure that it was a fake set up by Apple? I don't see anything fishy or overly surprising here. If you can see my earlier comment, some Apple security employees aren't doing their jobs right.
 

MacDav

Fishy

This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.