I really think there need to be more security questions asked by Apple. Like name 3 of the last 10 songs purchased, or last 2 movies, etc. Then also ask your name, address, date of birth, etc. I'd rather be annoyed at answering 3-5 questions than have someone hack my account that's my email, cloud storage, iTunes, access to wipe my iDevices, etc.
This is a pretty good idea. Companies need to provide some way for people who forgot their passwords to gain entry to their accounts without making it possible only with easily farmed information. Recent purchase activity would be a good gatekeeper for Amazon and Apple. Even Gmail should ask the names of frequent contacts.

I thought last 4 digits of a credit card is way too easy until I read that Amazon only required a billing address. It is difficult to believe. Every dumpster diver and neighbor has that info.
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

He's a journalist for Wired, I don't think he needed any publicity. He was targeted because the hacker liked his Twitter name.
 
Is this TV news?.... I don't see anything fishy or overly surprising here.

Journalists of all stripes are behaving badly. Just look at Jonah Lehrer, who was fired for inventing Bob Dylan quotes. We're in a different era now, where journalists are selling themselves to the highest bidder, not just on TV but everywhere.
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

All you need to know

I'm Mat. I make magazines and websites.

I'm a senior reporter for Gizmodo

Does Gizmodo have a history with Apple?

There are no coincidences.
 
...
P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:

I agree the hacker should get in serious trouble for this kind of malicious destruction, but Mat Whats-his-name was not backing up his data so it was just a matter of time before he lost it anyway.
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

You obviously didn't read the article.

You might want to at least skim it so you don't sound quite so ridiculous when talking about it.
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

Please, read the whole article on Wired.... It says exactly why they did it.... The quote from the hacker was that he wanted Mat's Twitter username (@Mat), and that was it... The rest was just a bonus.
 
I agree the hacker should get in serious trouble for this kind of malicious destruction, but Mat Whats-his-name was not backing up his data so it was just a matter of time before he lost it anyway.

Even with a backup, with Back to My Mac on in your Time Capsule, you can remotely erase the backup file too if you like.
 
This is a good example of why two-factor authentication things like what Blizzard uses are better than any password method. They could break his password, but without the key fob they would get nowhere.
 
I really think there need to be more security questions asked by Apple. Like name 3 of the last 10 songs purchased, or last 2 movies, etc. Then also ask your name, address, date of birth, etc. I'd rather be annoyed at answering 3-5 questions than have someone hack my account that's my email, cloud storage, iTunes, access to wipe my iDevices, etc.

Billing address and last four of the credit card on file are fine for most folks.

Fact is that this isn't really Apple's fault so much as it is the registrar's fault for making those addresses public and Amazon's for not protecting the credit card info. Without those two things the hacker wouldn't have gotten anywhere with Apple regardless of whether they did or didn't ask the previous purchases question that is in the script or whatever wasn't followed.
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

Really?
 

Wow, great article. For those of you that see it as tldr;, four things:

1. Turn off Find My Mac.

2. Do not link your iCloud and Gmail accounts.

3. Turn on 2 step verification on Gmail.

4. Do not give Amazon your credit card.
 
Billing address and last four of the credit card on file are fine for most folks.

Fact is that this isn't really Apple's fault so much as it is the registrar's fault for making those addresses public and Amazon's for not protecting the credit card info. Without those two things the hacker wouldn't have gotten anywhere with Apple regardless of whether they did or didn't ask the previous purchases question that is in the script or whatever wasn't followed.

Is it also the white pages' fault? Physical addresses are just not that hard to come by. And if you have a physical address, last four of credit card is probably pretty easy if you're willing to look through someone's trash. Good security means not relying on information that's easy for other people to obtain, whether or not it *should* be easy for other people to obtain.

----------

I lost my security question answers, emailed Apple, and had them reset with no kind of verification.

It was asking me for the answers because I knew my password and was buying an app on my grandma's iPad using my account. The point was to verify that someone didn't just take my password. In the end, I didn't even need anything but my password to reset them, so that defeats the purpose. Someone was cutting corners.

But I'm glad the security wasn't so tight because I was extremely annoyed when it asked me what my first car was... I don't have a car.

Yes, the Apple "security questions" are terrible. I had to basically make up something for one of them because I couldn't find three of their possible questions with valid, memorable answers.
 
Billing address and last four of the credit card on file are fine for most folks.

Fact is that this isn't really Apple's fault so much as it is the registrar's fault for making those addresses public and Amazon's for not protecting the credit card info. Without those two things the hacker wouldn't have gotten anywhere with Apple regardless of whether they did or didn't ask the previous purchases question that is in the script or whatever wasn't followed.

This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.
 
I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

I wonder what would happen if you haven't registered a credit card number with Apple and only use iTunes Gift Cards for your purchases?
 
I feel sorry for Mat's loss of the photos of his daughter and other documents, but I find it amazing that someone who's so tech-savvy didn't have them backed up. Even if your Mac isn't on the net, stuff happens.
 
This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.
Have you read the Wired article? It really shows a failure on all parties involved, Apple -of course- but also Google (why do they show your alternate contacts to anyone?), Amazon, etc...
 
So if someone uses their Gmail account AS their Apple ID then they are asking for trouble? Even with 2 step verification and 2 different passwords for their Gmail and Apple ID?
 
Most companies only require your address for verification. It's good that Apple requires additional verification, but obviously not good enough in this case. The problem, of course, was that the hacker was able to get credit card information off of Amazon.

Now Apple could have required something else other than credit card information for additional verification. But I, for one, could not name the last three purchases I made off iTunes, as some have suggested. My credit card, OTOH, is always with me.

I hope the hacker gets nailed for this. And he might - he had to give Amazon verified credit card information to do the hack into Mat's Amazon account to retrieve Mat's credit card info. So, unless this was done by someone with access to a working stolen credit card number, or he was given a credit card after falsifying an application for it, there should be a trail leading to him.
 
Is it also the white pages' fault? Physical addresses are just not that hard to come by. And if you have a physical address, last four of credit card is probably pretty easy if you're willing to look through someone's trash. Good security means not relying on information that's easy for other people to obtain, whether or not it *should* be easy for other people to obtain.

----------



Yes, the Apple "security questions" are terrible. I had to basically make up something for one of them because I couldn't find three of their possible questions with valid, memorable answers.

If it is so easy then why did they have to go through the trouble of hacking the guy's Amazon account first?

(also they give you the option to make your own questions and answers)
 
Have you read the Wired article? It really shows a failure on all parties involved, Apple -of course- but also Google (why do they show your alternate contacts to anyone?), Amazon, etc...

Ya, the whole thing.

* Apple doesn't have proper 2 step authentication.

* Find My Mac is not set up with a fail-safe validation system.

* Apple gives out passwords like candy. If I wanted to, I could easily get ahold of someone's address and last four digits of their CC number.

* Google has 2 step verification. I just turned mine on. Agreed, they shouldn't be sending out extra information. Remove your alternate emails from Google.

* The credit card company protects me from fraudulent CC charges. I'm not overly scared that Amazon has my number or gives me the last four digits to validate which card I have on file.
 