FYI to the google haters. The hacker would have never gained access to his gmail account if the idiot had set it up correctly. Google are one of the only 'big boys' to offer something very important in security: two phase authentication. Short of stealing his phone, it would be impossible for the hacker to gain access.

But then again, let's just continue being all grown up and blame Google....it can't possibly be that Apple have a crap security process now, can it. :rolleyes:
 
Obviously there is a security hole in the system here. However, I find it hard to believe that iCloud doesn't keep an online backup of these things even if a particular device is wiped?! I kinda thought that was the whole point of the service.. especially for things like photos and stuff which this guy has complained of losing.
 
I bet you it was an inside job. Gizmodo still has a huge chip on its shoulder and I'm sure this is them getting revenge.
 
I don't know.

If somebody with bad intent would get access to my billing address and my credit card number, a remotely wiped ipad/iphone/macBook would be my least worry.

True, sometimes I wish that Apple would separate my billing account from my mail/iCloud account. And I also would like to have different accounts for AppleStore and iTunes/appStore - the first dealing with large amounts of money (credit card) and the other with cents (gift cards).

But on the other hand, I could do it myself. I don't because it is so much more convenient to have one account for everything. I would never connect FB/Twitter/whatever to my Apple account, though.

----------

Obviously there is a security hole in the system here. However, I find it hard to believe that iCloud doesn't keep an online backup of these things even if a particular device is wiped?! I kinda thought that was the whole point of the service.. especially for things like photos and stuff which this guy has complained of losing.

I have been trying now for quite a long time to delete some obsolete contacts from all my devices, but they always get re-synced. I can't believe either that it should be so easy to lose all information.

Besides, he claims he could not get access to his wiped devices - I don't understand this. And - if that "hacker" had changed the password on all email accounts, how could he contact him? Write a letter?

Too many unclear points here .... and after all, didn't it all start with a loophole in Amazon's account management?
 
...

How would they get the last 4 digits of your CC ?

This shows in the account info. but you need access to the account, something which had to be proved, unless he had physical possession of the card.

You can't prove by last 4 digits that are on file, if you don't have it, and need a password reset anyway to gain access.

Even so, I still agree, CSV should also be asked for proof as well as full CC number, as well as full expiry on card.
 
FYI to the google haters. The hacker would have never gained access to his gmail account if the idiot had set it up correctly. Google are one of the only 'big boys' to offer something very important in security: two phase authentication. Short of stealing his phone, it would be impossible for the hacker to gain access.

But then again, let's just continue being all grown up and blame Google....it can't possibly be that Apple have a crap security process now, can it. :rolleyes:

I think you misunderstood: without logging into his Gmail account, it revealed his alternative email account, which was his iCloud address.
 
I find it interesting to see the amount of people who feel they have to defend Apple against unreasonable attacks (usually by attacking someone else).

Even if the story was made up, which there is no indication of, it still calls attention to the problem of using the four last digits of your CC number as authentication along with your home address. They really aren't that secret, and what's worse is that they aren't considered sensitive.

Sure, Amazon has a more serious issue and Google can maybe approve on their password recovery solution but Apple is at fault here. The reason Google was used at all was to see if the alternative email was insecure. It was. That's Apple's fault.

Seriously, you believe that the story is made up? Even though Apple would immediately take action if that was the case? Do you guys ever listen to yourself? It's like talking to moon landing hoax people.
 
I find it interesting to see the amount of people who feel they have to defend Apple against unreasonable attacks (usually by attacking someone else).

Even if the story was made up, which there is no indication of, it still calls attention to the problem of using the four last digits of your CC number as authentication along with your home address. They really aren't that secret, and what's worse is that they aren't considered sensitive.

Sure, Amazon has a more serious issue and Google can maybe approve on their password recovery solution but Apple is at fault here. The reason Google was used at all was to see if the alternative email was insecure. It was. That's Apple's fault.

Seriously, you believe that the story is made up? Even though Apple would immediately take action if that was the case? Do you guys ever listen to yourself? It's like talking to moon landing hoax people.

Agreed, the tin-foil hattery in this thread is embarrassing.

There is plenty of fail to go around here. But on topic, the most relevant one is that you never, ever, ever use the first four or last four card digits for secure verification. Ever.

Hopefully Apple steps up on this very quickly.
 
So is the guy at the photo the reporter or the hacker???

Cause either, he looks quite ****ed up IMHO
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

You take website names that literally? You must get pissed off visiting pretty much any site then. "Facebook? I don't see any faces on books here, wtf!", "Microsoft? There's nothing small and soft on the damn site! outrage!"

----------

So is the guy at the photo the reporter or the hacker???

Cause either, he looks quite ****ed up IMHO

Yeah, he was hit pretty bad in a drive by pixellation...dark times man, dark times.
 
How would they get the last 4 digits of your CC ?

This shows in the account info. but you need access to the account, something which had to be proved, unless he had physical possession of the card.

You can't prove by last 4 digits that are on file, if you don't have it, and need a password reset anyway to gain access.

Even so, I still agree, CSV should also be asked for proof as well as full CC number, as well as full expiry on card.

The reason the full CC number is never shown is for security purposes. Do you really want customer service people to have full access to your entire credit card number? No way!

Hopefully Apple will change their protocols and not use the last 4 digits of the CC as a validation item. That information is just too wide-spread. Think about every place that info is on file. And how many times you actually let your CC out of your hands like at restaurants, etc. The last four digits is one of the least secure pieces of info we have.
 
This just highlights the big difficulty of providing security for the masses - good security is about ensuring the confidentiality, integrity and availability of data. You can throw dual-factor authentication and whatever you like at the problem to make your security more robust, but you've got to accommodate that 'availability' issue - whether you like it or not you've got to work around the fact that most of your users are going to forget their passwords and are going to need to reset them; you can guarantee that the majority won't remember any authentication questions they set their account up with, or their last 3 purchases etc. The only thing they might actually be able to recall will tend to be those things that, unfortunately, are also easy to come by such as their address etc.

Security is always a compromise between absolute security and usability, it's where you draw that line that's the challenge.
 
Love this "new" term "social engineering", what happened to the old term "******** artist"? People have always got info that they were not entitled to in such a manner. It happens all the time. And everyone should be worried- not just tech writers and celebs.

Best approach is sometimes to play the dummy (aka fool). Feign surprise and shock too. Works most of the time.
 
If the guy in the pic is the one who got hacked I can totally see why it happened. It was prob his co-workers playing a joke that went too far.
 
After reading the full story, I now believe this happened...

I'm glad that I spread my eggs in several baskets (I don't use the same email for more than one thing).

Call me paranoid but this wouldn't happen to me. Also I still haven't got an Apple ID, and finally, I don't trust the cloud (or even Dropbox), so I'm (for the time being) more or less safe. (Also I back up on external drives and spread one of those drives into different locations (tin hat alert :D ))

Sad to know that he lost all his files, maybe he can recover it by using one of those recovery tools? (shame on him for not doing a proper backup).
 
One reason to change your dictionary listed iCloud password with one of a combination of letters, capital letters, symbols, and numbers at least 8 characters long. I always thought I was the weak link in security. I suppose I'd better change my rather weak bank password too.

Let's hope the hacking is restricted to ex Gizmodo employees.

Back ups in 3 different locations here.
 
So the real story is: Amazon helps hackers steal person's identity(last 4 digits of cc).

Having your mail stolen and then getting signed up for a bunch of credit cards is similar to this situation. Amazon needs to set better security parameters before giving up your CC info at will.
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

Anyone with an iCloud account should care that his/her account can be compromised and everything lost.

The point is that people need to be aware, and this site can help to do that because this is not found on most news sites.
 
Seriously, you shouldn't toss away any document with your CC# on it in the first place.

I was not talking about documents with full CC#, but like most people, I do toss away normal shopping tickets that disclose only the last numbers. The ones that are usually displayed and the only ones that people need.

I usually pay petrol or my groceries with my card, and sometimes I forget to keep the receipts until I can destroy them properly because they disclose the only number that Apple needs.

For people living in a residential area, it is very easy to identify paper trash with the address of the owner.
 
Apple is to blame for sure, but not ALL the blame. Spread the love Amazon's way for that credit card loophole. I'm guessing there are millions out there who use the same credit card for multiple sites.
 