Wow, great article. For those of you that see it as tldr;, four things:

1. Turn off Find my Mac.

2. Do not link your iCloud and GMail accounts

3. Turn on 2-step verification on Gmail.

4. Do not give Amazon your credit card.

Don't use iCloud or any Windows-type hub in the sky. This type of tech is the pot of gold for hackers. BTW, it is also a big pie for Apple and Microsoft to cut up. It is nice when it works, but it has serious security issues that are very difficult to remedy. If you really take a minute to think about it, most of what it offers is not needed. A large desktop in your home, a removable password-protected OS X card, an {iPad/iPhone} and a desktop at work. Fingerprint reader on all 3 and just pull the OS X card from one unit to the next.

You are mobile, you are in sync with your own stuff. Just have one restriction on the mobile device: it only links to your two desktops, not to Apple.

So all downloads from the App Store are onto your desktops. BTW, to Apple and/or any hub in the sky: if you do this, I said it first, I want a cut from the pie.
 
yep

I wonder what would happen if you haven't registered a credit card number with Apple and only use iTunes Gift Cards for your purchases?

Yep - that would be me, but to be fair, if I hadn't been warned not to put a CC on my Apple ID, I would have... 9pm, installing iTunes and wanting to get it all working etc.
 
I see no reason to believe a small time journalist. He's just seeking his 15 minutes of fame.

Another faker:

http://www.newsday.com/news/nation/...orker-after-faking-bob-dylan-quotes-1.3872112

He has been in the industry for years, not exactly a new blip in the Tech news scene.

Regardless,

This incident puts a key spotlight on the all-too-common lackadaisical attitude many (including myself at times) have with regard to the personal security of their internet lifestyle.

Hoax or not, the overall benefit outweighs the potential fame this individual could have gained.

The big-picture item I took away from this incident is to NOT link my online accounts to a single point of failure. Making it harder for an attacker to gain access to a secondary email account, or other online service, is a good point to take away from this.

Yes, the cloud account was accessed; however, a few key things could have been done to make it harder for an attacker to also gain access to his Twitter and Gmail.

Security is more than just passwords.
 
If Gizmodo has any sort of journalistic integrity...(they don't)

In a few days/weeks, when this story's died down, they'll explain what they did to leave themselves open. They'll take personal responsibility and fess up to where they went wrong.

But no one in the media does it, and I'm certainly not expecting it to happen here.
 
FYI to the Google haters. The hacker would have never gained access to his Gmail account if the idiot had set it up correctly. Google are one of the only 'big boys' to offer something very important in security: two-phase authentication. Short of stealing his phone, it would be impossible for the hacker to gain access.

But then again, let's just continue being all grown up and blame Google....it can't possibly be that Apple have a crap security process now, can it. :rolleyes:

Yahoo offers two factor authentication as well :rolleyes:
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this, trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

Read the whole article on Wired. According to the hacker, this was not about wiping the devices or about any of the accounts, but rather, getting the "@mat" handle.

----------

In a few days/weeks, when this story's died down, they'll explain what they did to leave themselves open. They'll take personal responsibility and fess up to where they went wrong.

But no one in the media does it, and I'm certainly not expecting it to happen here.

Did you read the article on Wired? The guy does say that there are several things he did wrong that allowed this situation or made it worse. So it won't be days or weeks; it has already happened, despite your expectations to the contrary.
 
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

Holy cow, you're nuts man! I'm glad this is being discussed here as a user of iCloud, Amazon, Gmail, Twitter, etc.
 
Read the linked articles on Wired…it's well worth reading

You obviously didn't read the article.

Please, read the whole article on Wired.

Have you read the Wired article?

Read the whole article on Wired.

That's exactly what they want you to do. It's the main reason of the whole story. Making PR for Gizmodo and Wired in the silly season.

After reading the full story, I now believe this happened...

And the trick obviously worked pretty well. The Wired article seems to be well written and believable (personally I've read only the MR wrap-up). No wonder, the guy is a professional writer and editor. I have been in the media biz too long to be able to believe such stories. It's a typical Agent Provocateur act at its best. Maybe it helps to improve security; then there would be some benefit for us. Other than that: let it be…

http://en.wikipedia.org/wiki/Agent_provacateur
 
There have been threads on this very forum before about how Apple needs to beef its security up, especially with their increasing focus on iCloud and the importance of your Apple ID. I hope this debacle acts as a serious wake-up call. You can blame the user for his errors, you can blame Amazon, you can blame everyone else in some way, but it's all irrelevant - Apple need to get their house in order too.

And for all you conspiracy theorists that this was some kind of set-up - it doesn't matter. The same applies. It doesn't matter what others did, unless the entire story is a lie, Apple messed up here, and need to improve their security.
 
Time Machine Dood!

I don't know why anyone with a Mac would not be using Time Machine?! Especially if you have anything remotely important on your machine. It's one of the best features about having a Mac IMHO.
 
Did you read the article on Wired? The guy does say that there are several things he did wrong that allowed this situation or made it worse. So it won't be days or weeks; it has already happened, despite your expectations to the contrary.

So, if he did several things wrong by his own admission, that is now Apple's, Google's and Amazon's fault?

I do know that Apple accounts can be hacked. Either via a dishonest employee, error in processing (I know not a hack) or in some way.

Happened to me.

So, maybe a good idea is to switch all payments where possible to pay via Paypal.

For starters, I think all companies should stop using an e-mail address as the login ID.

It is too easy these days to get somebody's e-mail address.
 
I don't know why anyone with a Mac would not be using Time Machine?! Especially if you have anything remotely important on your machine. It's one of the best features about having a Mac IMHO.

And what about the stories of all the Time Machines breaking around the end of the warranty?
 
Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

I'm actually grateful Google gives a redacted version of one's email. My dad had forgotten his Gmail password (I made him one but he only used his old Hotmail) so I did the forgot my password for him and waited for the email to show up in his Hotmail account. I would have been waiting forever because he had listed an old and deleted Earthlink email as his recovery email. That way I knew where I needed to look to get him access again.

If the hacker saw @earthlink I don't know if he would have been able to use this method (not sure what sort of measures Earthlink requires).

There were two reasons the redacted email on Gmail hurt this victim: 1) Apple ID, and 2) using the same ID everywhere made it easy for the hacker to know what account to ask about.

----------

I don't know why anyone with a Mac would not be using Time Machine?! Especially if you have anything remotely important on your machine. It's one of the best features about having a Mac IMHO.

Exactly.
 
I'm much more scared about the Amazon trick. Adding a second CC using only your billing address, name and e-mail over the phone? Then using that added information to add a second e-mail address? Now that is scary. There is no information required to add information to your account in the first call. Then the second call gives them full access based on the information added in the first.

Amazon needs this fixed.

Apple requiring the last 4 digits of the CC and a billing address is a bit better, but it's still weak. The last 4 digits are easily obtainable information. At least they don't require different levels of identification for account modifications. They should either increase the identification information they have or ask more questions with the information they do have (last few apps/songs purchased, services you use with Apple (iCloud/Developer/iTunes Music/App Store)). They probably will and this won't really make it less convenient.
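The weakness the two posts above describe is a recovery flow that accepts, as proof of identity, a detail the caller added to the account minutes earlier. The following added example (not Amazon's, Apple's, or any company's real logic) models one mitigation: identifying details only count as proof once they have been on the account for an assumed cooling-off period, so the two-call sequence from the thread is refused. The account, dates and card digits are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: a detail must be this old before it may be used as proof of identity.
COOLING_OFF = timedelta(days=7)


@dataclass
class Account:
    name: str
    billing_address: str
    emails: dict        # email address -> datetime it was added
    cards_last4: dict   # last 4 card digits -> datetime they were added


def trusted_factors(acct: Account, now: datetime) -> set:
    """Details old enough (per COOLING_OFF) to be accepted as proof of identity."""
    trusted = set()
    for last4, added in acct.cards_last4.items():
        if now - added >= COOLING_OFF:
            trusted.add(("card_last4", last4))
    for email, added in acct.emails.items():
        if now - added >= COOLING_OFF:
            trusted.add(("email", email))
    return trusted


def can_change_email(acct: Account, presented_last4: str, now: datetime) -> bool:
    """Allow an e-mail change only if the cited card is a trusted (aged) factor."""
    return ("card_last4", presented_last4) in trusted_factors(acct, now)


def replay_thread_scenario():
    """Replays the two-call sequence from the thread against the cooling-off policy."""
    t0 = datetime(2012, 8, 3, 12, 0)  # constructed timestamp
    acct = Account("Constructed User", "1 Example St",
                   emails={"me@example.com": t0 - timedelta(days=400)},
                   cards_last4={"1234": t0 - timedelta(days=400)})
    # Call 1: a card is added with only name, address and e-mail.
    acct.cards_last4["9999"] = t0
    # Call 2, twenty minutes later: the freshly added card is cited as proof. Refused.
    blocked_now = not can_change_email(acct, "9999", t0 + timedelta(minutes=20))
    # The same card is accepted once it has aged past the cooling-off period.
    allowed_later = can_change_email(acct, "9999", t0 + timedelta(days=8))
    # The long-standing card is accepted immediately, so normal users are not locked out.
    genuine = can_change_email(acct, "1234", t0)
    return blocked_now, allowed_later, genuine
```

The cooling-off rule only closes the chaining step; it does nothing about the other point raised above, that the last 4 digits are easily obtainable, which is why the post suggests additional questions drawn from account history.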
 
Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and this incident shines a light on the problems. What's scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:

Nothing is ever 100% secure. Nothing. Especially when it comes to the digital age. For you to trust ANY business or corporation (especially Google), is to set yourself up for disappointment. What happened was unfortunate but it was a TARGETED hack. Most people's accounts such as yours are not at risk. If you want a secure life, stay off the internet, cancel your credit cards and go back to cash only. With all this instant access and online freedom comes a certain risk that we all take. It's an accepted fact of life. It only gets realized that it can and will happen when we read about it in articles like these.

Again, this is isolated. Yes most everyone needs better authentication and better verification. Turning off find my iDevice is an excessive response to something that will probably never happen to you.
 
I shake my head at all these tin foil hatters out there. If you don't want to get hacked, move off the grid. Even then someone could still use identity theft on you. Just accept that when you're using the internet, there's a chance you could get hacked. No matter how cautious you are.
 
This whole thing seems fishy to me. Who ever heard of this guy, and why would someone go through all this trouble to access his account so they could wipe his phone? Could it be he is involved in this, trying to make a name for himself, or just for the publicity? I don't really know, but it sure doesn't smell right. It's hard to believe there are people who would go through all that trouble just for the "joy" of wiping someone's phone.

Not at all. There are many hackers who are actually well-motivated-- they are trying to find and publicize flaws in information security systems in order to force these problems to be addressed. It's not a coincidence that it was a reporter's account that was hacked.
 
Read the whole article on Wired. According to the hacker, this was not about wiping the devices or about any of the accounts, but rather, getting the "@mat" handle.

That's why it seems odd to me: what's the point doing that? It's pretty obvious that most well-known tech journalists could call someone at Twitter pretty quickly after this sort of thing and get their account reclaimed, which is exactly what happened here. So why would a hacker bother going to as much work as this guy did to get something he'd never be allowed to keep? Too stupid to think of the above?

Other odd things:

  • Hacker contacts journalist to explain his hack in detail: doesn't fit with the "just wanted the twitter name" theory.
  • Hacker claims he regrets journalist having his MBA wiped, but apparently won't give him the 4-digit passcode to reverse the wipe.
  • Tech journalist apparently has no backups, despite irreplaceable pictures of his kids etc. being on his laptop. Seriously?
  • Journalist posts full details of hack as a story on Wired rather than on his own Tumblr (which is where he first announced it), coincidentally raising his profile and getting a load of hits for his employer.
  • Journalist just happens to be free to go on TWiT the day after this happens to talk about it, again coincidentally raising his profile etc.

Maybe this is all coincidence (and it sounds like this vulnerability is real and needs fixing), but was this set up to get a good, high-publicity story? I guess we'll find out in time...
 
And what about the stories of all the Time Machines breaking around the end of the warranty?

Time Machine is a piece of software-- it doesn't have a warranty per se.
You may be confusing it with Time Capsule, and the early life failures for the first generation models of that were back in 2009-2010.
 
They should either increase the identification information they have or ask more questions with the information they do have (last few apps/songs purchased, services you use with Apple (iCloud/Developer/iTunes Music/App Store)). They probably will and this won't really make it less convenient.
I dunno how practical that would be, given the way some people purchase things and how the transactions get posted. If you forgot your password and were locked out of everything, you might not remember such information or have access to it. I couldn't tell you what the last 10 apps or songs I purchased were. They need something else that people can remember better.
 