Apple suspends over-the-phone Apple ID password reset to solve security issue
This entry was posted on Friday, August 10, 2012.
August 3, 2012, 5:00pm: Wired author Mat Honan went dark from the internet. It started with his iPhone displaying a setup screen, followed by his MacBook asking for a four-digit PIN that had been set remotely through iCloud. His iPad was then wiped. Mat was cut off from the internet, unable to find out what was happening.
Luckily, he was able to use his wife’s phone to call Apple. After he had spoken with Apple for about an hour and a half, they concluded that his account had been compromised. The hackers had gained access to Mat’s iCloud account and remotely wiped his iPhone, iPad, and MacBook. With access to his iCloud account, the hackers were able to find the credentials to his Twitter and Google accounts. Mat’s Google account was quickly deleted and his Twitter account was flooded with repulsive tweets.
The hackers first called Amazon tech support, pretending to be Mat. Amazon tech support released the last 4 digits of Mat’s credit card number to the hackers. The hackers continued by calling Apple tech support. Apple was ready to reset Mat’s Apple ID password if two pieces of information were given: Mat’s billing address and the last 4 digits of his credit card number. The hackers had both pieces of the puzzle and therefore were able to gain access to Mat’s iCloud account. And thus the series of hacks began.
Because of this incident, Mat has now lost all of the data on his MacBook since he did not have a backup. While not having a recent backup wasn’t smart, resetting an Apple ID password based on a billing address and last 4 digits of a credit card isn’t smart either. Therefore, Apple is shutting down over-the-phone Apple ID password resets until they can resolve the security issue. Amazon has already taken similar steps by not allowing any calls to change account settings. Both Amazon and Apple are requiring that password resets be attempted online. It seems that Apple wants to revise their policy to eventually allow over-the-phone password resets once they can find a more secure method.
Mat isn’t the only person who has experienced this type of hacking; chained compromises across multiple accounts are becoming more common now that we store more and more information in the cloud. The lesson learned today is to never store passwords to other services in your email inbox. It also helps to keep additional email addresses on file with every service that allows you to enter more than one. In the event that the primary email address is compromised, you can use the alternate email addresses to reclaim access to your accounts.