Black cloud looms over Apple online service after high-profile hack

Summary: The hacking of a tech journalist has exposed a massive hole in Apple's iCloud security. Here's what you can do to protect your account until Apple gets its act together.

TOPICS: Apple, Amazon, Cloud, Security

If you haven't already, read the story about the epic hack of Mat Honan that he wrote for Wired. It's a cautionary tale that every iCloud user needs to read.

The hackers' presumed motive was Honan's @mat Twitter account, which they wanted to use to broadcast spam vitriol to his 15,000 followers -- but what they got was much more.

They started with his iCloud account and, once in control of it, they were able to recover the passwords for his Google and Twitter accounts.

Using Apple's Find My iPhone and Find My Mac services, the hackers were able to remotely wipe his iPhone, iPad and his MacBook Air. Oh, and they deleted his Google/Gmail account for good measure.

During the mayhem the hackers also discovered that Honan had linked the Gizmodo Twitter account to his own, so in addition to Honan's 15,000 followers, the hackers were able to tweet to @gizmodo's 400,000+ followers.

But what's most stunning is how they hacked him in the first place. According to Honan's account on Wired, hackers simply called Apple and -- get this -- gave his name, address and the last four digits of the credit card he had on file. That's it.

Most people's physical address is pretty easily obtained via creative Googling, and Honan's hackers were able to obtain the last four digits of his credit card number from Amazon. According to MacRumors:

Honan's hacker used a loophole in Amazon's security systems which don't protect the last four digits of their users' credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information including the last four digits of the original credit card.

With this information Apple technical support reset Honan's iCloud account and issued the hackers a "temporary password." Sounds innocuous enough, but it was the equivalent of them giving hackers the keys to his digital life.

It's not all Apple and Amazon's fault though.

Honan did a couple of foolish things along the way, like using his iCloud address as the recovery address for his Gmail and Twitter accounts and not backing up the baby photos on his MacBook Air. But none of this would have happened if an Apple representative had not given hackers access to his Apple ID with simple social engineering. 

Until Apple fixes its porous iCloud security, here are some things you can do to protect yourself:

  1. Make sure that you have a strong iCloud/Apple ID password. (Here's how to change it).
  2. Use unique passwords to protect different accounts (I recommend 1Password for this). If you're using the same password for your online banking as your webmail account you're asking to be hacked. At a minimum, use tiered passwords: a superstrong one for anything financial, another one for your email and a third for everything else.
  3. Use a throwaway email address (that's not linked to anything) for forms and retail-related spam. The less personal information that's in it, the better.
  4. Enable two-step verification on your Google account and protect it. Don't use your primary email address for every retailer and web form that asks for it. (See #3 above.)
  5. Buy a domain name, host it with an ISP you trust and set up email accounts on that domain for your high security/financial accounts. Use email accounts you control (not webmail) for high security applications and for password recovery.
  6. Use different credit cards for Amazon and your Apple ID.
  7. Back up your most important data to physical media that you control. Ideally two copies on-site and one off-site (at work, your parents' or a friend's house).
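
To check your own setup against tips 4 and 5, here is a short script that works out which accounts fall if a single one is taken over. It is an added example, not part of the original article; the account names, the `.example` addresses and the "controls" links are constructed from the chain described above.

```python
from collections import deque

# Constructed inventory modelled on the article: "recovery" is the mailbox
# that receives password resets, "controls" lists linked accounts/devices.
AS_DESCRIBED = {
    "icloud": {"mailbox": "me@icloud.example", "controls": ["devices"]},
    "gmail": {"mailbox": "me@gmail.example", "recovery": "me@icloud.example"},
    "twitter": {"recovery": "me@icloud.example", "controls": ["gizmodo-twitter"]},
    "gizmodo-twitter": {},
    "devices": {},
}

# Same accounts after tip 5: recovery moved to a mailbox on a domain you control.
HARDENED = {
    **AS_DESCRIBED,
    "own-domain": {"mailbox": "recovery@own-domain.example"},
    "gmail": {"mailbox": "me@gmail.example", "recovery": "recovery@own-domain.example"},
    "twitter": {"recovery": "recovery@own-domain.example", "controls": ["gizmodo-twitter"]},
}

def build_edges(accounts):
    """Map each account to what an attacker gains by controlling it."""
    owner = {a["mailbox"]: n for n, a in accounts.items() if a.get("mailbox")}
    edges = {name: set() for name in accounts}
    for name, a in accounts.items():
        holder = owner.get(a.get("recovery"))
        if holder and holder != name:
            edges[holder].add(name)      # reset mail lands in holder's inbox
        edges[name].update(a.get("controls", ()))
    return edges

def blast_radius(accounts, start):
    """Everything reachable from one compromised account (breadth-first)."""
    edges, seen, queue = build_edges(accounts), {start}, deque([start])
    while queue:
        for nxt in sorted(edges[queue.popleft()]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

def worst_account(accounts):
    """The account whose takeover exposes the most other accounts."""
    return max(sorted(accounts), key=lambda n: len(blast_radius(accounts, n)))

if __name__ == "__main__":
    for label, inv in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        top = worst_account(inv)
        print(f"{label}: {top} -> {blast_radius(inv, top)}")
```

Moving the recovery address does not remove the single point of failure, it relocates it: in the hardened inventory the own-domain mailbox is the account to protect most carefully.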

Apple needs to address this breach swiftly and definitively or it risks losing the goodwill and trust that it's built up in iCloud.

Update: Apple spokesperson Natalie Kerris gave this statement on the issue (via CNET):

Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected.

  • UnF'Nbelievable...

    Putting most of the blame on Apple!! He did so much wrong security wise and Apple gets the blame. UNF'NBELIEVABLE!!
    Arm A. Geddon
    • Umm no...

      Apple gets the blame because their support rep helped the guy break into the account!

      In reality, it is mostly unqualified techs that cause this problem and they are pretty much in every company, period!
      • I think that Mat Honan...

        isn't telling the whole story. There are always two sides to every story; his, theirs and the truth!!
        Arm A. Geddon
        • Oops.

          Correction, that's 3 sides.
          Arm A. Geddon
        • And we all know...

          which one of those *three* fan boi's don't like to hear... :-\
      • You missed one vital piece of evidence.

        "Most people's physical address is pretty easily obtained via creative Googling and Honan's hackers were able to obtain the last four digits of his credit card number from Amazon."

        Apple was at fault in not requesting the answers to Honan's security questions, Amazon was at fault for giving the last 4 digits of his credit card on file, AND Honan was at fault for using the same info and password as well as linking everything together.
        • Honan did nothing wrong. His "fault" is not evidence of a crime.

          The day "using the same info and password as well as linking everything together" became a fault is the day that using cloud services is unsustainable for everyday use. To be fair to Honan, he did nothing wrong. He didn't give burglars the keys. They figured out the grooves and picked the lock with Apple pointing them the way. This is why I continue to rail against ultrabooks. I need my optical BluRay drive wherever I go to write my data to physical storage. SkyDrive, iCloud, Google Drive, etc. just aren't the right way to go.
          • @theNewDanger

            Honan was at fault in that he did not ever change his password... and he's heavily involved in tech - going by his time at Gizmodo and Wired - and he should know good password security practices.

            Of course the lion's share of the blame should rightfully go to the hacker who did this.
          • Good Point....

            I totally agree with what you said.

            Instead of a BluRay drive why not a flash drive? They are really cheap now, and I have never had a problem with them. Should look into it...
    • So Apple has no fault in this?

      Honan admitted repeatedly where his user error occurred. But to defend Apple as if their system is perfect and it's the humans who are the problem is ridiculous. Apple has some flaws in keeping our info secure. That's a big deal and it shouldn't be swept under the rug simply because you love Apple more than you love people.
      • Did I say Apple was perfect?

        Try rereading my post.
        Arm A. Geddon
        • RE: Love of Apple and people.

          Too F'N funny!! Nothing like being able to judge someone by their posts.
          Arm A. Geddon
        • Deflecting blame

          Just a suggestion, but maybe you should reread your posts to see why anyone is thinking you're coming off way too aggressive against humans and way too forgiving to Apple.

          "Putting most of the blame on Apple!! He did so much wrong security wise and Apple gets the blame. UNF'NBELIEVABLE!!"

          "Mat Honan is one of those people that shouldn't even be around computers. SHEESH, what an F'N idiot!!"

          You're calling the guy an idiot, you're cursing as if YOU were the one being attacked and you're laser-focused on defending Apple rather than accepting a clearly laid out security issue that affects multiple companies INCLUDING Apple. So rather than trying to prove how much smarter you are than Honan or the rest of the world, why not look at it from the perspective of average users who could easily fall victim to an attack like this with only a few key bits of easily accessible info.
          • He is an idiot!!

            What part of idiot don't you understand? The guy's in tech so you'd think he'd know something about security, especially that he pretty well has his whole life out onto the internet. Would you prefer I call him a wanker?
            Arm A. Geddon
      • Hacking Apple

        It just works.

        Easy to use, easy to crack.
        • Cracking?

          Not in the true sense. Not that Microsoft is in the blog but a lot of people fall for the Microsoft tech help scam too.

          Arm A. Geddon
    • Good god.

      One of these days, Im just hoping that one of these days (as unlikely as it seems) that just for once an Apple apologist will admit the same kind of thing that would have quickly gotten Microsoft fried for poor security also means Apple has to be fried for the same kind of thing.

      Just once.

      Just once put down the Apple flavored Kool-Aid.

      Just once admit to an actual flaw in Apples mighty plan as opposed to only acknowledging that you "know Apple isnt perfect"; only to go on to dispute every and any actual flaw in Apples products or company.

      Just once say the words, Apple blew it.

      Just once.

      But no. We know its not going to happen. Once you drink the Apple flavored Kool-Aid….your done.
      • I would

        but you Apple haters seem so damned determined to blame Apple for everything from the meteor strike that took out the dinosaurs to the conflicts in the Middle East...

        Sure Apple shares some of the blame. So does Amazon and Mat Honan.

        Just say the words "Apple was not totally at fault".

        Just once.

        But no, we all know the Apple Haters are gonna hate with their quasi-religious frothing at the mouth fervor and zealotry that is only matched by the fanatical frothing at the mouth die hard Apple Faithful.
      • Just once

        Just once, indicate you know the difference between "your" and "you're."

        I just love it (not) when illiterate folks trash others as though the Web is a big Jerry Springer show. Very few people seem to know the difference between "it's" and "its" anymore, for example (it's means "it is", period. It is not a possessive, so you wouldn't say "It's color is red"). It's not very compelling to read reactive diatribe full of grammatical and spelling errors. I just assume a nit-wit has written the comment, because if they didn't take the time to spell check and grammar check, they likely didn't fact check, either.

  • One more thing...

    Mat Honan is one of those people that shouldn't even be around computers. SHEESH, what an F'N idiot!!
    Arm A. Geddon