(Image credit: Getty Images via @daylife)
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone.
At 5:01 PM, they remote wiped my iPad.
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s, they were then able to gain entry to that as well.
Although he made the security mistake of keeping the same password for years, that was not what allowed the hacker to gain access to the accounts. It was clever social engineering on the part of the hacker. From update 3 in the blog post:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
It also turns out that, in order to perform the social engineering, the hacker first obtained Honan's Amazon account information, which included his credit card number. He then passed that number to Apple's iCloud support team to gain access to Honan's accounts and wipe his iPhone, iPad and MacBook Air. Via Mashable:
The hackers obtained the last four digits of Honan's credit card number by breaking into his account on Amazon, which is now also tightening its security features. Amazon had required even less than Apple to change a password -- only a user's name, email address and mailing address. The hackers found the final digits of Honan's credit card once they reset his Amazon password.
Because of this, Amazon and Apple are changing their security policies. According to the Mashable post:
Apple users can no longer reset their Apple IDs over the phone. Previously, Apple ID passwords could be swapped in exchange for the email address, billing address and the last four digits of the credit card associated with the account.
Wired reported on the change Amazon made quietly. According to Wired:
Previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.
On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
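As an added illustration (not from the article, Wired, Mashable, or either vendor), the chain above can be modelled as a recovery-dependency graph and re-checked after the policy changes to see whether publicly findable identifiers still lead to a full takeover; the account names and grant rules below are constructed from the narrative, and which recovery paths count as "closed" after the changes is an assumption drawn from the two quotes.

```python
# Recovery-dependency model of the account chain described in the article:
# (what the attacker gains, the set of things needed to get it). The rules are
# constructed from the narrative above, not from any vendor documentation.
PRE_CHANGE = [
    ("amazon_account", {"name", "email", "mailing_address"}),  # phone reset at Amazon
    ("cc_last4", {"amazon_account"}),          # last four digits visible once inside
    ("apple_id", {"email", "billing_address", "cc_last4"}),  # phone reset at Apple
    ("icloud_email", {"apple_id"}),            # the .mac address rides on the Apple ID
    ("remote_wipe", {"apple_id"}),             # iPhone, iPad and MacBook Air
    ("gmail", {"icloud_email"}),               # .mac address was Gmail's backup address
    ("twitter", {"gmail"}),                    # Twitter recovered via Gmail
]
# Policy change: neither Apple nor Amazon will reset or modify accounts by phone.
POST_CHANGE = [p for p in PRE_CHANGE if p[0] not in ("amazon_account", "apple_id")]
# Identifiers the article describes as easily found online.
PUBLIC_INFO = {"name", "email", "mailing_address", "billing_address"}

def reachable(paths, start):
    """Fixed-point closure: keep granting any target whose prerequisites are all
    held. Returns the held set plus, in derivation order, what each grant needed."""
    held, trace = set(start), {}
    progress = True
    while progress:
        progress = False
        for target, needs in paths:
            if target not in held and needs <= held:
                held.add(target)
                trace[target] = sorted(needs)
                progress = True
    return held, trace

def takeover_chain(paths, start, goal):
    """Ordered list of accounts/secrets gained on the way to `goal`, or None."""
    held, trace = reachable(paths, start)
    if goal not in held:
        return None
    chain, todo = [], [goal]
    while todo:  # walk prerequisites back to the starting facts
        node = todo.pop()
        if node in trace and node not in chain:
            chain.append(node)
            todo.extend(trace[node])
    order = list(trace)  # dict keeps insertion (derivation) order
    return sorted(chain, key=order.index)

def single_point_fixes(paths, start, goal):
    """Each recovery path whose closure, on its own, breaks the chain to `goal`."""
    return [t for t, _ in paths
            if takeover_chain([p for p in paths if p[0] != t], start, goal) is None]
```

Calling `takeover_chain(PRE_CHANGE, PUBLIC_INFO, "twitter")` reproduces the Amazon, last-four, Apple ID, iCloud, Gmail, Twitter sequence, while the same call on `POST_CHANGE` returns `None`; `single_point_fixes` shows that closing any one link (including the Gmail backup-address link Honan controlled himself) would have stopped the Twitter takeover.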
What do you think Apple and Amazon could have done better to prevent this? Do you think these changes are going to make these types of attacks less likely? Let us know what you think in the comments.