As heavily discussed this weekend on Twitter and across the internet, Wired writer Mat Honan shared a real-life horror story about how his iCloud account was compromised, giving the hacker access to all of his data, and resulting in his iPhone, iPad, and MacBook Air being remotely wiped.
The most chilling part of this story isn’t that his account was hacked – it’s the fact that Apple unwittingly helped the hacker gain access to Honan’s account!
Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my MacBook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
The hacker was essentially able to con Apple tech support into granting him access to the iCloud account, which in turn allowed access to his Gmail account, Gizmodo’s Twitter account, and other online accounts. Honan’s Apple devices were also remotely wiped right before his eyes.
Apparently the hacker convinced AppleCare that he was Mat Honan and requested that they change Honan’s iCloud password – a request that they granted perhaps too eagerly.
Fortunately, the hacker, who has struck before, appears to target only the accounts of high-profile users, meaning the majority of users remain safe. Still, the incident strongly calls Apple’s account security into question, as it could likely have been prevented if Apple supported two-factor authentication, as Google does (allowing a user to tie password resets to their mobile phone via text message, etc.).
Apple needs to step up to the plate here. They need to explain what happened, and explain how users can protect themselves. Even more important, Apple needs to work on tightening up their security. It’s absolutely unacceptable for a hacker to be able to hijack someone’s digital life this way – all without ever cracking or discovering a password, or performing any real hacking of any kind.
Is our information really safe in Apple’s iCloud? Perhaps not. Will this make users think twice before using Apple’s services to store sensitive information, and could this affect Apple’s success if they decide to enter e-commerce, or the financial services market (perhaps via Passbook)? Probably.
Apple has so far remained silent about the issue.