With nearly all our information online these days, we are extremely vulnerable to hacking. This is especially true for people who are somewhat public personalities. While we may think that strong passwords will protect us, they weren’t enough to prevent journalist Mat Honan’s iPhone, iPad and MacBook Air from being remotely wiped.
Honan himself explains what happened:
“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years.
The backup email address on my Gmail account is the same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:04, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s, they were then able to gain entry to that as well.”
Trusting Apple to keep his information secure, Honan did not even have backups, so this stunt may well have resulted in the permanent loss of quite a lot of information, photos and the like. Apple has told the journalist that the remote wipe is probably irrecoverable without ‘serious forensics’.
However, none of this was done by brute force or by compromising his password. A person claiming to be the hacker contacted Honan and informed him that, “[I] didn’t ur password or use bruteforce. I have my own guide on how to secure emails”.
Honan himself later confirmed that the breach was not password related:
“Update three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
Basically, the hacker called up Apple Support, convinced them that he was Honan himself and had Apple Support change Honan’s password, giving the hacker full access to everything. AppleCare has since been able to confirm the hacker’s claim by going through an Apple employee. This highlights a very real security weakness: a reset performed through support bypasses the password altogether, so a strong password offers no protection against it. Apple has not commented yet, although Honan contacted both Apple Corporate and Apple’s PR team.