Apple gave hackers access to user’s iCloud account

By , Aug 5, 2012

As we continue to upload more and more of our lives to the web, the dangers of being hacked multiply. Our credit card numbers, our home addresses — they’re all there for the taking. That’s why so many security experts preach using a complicated password.

But sometimes, using a strong password isn’t enough. Just ask former Gizmodo writer Mat Honan. Mat’s world was turned upside down this weekend when a hacker gained access to his iCloud account, wiping his Mac, iPhone and iPad, thanks to Apple…

If you follow Mat Honan or Gizmodo on Twitter, you would have seen quite the show Friday night. Hackers gained access to both accounts and started their reign of terror.

Honan explains how it all went down:

“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years.

The backup email address on my Gmail account is the same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:04, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.”

And because he didn’t have any backups, Mat says he lost more than a year’s worth of photos, emails, and documents. Ouch. And apple said that none of this is recoverable without serious forensics.

So how did all of this happen? A brute force attack? A key logger? Nope, Apple essentially handed the hackers Mat’s iCloud password.

 ”Update three: I know how it was done now. Confirmed with both the hacker Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”

Apparently, if someone can convince Apple that they are you, they can gain access to your iCloud account with very little effort. Granted, Mat Honan’s life is a little bit more public than most people’s (he’s also worked for Wired magazine). But this attack still highlights a very real weakness in Apple’s security.

In fact, we expect the company to make a statement regarding this situation at some point, if for no other reason then to reassure folks that this won’t happen again. Some people store their entire lives on iCloud. And if Apple ever wants to, at some point, become a medium for wireless mobile payments, it needs to feel safer.

  • Share:
  • Follow:
  • Mohamed Hassabo

    Wow, that seriously sucks :(

  • http://www.facebook.com/second.love Nhân Phan

    This is why I don’t use iCloud

    • Manuel Molina

      Agree. Putting your life on a server is not a good idea; like Facebook and young teenagers these days. Still, I feel bad for him.

      • http://twitter.com/MCaudebec Maxim∑

        icloud backups are encrypted and stored securely. Even if the hacker obtained his icloud he wouldn’t have been able to deleted the backups without stealing the physical device….

        when you rely on that much data you make a backup of a backup, but the stupid guy at gizmodo didn’t even make a backup so he got what he deserved

        and I hope those hackers loose all there data one day and see how it feels

      • http://www.iTechBlog.in/ taran

        You can use another iphone and restore that iclud backup on it…you dont really need his particular iDevice..:|

      • Techpm

        This has nothing to do with putting data on the server. It was his local data that was wiped and he didn’t keep backups.

  • http://www.facebook.com/profile.php?id=100000258418252 David Gitman

    Damn apple

  • chjode

    Hrm… did Apple really “give hackers access” or did the hackers simply have enough biographical information about Mat to answer all the questions asked by the phone rep in order to get a password reset?

    • http://www.facebook.com/people/Steven-Cannan/100000630162509 Steven Cannan

      Ya got scared a little lol

      • http://twitter.com/shannonNullCode ►Shannon Code

        it’s really cool visiting a blog that’s a daily read and seeing my son commenting :)

    • http://www.GoldenGateDomains.com/ Golden Gate Domains

      What is even “easier” is for criminal organizations to get “inside men” hired at these various call centers, then their “man” can even have easier access to allow their Hacker Team to have login access.

      What gets even scarier, this doesn’t have to be just for Apple and iCloud – this can be for Credit Card companies and other Financial Organizations.

      And to throw a little more “gas on the fire” lets not even go in to those companies that outsource this kind of customer service to third-world nations where bribes and corruption flow much easier!

      Is there an easy solution to this security question? Maybe you have suggestions or ideas?…

      • @dongiuj

        Give a saliva sample by spitting on the computer.

      • http://twitter.com/javiwankenobi Javier Vázquez

        Yes, cause we all know there isnt any corruption on developed first world countries.

  • http://twitter.com/kingmoe738 Kingmoe738

    so sue them now?:)

    • goofygreek

      lol, class action lawsuit coming up

  • http://twitter.com/thundiyils Jacob S

    All I can see is that another law suite towards Apple :)

    • http://www.facebook.com/profile.php?id=1380073379 Quang Truong

      The problem is how he convinced Apple Support. If he could answer correctly all identity questions Apple asked, that’s not Apple fault. That’s user fault because he made those info leak

      • http://twitter.com/thundiyils Jacob S

        Apparently you are right. This is an isolated issue, I believe.

      • http://www.facebook.com/profile.php?id=1162278746 Ingmar Sdlr

        Well no, actually that guy at Apple Tech gave reset the password without asking his secutiry question. Apple Support should change it’s way of resetting the password to something better.
        For instance always asking the Social Security Number or Insurance number (depending on the country you’re living in).

  • http://twitter.com/redevil1987 Damian W

    I use icloud moderately, I just dont want to rely or be dependent on it. My main storage is on other cloud services such as sugarsync, dropbox, skydrive, box and 2 hard drives. I feel pretty safe with this.

    • goofygreek

      Same here, i dont have one service for everything. icloud for my ipad. box for my android phone and my win 7 laptop. the only thing that i have that actually syncs between everything is google chrome. and i never save passwords for important websites either.

  • http://twitter.com/WrightsCS Aaron Wright

    My primary storage is the 2TB drive sitting on my desk. I don’t use iCloud.

    • http://www.facebook.com/profile.php?id=1231341527 Sakis Nikopolidis

      Life sucks and as you know shit happens….. A small fire or a thief can happen…. my only fear is i will lose 4 years of photos from the day my kid was born!

      • http://www.iTechBlog.in/ taran

        You are right…!!…betta b safe den sorry…

  • Daff Yheng

    Gizmodo? Nope.

  • Leo Sack

    And that’s why I use a PC. No big brother able to destroy your computer anytime they want.

    • http://www.facebook.com/rohitzsingh Rohit Singh

      FUD RAT and your PC is all gone :)

      • http://www.facebook.com/DamaniJB Damani Brown

        Leo you’re a retard. Yes a FUD rat, or Worm would easily rip you a new a**hole. ;)

      • Leo Sack

        Your ignorant enough to think I don’t know what I’m doing. I bet you don’t even use an AV or know wtf BlackShades is or have any idea there’s a thing called a mac rat or sandboxie.

      • Leo Sack

        You have more dislikes than likes lol :)

    • http://twitter.com/toumi2 Mounir Toumi

      seriously man ? you got it all wrong -_-’

      • Leo Sack

        You don’t see a corporation letting you wipe out a PC as soon as a mac.

    • goofygreek

      ???? pc has a shit ton more vulnerabilities than mac does. way easier to loose shit. i use a pc, but i dont keep important stuff on it. i keep it on a external drive.

      • Leo Sack

        It has less vulnerabilities than a mac because you can do stuff to it that you want to unlike a mac where you have to pray to saurik for cydia for mac.

  • http://www.facebook.com/Dcastro1313 Danny Castro

    Ok so why wasn’t his info backed up? U get hacked that sucks but back ur digital life up bro! Simple

  • http://twitter.com/Jsal017 Javier Salinas

    I called apple a few weeks ago about an issue on my wife’s account, I was able to get the issue fixed but I was also able to make some changes to her account. I didn’t think nothing of it til now that I read this story but that’s how easy it is to gain access to anyone’s account

  • tyrone

    This couldve just been apple getting back at gizmodo for the whole iphone 4 leak..
    “Apple tech support how can I help you”
    “My name is james I am a hacker trying to access the account of Mat Honan an employee at gizmodo, can you help me?”
    “Gizmodo? Just give me one second while I pull up the information sir…>:]”

    • Ronald Weaver

      That’s pretty funny! Does anyone still change IOS root password? I do so if anyone wants to learn let me know its easy.

  • Dre Adams

    As a previous apple tech support rep I know this isn’t true. You call apple with a password issue, we say email iTunes because that isn’t tech support and no tech support company I’ve ever worked at assisted with passwords. If u insist on immediate assistance we start an immediate chat with iTunes that really isn’t immediate at all. Once iTunes finally reviewed our request they need you to verify your name, iTunes user name, address, credit card info, and phone number and occasionally ur DOB, after that they do not give u the password it is reset to something like Apple and today’s date. Since this is practice for

    • Dre Adams

      Resetting passwords your concern is not about ur digital info but instead who had this much info about you and what else they plan to do…..

    • goofygreek

      so your saying that apple couldnt make the mistake of hiring some idiot and that idiot gave away info without fully verifying the person?

      • Dre Adams

        Thats exactly what I am saying Tech Support over the phone doesn’t have that information at all….. You or the representative would have to e-mail iTunes and they never give the password just ask verification question to assist you with resetting the password

  • Dre Adams

    Resetting passwords your concern is not about ur digital info but instead who had this much info about you and what else they plan to do

  • Irfan Tarique

    After this artical I switch off find my iPhone services from every device.

    • Techpm

      And then you lose your phone and really wish you hadn’t…

      Seriously, whatever security hole there was will be plugged soon if it wasn’t already. Also if you aren’t a public figure no one is going to spend their time trying to hack you.

    • http://www.iTechBlog.in/ taran

      You acted stupid…:p

  • Techpm

    Umm Mat wasn’t picked because he writes for wired, but because he wrote for Gizmodo and still had access to their Twitter account, which the hackers quickly took over.

    If you look up the hackers, Clan vv3, you’ll find taking over high profile Twitter accounts is what they’ve been doing in the past months.

  • http://twitter.com/SammyWeinberg Sam Weinberg

    Incredibly misleading title.

    • Impeach Obama

      To be fair, they didn’t get it from MSBC they got it from Apple

  • http://www.facebook.com/DamaniJB Damani Brown

    It’s called social engineering. He simply “Doxed” the victim. Very easy to do, which gave him all the information he needed to answer any questions. Then, he simply thought up a story to tell the tech support. It’s hard to avoid this, as there is always a way to spoof the information needed to gain access. The world of hackers is limitless. No one is safe. I suggest everyone RUN!

  • Daniel Levi

    i always thought iCloud was bad for some reason because it syncs everything at once,and i’m the kind of dude who is picky on what i sync,i still dont use it and i’m happy now that i heard this,and i’m also sad because thousands of users like mat honan lost all their data:( but if you think about it someone famous like mat honan who could get the word out just saved thousands or maybe millions of people losing their data

  • http://twitter.com/rud0lf77 Rudolf Lichtner

    This is something Apple should be sued for, they can’t handle Personal Data like this…

  • http://www.facebook.com/profile.php?id=557279411 Brandon XIao K

    Apple gonna face the challenge same as Microsoft, as 1 company getting famous and famous, more vulnerability to virus and malware…

  • Emre SÜMENGEN

    Oh c’mon! Get real man… Any social engineered hacking is not the fault of that company, but rather a result of a reckless customer!