Hackers use possible Amazon and Apple security holes to delete tech writer's data
Hackers use fairly basic techniques to accomplish the hack
Apple: "We found that our own internal policies were not followed completely"
On Friday night, Wired technology journalist Mat Honan was brutally hacked. In a chain of events that Honan would unravel in the following days, hackers took advantage of security holes at Amazon and Apple to gain access to his iCloud account. They then took over his Gmail account, remotely wiped all data from his MacBook Air, iPhone and iPad, and took over his Twitter account as well as the Twitter account of his former employer, Gizmodo.
The incident might seem small on its surface – just one person’s information, not a huge data breach of credit card numbers. But this one very public incident, thoroughly documented by Honan in a Wired article, could be a wake-up call to many who store their information with cloud-based services, including Amazon, Apple and Google.
“My experience leads me to believe that cloud-based systems need fundamentally different security measures,” said Honan. “Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.”
The hackers used fairly basic techniques to accomplish the hack. They found Honan’s home address and e-mail address online, and after some back and forth with Amazon tech support, used it to get the last four digits of Honan’s credit card number. They called Apple customer support pretending to be Honan and used those four numbers along with same billing address to verify his identity, gaining access to Honan’s iCloud account and the associated .Me account. The .Me account was Honan’s backup e-mail for his Gmail account. Once they were in his Gmail, the hackers could reset passwords for all the key accounts that used Gmail, including Twitter accounts.
Once in, the hacker spammed Honan’s Twitter followers and deleted all the data from his various devices. The remote wipe option is a security service offered by Apple as part of its Find My Mac/iPhone/iPad feature. If devices associated with the Apple ID are stolen, the owner can execute a remote wipe to prevent their data from falling into the wrong hands.
The motivation for the crime seems to be rather banal. In conversations with Honan, one of the hackers responsible revealed he just wanted Honan’s three-letter Twitter handle, @mat. “I honestly didn’t have any heat towards you before this. i just liked your username like I said before,” he wrote Honan. Remotely wiping Honan’s computers and mobile devices, permanently erasing data including a year-and-a-half of photos of his young daughter, was also done without any real reason. “yea i really am a nice guy idk why i do some of the things i do,” the hacker wrote.
Apple responded with an official statement on Monday night, saying, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
However, while investigating the breach over the weekend, Honan said he confirmed twice with Apple tech support that only two pieces of information are required to get access to an iCloud account: a billing address and the last four digits of the credit card associated with the account. Wired reporters say they tested the hacker’s approach by successfully trying it on another account themselves.
Amazon has not yet commented on the report.