Apple Responds To Journalist Victim of “Epic” Apple ID Hack

Mat Honan of Wired.

Last week, Wired columnist Mat Honan’s digital life was destroyed by hackers who were able to connect to his Apple ID and remotely erase all of the data on his iPhone, iPad, and MacBook.

Apple responded today to Honan via a spokesperson, Natalie Kerris. In a statement to Wired, where Honan posted an account of his experiences, Apple promised to look into how users can protect their data and security better when they need to reset their account passwords.

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” said Apple, via Kerris. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

This all happened because the hackers were able to get a hold of Honan’s email address, his billing address and the last four digits of a credit card he has on file. Once the hacker had this info, he or she called Apple, asked for a reset to the iCloud account in Honan’s name, and was given a temporary password.

“In many ways, this was all my fault,” Honan wrote. “My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.”

The real problem here, he noted, is that the companies he relied on to keep his data safe have competing security practices. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”

This echoes a statement today from Steve Wozniak, who predicts that our reliance on the cloud will cause many “horrible problems” within the next five years.

As Mat Honan found out today, our interlinked, cloud-based computing utopia can, like many tools before, be used for good or evil. We’ll all need to be personally careful with our security practices, as well as demanding better accountability and more viable practices from the industry leaders we trust with our data, which is sometimes another word for “precious photos and memories.”

  • TalkinMac

    “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,”

    I think that quote says it all. Scary.

  • marioyohanes

    Well, that’s why we need to be more careful about daisy-chaining our internet accounts, avoid using the same password for all accounts, stop using predictable secret questions, and so on…

  • jfc123

    Why would a hacker want to do this???

  • hanhothi

    Why would a hacker want to do this???

    As stated, “to take over Twitter account and cause havoc”. Someone who has a big Twitter following can send a lot of spam!

  • MrSarcy

    (2nd post, nice going Cultofmac… bodytext disappears if you log in after writing your reply .. also, this doesn’t work on my iPad.)

    So they used his Apple ID to restore his profile to a new iDevice and got into his Gmail? I activated double sign-in today so now I have a specific password for mail on my iPhone, but that isn’t helping if the password is restored as well. Yep, I’m disabling iCloud backups for my devices.

  • technochick

    So they used his Apple ID to restore his profile to a new iDevice and got into his Gmail?

    Nope. They didn’t have to. Go read the article and you’ll see what Honan says he was told that they did.

    Basically they tried to reset his gmail and saw his recovery email was an Apple ID (first fail, thanks google) and thanks to the partial and the letter count figured out it was just his name

    on a shot they looked up his domain name registry and got his billing address (second fail, thanks registrar).

    took a shot that one of the two emails was his Amazon account (and that he uses amazon which he might have hinted at in a blog at some point). got them to expose the credit card on file which they hoped was the one on file with the Apple ID as they hoped was linked to his itunes (third fail, thanks Amazon)

    they were right and got the password reset for the Apple ID. (fourth fail, but not possible without the first 3). From there they just did password reset by email to get into gmail and then into twitter.

  • technochick

    Why would a hacker want to do this???

    Teach this so-called tech expert a lesson. It likely started off just wanting access to his twitter but then they got so much more cause of how not so smart Honan was.

    I’m no tech blogger but even I don’t have my itunes and my icloud on the same id. and I don’t have crisscrossing recovery emails etc.

    and I certainly don’t skip backing up my computer

About the author

Rob LeFebvre

Anchorage, Alaska-based freelance writer and editor Rob LeFebvre is Cult of Mac's Culture Editor. He has contributed to various tech, gaming and iOS sites, including 148Apps, VentureBeat, and Paste Magazine. Feel free to find Rob on Twitter @roblef.
