Very scary news coming from Wired’s Mat Honan. As well publicized over the weekend, Honan’s iCloud account was hacked. ‘Bad’. This quickly led to Honan’s Twitter account, and in turn Gizmodo’s Twitter account (where Honan used to work). Honan’s Twitter profiles were attached to his iCloud email, and a simple Twitter password reset allowed those with access to his iCloud account to enter the Twitter accounts.
Even worse, access to his iCloud account gave access to Find my iPhone. With that, his Mac, iPhone, and iPad were remotely wiped…his Gmail and everything else he had was gone. He’s working with Apple and Google to get everything back but clearly this is a scary situation.
So, how did the hackers enter his iCloud account in the first place? Honan originally thought they broke through his old, seven character password. However, Honan says that something much worse actually happened. Apparently, the hackers were able to call up AppleCare support, and reset Honan’s password:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
Obviously, a user being able to enter someone’s else’s iCloud account with the help of AppleCare support – and destroy their digital life – is a catastrophe and scary for all of us that use iCloud. In fact, many have been questioning why iTunes accounts are cracked so frequently and this could be a similar attack vector.
What can you do to protect yourself?There isn’t much if Apple Support is giving out iCloud resets to hackers over the phone. Only disabling iCloud on your Macs and iOS devices can prevent that type of attack. Luckily, Apple is now aware of this and you probably aren’t as high profile of an attack target as Honan.
Apple, per usual, probably won’t comment but I think in this case, it would be a good thing to clear up. There are a lot of scared Apple users out there
We hope that Apple comes up with a more secure password reset for AppleCare iCloud support callers…and soon.