Yesterday, the internet was abuzz with a new hacking scandal. Journalist Mat Honan was hacked, and not by any nefarious software, but by social engineering. As he detailed in a blog post and discussed on Wired, the hacker tricked his way past security and managed to wipe all of Honan’s data.
The hacker first gained access to Honan’s Amazon account, and from that obtained the last four digits of his credit card (an incredibly easy piece of information to find). With that and Honan’s billing address, he got Apple tech support to reset the password on his Apple ID. That gave the hacker Honan’s iCloud account, and, following a similar daisy chain of password resets, his Gmail and Twitter accounts; iCloud also let him remotely wipe Honan’s iPad, iPhone, and MacBook.
There’s a lot more detail on how it happened in the Wired piece linked above, but it’s disturbing how easy the whole thing was. Here is Apple’s official response, as quoted by Wired:
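The daisy chain is worth seeing as a dependency graph rather than a story: each account can be reset by presenting either some personal data or control of another account, so taking one weakly verified account transitively hands over everything that points at it. The short model below is an added illustration, not code from the post or from any of the companies involved; the account names, verification rules and the “public info” an attacker starts with are constructed and deliberately simplified, not the providers’ real policies.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """One account and the ways an attacker can take it over.

    reset_paths: alternative reset routes; each route is a frozenset of
    prerequisites that must ALL be presented. A prerequisite is either a
    data item ("cc_last4", "billing_address", ...) or "owns:<account>",
    meaning the attacker already controls that other account (a recovery
    address or linked login).
    yields: what the attacker learns or can do once inside.
    """
    name: str
    reset_paths: list
    yields: frozenset = frozenset()


def compromise_order(accounts, attacker_knows):
    """Return ([(account, route_used), ...], final_knowledge).

    Repeatedly takes any account whose reset route is fully satisfied by
    what the attacker currently holds, adds that account's yields to the
    attacker's knowledge, and stops when nothing more can be taken.
    """
    known = set(attacker_knows)
    fallen = []
    progress = True
    while progress:
        progress = False
        for acct in accounts:
            if any(name == acct.name for name, _ in fallen):
                continue
            for route in acct.reset_paths:
                if route <= known:
                    fallen.append((acct.name, route))
                    known.add(f"owns:{acct.name}")
                    known |= acct.yields
                    progress = True
                    break
    return fallen, known


def require_second_factor(accounts, name, factor="totp_device"):
    """Copy of `accounts` where every reset route of `name` also needs `factor`."""
    out = []
    for acct in accounts:
        if acct.name == name:
            routes = [route | {factor} for route in acct.reset_paths]
            out.append(Account(acct.name, routes, acct.yields))
        else:
            out.append(acct)
    return out


# Constructed model of the chain described in the post. The verification
# rules are illustrative assumptions, not the providers' actual policies.
ACCOUNTS = [
    Account("shop", [frozenset({"name", "email", "billing_address"})],
            yields=frozenset({"cc_last4"})),              # exposes card last-4
    Account("apple_id", [frozenset({"billing_address", "cc_last4"})],
            yields=frozenset({"remote_wipe"})),           # Find My iPhone wipe
    Account("gmail", [frozenset({"owns:apple_id"})]),     # recovery address is the iCloud mailbox
    Account("twitter", [frozenset({"owns:gmail"})]),      # reset mail goes to Gmail
]

# What an attacker can assemble from a public profile and a billing lookup (assumed).
PUBLIC_INFO = {"name", "email", "billing_address"}


if __name__ == "__main__":
    fallen, known = compromise_order(ACCOUNTS, PUBLIC_INFO)
    for name, route in fallen:
        print(f"{name:9} via {sorted(route)}")
    print("remote wipe possible:", "remote_wipe" in known)

    print("--- same attacker, Apple ID reset now needs a second factor ---")
    fallen, known = compromise_order(require_second_factor(ACCOUNTS, "apple_id"), PUBLIC_INFO)
    for name, route in fallen:
        print(f"{name:9} via {sorted(route)}")
    print("remote wipe possible:", "remote_wipe" in known)
```

Run as-is, the first pass takes all four accounts in order and ends with remote wipe available; the second pass, where the Apple ID reset additionally demands a second factor, stops at the shopping account, because every account downstream depended on the iCloud address. The same model makes the other fix visible: pointing Gmail’s recovery at an address that is not itself recoverable with the same two data items cuts the chain just as well.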
We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
Hopefully, this discussion will bring these security failings to light, and we’ll see the situation improve.
But for now? The security hole stands, and Wired has been able to replicate the hack on their own.