Phone password resets for Apple ID are frozen for 24 hours as Apple faces a hacking crisis.
Last weekend Wired reporter Mat Honan had his Apple ID hacked, and everything went to hell in a handbasket. His Google account was deleted, his Twitter account was used to broadcast racist and homophobic messages, and all data was erased on his iPhone, iPad, and MacBook. Honan admits that part of the problem was his habit of using the same security details for each account – something that more than a few people do – but says that the bigger issue was iCloud and Apple support, which gave the hackers access to everything they wanted so long as they provided Honan’s name, address, and email account.
Apple’s response has been to freeze all Apple ID password changes made through phone support while it works out what to do next. The problem is with their phone verification system, as the tech support staff apparently give out the keys to the kingdom provided the person asking supplies a billing address and the last four digits of a credit card. Neither of these pieces of information is that difficult to get; it’s thought that Honan’s hackers got their information from his Amazon account. Once the hackers have this information they can get access to iCloud, and once they have iCloud access they can do pretty much whatever they like.
Amazon, though it was unwilling to comment directly on Honan’s situation, has since plugged at least one of the security holes. Honan’s hackers first got access by phoning Amazon claiming to be him and asking for some account setting changes, all of which were to be emailed to an account of their choosing. That was how they got to his Amazon account and learned the information they needed to fool Apple. Amazon no longer allows account changes to happen over the phone. Apple has yet to decide exactly what to do; it may or may not take the same steps as Amazon.
According to Honan, this is what happened:
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail – which, of course, was my .Me e-mail.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.
At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.
At 4:52 p.m., a Gmail password recovery e-mail arrived in my .Me mailbox. Two minutes later, another e-mail arrived notifying me that my Google account password had changed.
At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.
Honan blames himself for not backing up his MacBook – thus losing a lot of data he’ll never get back – and for daisy-chaining his accounts. He ought to have had a recovery email address for his accounts, he acknowledges, one that wasn’t linked to anything else. “I have only myself to blame,” he says, for those mistakes. The rest was down to Apple, and its security verification procedure that could apparently be fooled with just a few bits of easily obtained information and which ignored security question verification procedures. “I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly.”
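The daisy-chaining Honan describes can be checked mechanically. The following is an added example, not code from Wired or Honan: it models each account’s recovery dependency (the mailbox or data source that lets someone reset it) as a small graph, computes the blast radius of compromising any one account, and shows how an isolated recovery mailbox shortens the chain. The account names and the assumed amazon → apple_id edge are constructed from the article’s narrative.

```python
from collections import deque

# Constructed model of the chain the article describes. Each key is an
# account; its list holds the accounts whose compromise lets an attacker
# reset it. The amazon -> apple_id edge is an assumption drawn from the
# article: the Amazon account exposed the billing details Apple accepted.
HONAN_CHAIN = {
    "amazon": [],            # entry point: changes made over the phone
    "apple_id": ["amazon"],  # reset with billing address + last 4 card digits
    "gmail": ["apple_id"],   # recovery address was the .Me mailbox
    "twitter": ["gmail"],    # recovery address was Gmail
}

def unlocks(graph):
    """Invert the dependency map: account -> accounts it can reset."""
    out = {acct: [] for acct in graph}
    for acct, deps in graph.items():
        for dep in deps:
            out[dep].append(acct)
    return out

def blast_radius(graph, start):
    """Every account that falls, transitively, once `start` is compromised."""
    forward = unlocks(graph)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in forward[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def single_points_of_failure(graph):
    """Accounts whose compromise cascades to every account in the map."""
    return sorted(a for a in graph if blast_radius(graph, a) == set(graph))

def rewire(graph, account, recovery):
    """Honan's own fix: point `account` at a dedicated recovery mailbox
    that depends on nothing else. Returns a new map, leaving the old one."""
    fixed = {k: list(v) for k, v in graph.items()}
    fixed.setdefault(recovery, [])
    fixed[account] = [recovery]
    return fixed

if __name__ == "__main__":
    safer = rewire(HONAN_CHAIN, "gmail", "recovery_mailbox")
    print("before:", single_points_of_failure(HONAN_CHAIN))  # ['amazon']
    print("after: ", single_points_of_failure(safer))        # []
```

Run against your own accounts, the interesting output is any entry whose blast radius covers the accounts you would need to recover the rest.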
UPDATE: Apple’s freeze on over-the-phone password changes continues, but there has been no clear indication as to how Apple intends to proceed.
The hackers have since revealed that their primary target was Honan’s Twitter account, which was three letters long and therefore highly prized. The other accounts were deleted in order to prevent Honan from recovering his Twitter account.