The hack was first thought to be a simple brute-force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years." In the process of reconfiguring accounts, however, it was confirmed that the issue wasn't the password but the "social engineering" of an Apple tech support employee.
Recounting the experience on his blog, Honan said he first realized something was amiss when his iPhone rebooted to the default setup screen. He couldn't log in to iCloud to restore the handset's previous settings from the device itself, so Honan connected the iPhone to his MacBook Air, which displayed an iCal error message before its screen went gray and asked for a four-digit PIN.
"I didn't have a four digit pin," Honan wrote. "By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn't turn on my computer, my iPad, or iPhone."
Things got progressively worse from there as Honan's Google account was deleted; the only way to restore it would be via text message to the iPhone he no longer had access to. The tech writer's Twitter feed, along with that of his previous employer Gizmodo, was also compromised. Perhaps most troubling was that his MacBook Air was being remotely wiped, along with his iPad and iPhone, using Apple's Find My Device feature. The wipe may be recoverable, however, as Honan stopped the process by powering the MacBook Air down before an overwrite began.
Find my iPhone on iOS 5.
Honan noted in a blog update that a person claiming to be the hacker made contact and told him "[I] didn't ur password or use bruteforce. i have my own guide on how to secure emails."
From Honan's blog:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I'm back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
In the last update to Honan's saga, AppleCare was able to confirm the hacker's claims of bypassing iCloud's password protection by going through an employee. A more detailed account of how this was done will be made public in a Wired report on Monday.
Honan reached out to Apple Corporate as well as the company's PR team, though no response has been given at the time of this writing.
121 Comments
Now that should not be possible. If it's true then I'll bet Apple are scrambling to roll out some new training.
A brave new world, this "cloud." Makes me long for the days when I owned my own data. Oh wait, I still do (pats Snow Leopard on the head).
Just wondering, if you set really easy questions for the "confirm it's you" bit, then Google searches may have the answers. (E.g. if you haven't got a private Facebook account, quite a lot of info will be publicly available, therefore making it very easy for a clever person to bluff their way through proving that they're "you"!)
Having said that, I have backups of important data that is stored in iCloud (Contacts, photos etc), since if iCloud dies, or goes offline, I don't want to lose it all.
I work in IT, and I keep having to tell users that you can never have too many backups!
iCloud as a service is extremely flawed. If nothing else the service should have a way to back up to an owner's Mac OS machine. Further, saving a copy of an iCloud file locally shouldn't be so damn difficult. iCloud is like 80% of the way there but Apple certainly missed important use cases and seems to have forgotten about user control.
I smell a rat.