Mat Honan, a tech journalist for Wired, has had his iPhone, iPad, and MacBook Air remotely wiped. On top of that, his Gmail account was hacked, which eventually led to Gizmodo’s Twitter account being taken over for a few minutes. How did this all happen? Apple Support gave a hacker access to Honan’s iCloud account.
Here is an excerpt of the timeline of events Honan posted on his personal blog:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere.[…]
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
Honan first guessed someone had used a brute force attack to guess his password. However, he then learned that the hacker gained access to his account through social engineering, not brute force. Someone called Apple Support, convinced them that the caller was Honan, and had Apple change the password on Honan’s iCloud account:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
Once the hacker had access to Honan’s iCloud, he was able not only to wipe Honan’s devices (using the remote wipe feature of Apple’s Find My iPhone service) but also to reset Honan’s Gmail account password (since his iCloud e-mail was the recovery e-mail set in Gmail), which then allowed the hacker to access Honan’s personal Twitter and Gizmodo’s Twitter.
Of course, once it was all revealed, Honan was able to reset all his passwords and restore access to his iCloud, Gmail, and Twitter. However, the damage was already done, with Honan’s data wiped. As MacRumors rightly points out, Honan is somewhat of a public figure, so guessing the answers to security questions and the like to gain access to his iCloud account probably isn’t as hard as it should be (although we would expect a tech journalist to use secure security questions to protect his very important iCloud account). However, the ball is in Apple’s court for this one; Apple needs to investigate how this happened, admit whatever mistakes were made, and clean up its act to prevent such things from happening in the future.