On Friday night, Wired reporter Mat Honan recounted how his iCloud account was hacked.
The hackers who gained access to Honan’s iCloud account remotely wiped his iPhone, iPad and MacBook Air. They also managed to get access to his Gmail account and to the Twitter account of his former employer, Gizmodo.
It wasn’t clear how the hackers had gained access to the iCloud account. Yesterday, Honan explained how his digital life was destroyed in one hour.
The hacker apparently called Apple Support posing as Honan and requested a temporary password. Apple Support issued the temporary password after the hacker provided them with Honan’s billing address and the last four digits of the credit card on file. The temporary password granted the hacker full access to his iCloud account.
According to Honan, the hacker probably obtained the billing address by looking up a domain registration or from public white pages databases.
But the scary part was how the hacker managed to get access to the last four digits of the credit card on file. The hacker used a loophole in Amazon’s phone-based security system. In the first call, Amazon apparently allowed the hacker to add a second credit card to the account by simply offering Honan’s billing address, name and email address. The hacker then added a second email address using the previously added credit card. This second email address was then used to gain access to the last four digits of the credit card.
Once the hacker gained access to the iCloud account, he used it to remotely wipe Honan’s iPhone, iPad and Mac. He also managed to use the iCloud account (which was the alternative email address) to gain access to Honan’s Gmail account, which in turn was used to get access to his and Gizmodo’s Twitter accounts.
This is a very scary story and should serve as a wake-up call to all of us. Honan admits that he could have prevented some damage by setting up two-factor authentication for his Gmail account, but the issue also highlights how hackers managed to use the gaps in Amazon’s and Apple’s security systems to gain access to Honan’s accounts. Let’s hope that the tech giants take a hard look at their security systems and take immediate steps to ensure that such cases are prevented.
You can read the entire story over at Wired, and if you haven’t already, take a few minutes to set up two-factor authentication for your Gmail account.