Amazon, Apple, and Google Security Lapses Lead to Takeover of Tech Journalist’s Online Persona

Digital breadcrumb trail and lax authentication let hacker waltz right into his Twitter account

Two days after Wired technology writer Mat Honan revealed in a 6 August Wired article that a hacker had eviscerated his online persona, Apple, which played a role in the drama, announced that it has temporarily cut off customers’ ability to reset their passwords by talking to a live customer service rep. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com),” said Natalie Kerris, an Apple spokeswoman, in a written statement. “This system can reset a password in one of two ways – either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up.” Apple assured customers that when it does return to password resets over the phone, customers will face more stringent identity verification before they’re allowed to make any account changes.

The move comes too late for Honan, whose online accounts were taken over after hackers used an accumulation of security lapses—his own and those of the companies entrusted with securing his data—to break in and pillage. The result, in a nutshell:

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

According to Honan, the hacker first broke into his account at Amazon.com, which gave the cybercriminal access to the last four digits of a credit card. Unfortunately for Honan, not only had he used the same credit card to sign up for his Apple iCloud account, but the hacker, who uses the screen name “Phobia,” was aware that Apple customer service considered that bit of information sufficient to positively identify customers (well, at least until earlier this week). Also serendipitous for “Phobia” was that Honan’s Apple account was set up as the fallback for password recovery for Honan’s Gmail account, giving the hacker access to that as well. The Gmail account was linked to Honan’s Twitter account in the same way. And with access to these accounts, the hacker was able to prevent Honan from retaking control of his Twitter account by remotely wiping the journalist’s cellphone, tablet, and laptop. Doing so had the maddening effect of erasing documents and e-mails including “more than a year’s worth of photos, covering the entire lifespan of my daughter, [and] documents and e-mails that I had stored in no other location.”

He accepts his share of the blame, admitting that, “In many ways, this was all my fault. My accounts were daisy-chained together.” Though Honan went on to lament this and his failure to back up his data, that doesn’t let Amazon, Apple, and Google off the hook for creating an avenue that “Phobia” so deftly navigated.
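The daisy chain described above can be audited as a dependency graph. The following is an added example, not code from the article or from any of the companies named: the account model, the proof names (`card_last4`, `apple_mailbox`, `gmail_mailbox`) and the `hardware_token` mitigation are constructed assumptions that mirror the chain as the article reports it.

```python
# Constructed model of the recovery chain the article describes. Each account
# lists what a takeover exposes and which single proofs are enough for a reset.
ACCOUNTS = {
    "amazon":   {"exposes": {"card_last4"}, "reset_with": set()},
    "apple_id": {"exposes": {"apple_mailbox", "remote_wipe"},
                 "reset_with": {"card_last4"}},
    "gmail":    {"exposes": {"gmail_mailbox"}, "reset_with": {"apple_mailbox"}},
    "twitter":  {"exposes": set(), "reset_with": {"gmail_mailbox"}},
}


def blast_radius(accounts, first_compromised):
    """Return every account that falls after one takeover, in order."""
    fallen = [first_compromised]
    known = set(accounts[first_compromised]["exposes"])
    progress = True
    while progress:  # repeat until a full pass adds no new account
        progress = False
        for name, acct in accounts.items():
            # An account falls when any one of its reset proofs is exposed.
            if name not in fallen and acct["reset_with"] & known:
                fallen.append(name)
                known |= acct["exposes"]
                progress = True
    return fallen


def harden(accounts, name, new_reset_proofs):
    """Return a copy of the model with one account's reset proofs replaced."""
    fixed = {k: {"exposes": set(v["exposes"]),
                 "reset_with": set(v["reset_with"])}
             for k, v in accounts.items()}
    fixed[name]["reset_with"] = set(new_reset_proofs)
    return fixed


if __name__ == "__main__":
    print("as reported:", blast_radius(ACCOUNTS, "amazon"))
    # Hypothetical fix: Gmail recovery no longer trusts the Apple mailbox.
    print("gmail hardened:",
          blast_radius(harden(ACCOUNTS, "gmail", {"hardware_token"}), "amazon"))
```

Replacing the sample dictionary with your own accounts and their recovery settings shows which single account, once lost, takes the rest with it.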

 
