Honan’s iCloud account gave the hacker access to the Find My Phone feature, thus allowing them to remotely wipe all the data on his iPhone, iPad, and worst of all, his Mac. Honan’s Gmail account was also deleted in the process, and he’s been locked out of other services, including his phone, which he linked with Google Voice through Sprint.
Initially, Honan thought the hacker broke into his account using brute force, despite a seven character alpha-numeric password that he felt was pretty secure. Apparently, this wasn’t the case.
“I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions,” Honan wrote via his Tumblr page. “Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.”
Two-factor authentication, which requires confirmation via both an email message and usually a text message, would have probably prevented the hacker from deleting Honan’s Gmail account and kept people off the Twitter accounts, he said. Unfortunately, Honan didn’t have the two-factor authentication turned on. So, if there’s a moral to this story, it’s that you should go enable two-factor authentication whenever possible. (Do it now!)
This still doesn’t fix the problem of fooling the Apple Care technician over the phone. The computer giant needs to step up its security for verifying user accounts if it plans on seriously taking on the likes of Google, Yahoo, and Microsoft with its iCloud service — not to mention the growing number of cloud-based storage services like Dropbox and Box.net.
Hacked password image via Raywoo/Shutterstock
VB's research team is studying web-personalization... Chime in here, and we’ll share the results.