At around 5PM on Friday, Wired reporter Mat Honan was with his daughter when his iPhone suddenly rebooted to the setup screen. At this point Honan had no idea that something was wrong, figuring it was a software glitch. He attempted to log in to his iCloud account to restore from a backup, but he couldn’t get in. Now extremely annoyed but still unaware, Honan went inside to restore from a backup on his MacBook. As he powered on his laptop, an iCal message alerted him that his Gmail account information was wrong, and then the laptop went to a screen asking him to enter a 4-digit PIN. Now he was seriously worried. He grabbed his iPad and found that it too was at the setup screen. By now confused and unsure of what exactly was happening, he unplugged his router, modem and his Media Center Mac Mini. He used his wife’s iPhone to call Apple Tech Support. This was just the beginning of a truly hellacious weekend.
Honan talked to Apple Support for an hour and a half, but he couldn’t answer the security questions they had on file for him. About an hour into the call the rep said “Ok, so Mr. Herman…” and that was when Honan realized that Apple had been looking at the wrong account. As a bystander that is actually kind of funny but it most certainly just p****d Honan off even more.
As it turns out, the only forms of identification Apple requires to reset your iCloud account are your billing address and the last four digits of your credit card. The address for most people is fairly easily obtainable on the Internet using something similar to whitepages.com or, as in this case, looking up the WHOIS information for a personal domain. Finding out the last four digits of someone’s credit card is significantly more difficult, but unfortunately it is possible.
After Mat created a temporary Twitter account he was contacted by someone claiming to be the hacker, and it turned out he was actually the guy who temporarily ruined Honan’s digital life. The hacker, who called himself “Phobia”, agreed to explain how he did it to Mat on the condition that the journalist not file charges. Honan agreed. The hacker said that in order to get into the Apple account he needed those two key pieces of information: the billing address and the last four digits of the credit card associated with the account. As I mentioned above, he looked up the WHOIS information for Mat’s domain to find the billing address. But getting the partial card number was harder.
“Phobia” said a partner did this part of the elaborate hack. His partner called Amazon claiming to be the account holder wanting to add a new card to the account. All he needed was the name on the account, the email and the billing address. The hacker had all three of these. He added a new card, which I assume was bogus. He then hung up and called back saying he had lost access to the account. He was asked for a name, a billing address and a credit card number. Again, he provided the name and billing address then used the credit card number he had just given them. Then voila, he had access to Honan’s Amazon account.
This did not allow the hacker to see the full card numbers but you can easily view the last four digits of your card(s) in the billing information of your Amazon account. Or your hacked victim’s Amazon account.
The hacker then called Apple and reset Honan’s Apple account, then wiped his iPad, iPhone and MacBook so that Mat couldn’t get back into his accounts easily. Honan normally uses Gmail, but the backup email Google had on file was Honan’s @me.com email. Google had partially obscured it (firstname.lastname@example.org), so you can’t get very upset at Google. But since his Gmail address was email@example.com, the hackers figured it out pretty easily. They sent the “reset password” email to Honan’s Apple account, which they had already gained access to. So they got into his Gmail account and locked Honan out of it. From his Gmail account they gained access to his Twitter account, and twitter.com/mat went crazy with racist and horrible tweets. But the hackers were delighted when they found that Honan’s Twitter account was still linked to the Twitter account of his former employer, Gizmodo. The hackers briefly wreaked havoc on the tech blog’s Twitter feed. But Gizmodo regained control of the account within minutes and deleted the offensive tweets.
Mat asked “Phobia” about why he was hacked, to which the hacker replied that it wasn’t personal, he didn’t hate Honan, he just wanted Mat’s Twitter handle. “I honestly didn’t have any heat towards you before this. i just liked your username like I said before,” he told Mat. Yes, you read that right. The hacker totally ruined Honan’s weekend, destroyed some of his reputation, and Mat likely has an extremely sore throat from yelling at tech support and the hacker just wanted a freaking Twitter handle?! What the heck?! I mean, @mat is a pretty good handle but… Oh, man. I don’t even know what to say. Just WOW.
But the hacker(s) could most certainly have done a lot more damage. With access to Honan’s Google account they could have gotten banking details and also found contact info for some pretty influential people that Honan has met from his years as a journalist. But no, they just wanted to tweet. Just to use Twitter. Twitter. They totally destroyed the man’s weekend so they could write racist comments of 140 characters each. And now I can’t think of anything to write here that’s not seriously explicit. I’m mad at them and I can’t even imagine how Mat must feel.
Honan says that the worst part is that he likely has lost a year’s worth of data from his laptop that wasn’t backed up. Most notably pictures of his daughter that he will likely never see again. Apple currently has his laptop and is attempting to recover data from it.
And while Honan says that he is kicking himself for not backing up his data more often (I’d be kicking him too if he hadn’t just gotten hacked so badly) he also says that Apple and Amazon need to drastically refresh their security measures. And he’s right. This process is actually not that hard, which means that just about anyone who can use the Internet can do it. And that’s bad. Very bad. Like, very, extremely, incredibly bad.
Wired said they completed a similar hack twice in just minutes. So, hey! Apple, Amazon, get your act together!
Update: Amazon has changed their policy so you may no longer change account details over the phone. Via Wired
Update 2: Apple has suspended password resets via phone, at least for right now. Via TechnoBuffalo
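The reason one phone call cascaded into every account is that each provider's recovery check accepted something another provider would hand out. As an added example (not from Wired or the original post), the sketch below models the recovery rules as this post describes them and computes what falls from public information alone, with and without the two policy changes in the updates. The fact labels and rule names are constructed for illustration.

```python
# Constructed model: each rule is (name, facts the caller must present, facts gained).
# Rules follow the procedures described in the post; labels are illustrative.
PUBLIC = {"name", "email", "billing_address"}  # billing address came from WHOIS

RULES_2012 = [
    ("amazon: add card by phone", {"name", "email", "billing_address"}, {"card_on_file"}),
    ("amazon: recover by phone", {"name", "billing_address", "card_on_file"}, {"amazon_account"}),
    ("amazon: view billing info", {"amazon_account"}, {"last4"}),
    ("apple: reset by phone", {"billing_address", "last4"}, {"icloud_account"}),
    ("apple: remote wipe", {"icloud_account"}, {"device_wipe"}),
    ("apple: read @me.com mail", {"icloud_account"}, {"me_mailbox"}),
    ("google: reset to backup email", {"me_mailbox"}, {"gmail_account"}),
    ("twitter: access via gmail", {"gmail_account"}, {"twitter_account"}),
]


def reachable(start, rules):
    """Fixpoint: apply every rule whose requirements are already known."""
    known, steps = set(start), []
    changed = True
    while changed:
        changed = False
        for name, needs, gives in rules:
            if needs <= known and not gives <= known:
                known |= gives
                steps.append(name)
                changed = True
    return known, steps


def drop(rules, *names):
    """Return the rule set with the named procedures disabled (a policy change)."""
    return [r for r in rules if r[0] not in names]


if __name__ == "__main__":
    scenarios = {
        "policies as described": RULES_2012,
        "Update 1 (Amazon)": drop(RULES_2012, "amazon: add card by phone"),
        "Update 2 (Apple)": drop(RULES_2012, "apple: reset by phone"),
    }
    for label, rules in scenarios.items():
        known, steps = reachable(PUBLIC, rules)
        print(f"{label}: exposed = {sorted(known - PUBLIC)}")
        for s in steps:
            print("   ", s)
```

Running the same model over your own accounts (which recovery path accepts which fact, and who displays that fact) shows where a single weak verifier sits upstream of everything else.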