A tech journalist for WiReD Magazine, Mat Honan, paid a steep price for the major security flaw over at Apple. A hacker, known only as Phobia, gained entry to Honan’s iCloud account and launched a massive attack on his digital identity. In mere minutes, the hacker gained access to his Gmail account and shut it down. Then proceeded to remotely wipe his iPhone, iPad, and MacBook Air.
In case that wasn’t bad enough, Phobia took over the Gizmodo Twitter account and his personal one too. Poor Honan could only watch as racist tweets were sent out to over 400,000 followers. To make matters worse, because he didn’t back his data up, over a year’s worth of photos, contacts, emails, and documents vanished. The impact of one compromised password is staggering.
So how did the hacker gain access to his iCloud account? It all started with social engineering and some crafty stolen information obtained by calling Amazon customer support. Then all it took was one more call to Apple Tech Support to convince them that he was actually Honan and they handed over the keys to iCloud and Honan’s entire digital life.
The biggest problem is without a doubt the login process. Without a two-step verification process, iCloud users can access all of their data with just one login. And so can hackers. Since iCloud connects to other social services like Twitter accounts and Google accounts, your entire life becomes an open book once the hacker cracks just one powerful password. It’s the perfect crime.
Thankfully, his Gmail account has been reinstated and his iDevices are being recovered according to his latest update. He’s even reached out to Apple about the security flaw and they’ve admitted to fault in not following their internal processes completely. They’re also reviewing their policies for resetting accounts to ensure customer privacy is protected. But they didn’t say if they’re planning on making any changes in the future.
So what can you do to stay safe? In the mean time, ensure you have strong and unique passwords for every account. Always back up your data on a device that’s not connected to the Internet (not just iCloud). Try not to link your accounts and enable two-factor authentication wherever possible. And lastly consider creating a private email address just for account recovery. It’s a lot harder for the hacker to break in when your email address is unknown.