How a Hacker Gained Access to a Reporter's iCloud Account

Wired reporter Mat Honan details the exact process by which hackers gained control of his iCloud account. The hijacked iCloud account resulted in a remote wipe of his iPhone, iPad and MacBook Air, as well as further intrusions into his Gmail and Twitter accounts.

As previously reported, the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account. Honan details exactly how this was performed.

Apparently, Apple Support requires only an iCloud user's billing address and the last four digits of the credit card on file in order to issue a temporary password. That temporary password grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued this statement, which claims that internal policies were not followed completely in Honan's case but does not specify exactly how:
“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
Wired was able to confirm the reported policy themselves by successfully gaining access to another account using only those two pieces of information: a billing address and last-four digits of the credit card number.

As noted by Honan, a target's billing address is generally easy to determine by looking up a domain registration or by public white pages databases. As for discovering the last four digits of Honan's credit card, Honan's hacker used a loophole in Amazon's security systems, which don't protect the last four digits of their users' credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information, including the last four digits of the original credit card.

Honan's intrusion seemed to be a result of a targeted effort to infiltrate his Twitter account, and a number of items had to line up just right for the hackers to gain access. The situation does reveal that the differing security processes between different providers could open up unwanted opportunities. It also seems to show that at present, a specific user's iCloud account access can be gained with those two pieces of only semi-private information.
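
The cross-provider dependency described above can be checked mechanically as a recovery-factor audit. The following is an added example, not code from the article or from any of the providers: rule and fact names are illustrative, the starting knowledge of name and email is an assumption, and the extra factor passed to `harden` is hypothetical.

```python
# Added example: recovery rules transcribed from the article; names are illustrative.
# Facts treated as obtainable without any account access. The article calls the
# billing address easy to look up; knowing name and email is an assumption here.
PUBLIC = {"name", "email", "billing_address"}

# (rule name, facts the support process asks for, facts it hands back)
RULES = [
    ("amazon_add_card", {"name", "email", "billing_address"}, {"added_card"}),
    ("amazon_add_email", {"added_card"}, {"amazon_account_view", "card_last4"}),
    ("apple_temp_password", {"billing_address", "card_last4"}, {"icloud_access"}),
]

def derive(known, rules):
    """Fixed-point closure: fire every rule whose required facts are all known."""
    known, fired = set(known), []
    progress = True
    while progress:
        progress = False
        for name, needs, grants in rules:
            if name not in fired and needs <= known:
                known |= grants
                fired.append(name)
                progress = True
    return known, fired

def exposed(target, known, rules):
    """Return the rules that fired if `target` becomes reachable, else None."""
    facts, fired = derive(known, rules)
    return fired if target in facts else None

def harden(rules, rule_name, extra_factor):
    """Copy of `rules` where one rule also demands a factor no rule hands out."""
    return [(n, (needs | {extra_factor}) if n == rule_name else needs, grants)
            for n, needs, grants in rules]

if __name__ == "__main__":
    print("as reported:", exposed("icloud_access", PUBLIC, RULES))
    fixed = harden(RULES, "apple_temp_password", "out_of_band_code")  # hypothetical
    print("with extra factor:", exposed("icloud_access", PUBLIC, fixed))
```

Any recovery rule whose inputs are all public or handed back by another provider's rule shows up as reachable; adding a factor that no other process discloses breaks the chain.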

Honan's full story about the sequence of events is an interesting read.

Top Rated Comments

26 months ago

Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.


You must be constantly angered by MacRumors then.
Rating: 35 Votes
26 months ago
This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.
Rating: 15 Votes
26 months ago
Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and this incident shines a light on the problems. What’s scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:
Rating: 12 Votes
26 months ago
Solution: Apple needs better security. More than last 4 digits of CC and billing address should be required.
Rating: 10 Votes
26 months ago

Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.


Really?
Rating: 9 Votes
26 months ago
A blogger is not a reporter!
Rating: 8 Votes
26 months ago
When remote wipe was introduced I said it would be abused and got showered with downvotes.
Rating: 8 Votes
26 months ago
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.
Rating: 8 Votes
26 months ago

Billing address and last four of the credit card on file are fine for most folks.

Fact is that this isn't really Apple's fault so much as it is the registrar's fault for making those addresses public and Amazon for not protecting the credit card info. Without those two things the hacker wouldn't have gotten anywhere with Apple regardless of whether they did or didn't ask the previous purchases question that is in the script or whatever wasn't followed.


This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.
Rating: 7 Votes
26 months ago

Google isn't even mentioned in this article?


Yes, they are. Click the first link (full details on what happened):

“...Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery."


I don’t see why Google has to EVER share your (insufficiently redacted) alternate email address with any random stranger. Bad call on Google's part, and it’s how the hacker hit the jackpot: getting the AppleID email address.

This is ABSOLUTELY Apple's fault. I'm a pretty strong fanboy, but this is unacceptable.


It’s a lot of people’s fault, including Apple, Google, Amazon, the hackers, and the user himself.

But #1, first and foremost: Apple’s fault.

Amazon isn’t the only company to show the last digits of your CC# in the clear, and Apple should never have relied on that piece of data so heavily. That was true and obvious even before this incident.
Rating: 7 Votes
