How a Hacker Gained Access to a Reporter's iCloud Account

matHonan v4editWired reporter Mat Honan details the exact process by which hackers had gained control of his iCloud account. The hijacked iCloud account resulted in a remote-wipe of his iPhone, iPad and MacBook Air, as well as further intrusions into his Gmail and Twitter accounts.

As previously reported, the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account. Honan details exactly how this was performed.

Apparently, Apple Support only requires an iCloud user's billing address and last-four digits of the credit card on file in order to issue a temporary password. That temporary password grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued this statement which claims that internal policies were not followed completely in Honan's case, but failed to specify exactly how:

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

Wired was able to confirm the reported policy themselves by successfully gaining access to another account using only those two pieces of information: a billing address and last-four digits of the credit card number.

As noted by Honan, a target's billing address is generally easy to determine by looking up a domain registration or by public white pages databases. As for discovering the last-four digits of Honan's credit card, Honan's hacker used a loophole in Amazon's security systems which don't protect the last-four digits of their user's credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information including the last four digits of the original credit card.

Honan's intrusion seemed to be a result of a targeted effort to infiltrate his Twitter account, and a number of items had to line up just right for the hackers to gain access. The situation does reveal that the differing security processes between different providers could open up unwanted opportunities. It also seems to show that at present, a specific user's iCloud account access can be gained with those two pieces of only semi-private information.

Honan's full story about the sequence of events is an interesting read.

Top Rated Comments

faroZ06 Avatar
124 months ago
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

You must be constantly angered by MacRumors then.
Score: 35 Votes (Like | Disagree)
brentsg Avatar
124 months ago
This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.
Score: 15 Votes (Like | Disagree)
nagromme Avatar
124 months ago
Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and incident this shines a light on the problems. What’s scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:
Score: 12 Votes (Like | Disagree)
heov Avatar
124 months ago
Solution: apple needs better security. more than last 4 digits of CC and billing address should be required.
Score: 10 Votes (Like | Disagree)
Repo Avatar
124 months ago
Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

Really?
Score: 9 Votes (Like | Disagree)
Mengele Avatar
124 months ago
A blogger is not a reporter!
Score: 8 Votes (Like | Disagree)

Popular Stories

intel vs m1 max chip purple

Benchmarks Confirm Intel's Latest Core i9 Chip Outperforms Apple's M1 Max With Several Caveats

Wednesday January 26, 2022 8:56 am PST by
Benchmark results have started to surface for MSI's new GE76 Raider, one of the first laptops to be powered by Intel's new 12th-generation Core i9 processor. Intel previously said that its new high-end Core i9 processor is faster than Apple's M1 Max chip in the 16-inch MacBook Pro and, as noted by Macworld, early Geekbench 5 results do appear to confirm this claim, but there are several...
General Dropbox Feature

macOS 12.3 Will Include Cloud Storage Changes Affecting Dropbox and OneDrive

Tuesday January 25, 2022 3:31 pm PST by
Dropbox today announced that users who update to macOS 12.3 once that software version becomes available may temporarily encounter issues with opening online-only files in some third-party apps on their Mac. In a support document and an email to customers, Dropbox said it is actively working on full support for online-only files on macOS 12.3 and will begin rolling out an updated version of...
Apple Watch Red Yellow Green Feature 1

Apple Launches Black Unity Braided Solo Loop With 'Unity Lights' Watch Face

Wednesday January 26, 2022 6:05 am PST by
Apple today announced the Black Unity Braided Solo Loop for the Apple Watch, as well as a new downloadable watch face, to celebrate Black History Month. Following the launch of the limited edition Black Unity Apple Watch Series 6 and Sport Band in 2021, Apple today launched the Black Unity Braided Solo Loop as part of its celebrations for Black History Month this year.Apple is launching a...
ios 15

Apple Releases iOS 15.3 and iPadOS 15.3 With Fix for Safari Bug That Leaks Browsing Activity

Wednesday January 26, 2022 10:00 am PST by
Apple today released iOS 15.3 and iPadOS 15.3, the third major updates to the iOS and iPadOS 15 operating systems that were released in September 2021. iOS and iPadOS 15.3 come almost two weeks after the release of iOS and iPadOS 15.2.1, minor bug fix updates. The iOS 15.3 and iPadOS 15.3 updates can be downloaded for free and the software is available on all eligible devices over-the-air in ...
iOS 15

Everything New in iOS 15.4 and iPadOS 15.4: Face ID With a Mask, Emojis, Apple Card Widget, Universal Control and More

Thursday January 27, 2022 12:08 pm PST by
Apple today seeded the first betas of iOS 15.4, iPadOS 15.4 to developers for testing purposes, adding a slew of new features to the latest iOS operating systems. iOS 15.4 is the biggest update that we've had to iOS 15 to date, and it brings Universal Control, Face ID with a mask, new emojis, and tons more. Face ID With a Mask With iOS 15.4, there is now an option to unlock your iPhone...
mobeewave

Upcoming iOS Update Will Allow iPhones to Accept Credit Cards Directly Using NFC

Wednesday January 26, 2022 6:00 pm PST by
Apple is working on a new payments service that will allow iPhones to accept payments directly on device with no additional hardware, reports Bloomberg. Right now, iPhones can accept credit cards with add-ons like the Square Reader, but Apple's new technology will eliminate the need for a third-party product. Individuals and small businesses will be able to accept payments with the tap of a...
macOS Monterey on MBP Feature

Apple Releases macOS Monterey 12.2 With Safari Vulnerability Fix

Wednesday January 26, 2022 10:19 am PST by
Apple today released macOS Monterey 12.2, the second major update to the macOS Monterey update that launched in October. macOS Monterey 12.2 comes over a month after the release of the 12.1 update, which brought SharePlay support. The ‌‌‌macOS Monterey 12.2‌‌ update can be downloaded on all eligible Macs using the Software Update section of System Preferences. Apple has also...