Mat Honan saw his Google account deleted and Apple devices wiped
Apple and Amazon have said they will overhaul their security procedures after the embarrassing double blunder that saw a technology journalist’s digital existence wiped out.
Mat Honan, who wrote for Gizmodo, was hacked and as a result saw his iPad, iPhone and MacBook remotely wiped, his Twitter account compromised and his Google account, including Gmail, deleted. Fortunately, he has since been able to recover most of the devices and accounts.
According to Honan, who detailed the experience on his blog and in Wired, the hackers gained access to his accounts by exploiting weaknesses in Amazon’s customer-support procedures to obtain his billing address and a partial credit card number.
That information was then used to get into his iCloud account: the hackers called Apple’s tech support and requested a password reset, which Apple carried out over the phone.
As Honan put it: "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information."
"In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification," he added.
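The point in Honan's quote, that data one service displays in the clear cannot serve as another service's proof of identity, can be enforced mechanically in a reset workflow rather than left to an agent's judgement. The following is an added example, not code from Apple, Amazon, Honan or this article: a reset-policy evaluator that classifies each verification item by where else it can be observed, counts only possession or owner-held secrets as proof, and requires a possession check for any reset that arrives by phone. The evidence catalogue, the channel rule and the sample account record are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class EvidenceClass(Enum):
    PUBLIC = "public"                # name, e-mail, mailing address: findable or displayed elsewhere
    CROSS_SERVICE = "cross_service"  # partial card number: another service shows it in the clear
    POSSESSION = "possession"        # one-time code sent to a channel enrolled before the request
    SECRET = "secret"                # recovery key held only by the account owner


# Hypothetical catalogue of verification items; not Apple's or Amazon's real checks.
EVIDENCE_CATALOGUE = {
    "name": EvidenceClass.PUBLIC,
    "email": EvidenceClass.PUBLIC,
    "billing_address": EvidenceClass.PUBLIC,
    "card_last4": EvidenceClass.CROSS_SERVICE,
    "device_otp": EvidenceClass.POSSESSION,
    "recovery_key": EvidenceClass.SECRET,
}
STRONG = {EvidenceClass.POSSESSION, EvidenceClass.SECRET}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: list


def evaluate_reset(channel: str, presented: dict, on_file: dict) -> Decision:
    """Decide whether a password reset may proceed.

    channel:   "phone" or "web" (where the request arrived)
    presented: evidence name -> value the requester supplied
    on_file:   evidence name -> value stored for the account
    """
    audit = []
    matched = {}
    for name, value in presented.items():
        cls = EVIDENCE_CATALOGUE.get(name)
        if cls is None:
            audit.append(f"{name}: unknown item, ignored")
            continue
        # Constant-time comparison so a support tool cannot leak partial matches.
        ok = hmac.compare_digest(str(value).encode(), str(on_file.get(name, "")).encode())
        audit.append(f"{name}: {'match' if ok else 'mismatch'} [{cls.value}]")
        if ok:
            matched[name] = cls
        elif cls in STRONG:
            # A wrong possession or secret factor is a hard failure, never "try another one".
            return Decision(False, f"{name} did not verify", audit)

    strong = sorted(n for n, c in matched.items() if c in STRONG)
    if not strong:
        # Public and cross-service data locate the account; they never prove who is asking.
        return Decision(False, "only public or cross-service data presented; identity not proven", audit)
    if channel == "phone" and EvidenceClass.POSSESSION not in matched.values():
        # Assumed rule: anything read out to an agent is just knowledge, so the phone path
        # must end with a code delivered to a device or address enrolled before the call.
        return Decision(False, "phone resets require a possession check", audit)
    return Decision(True, "verified by " + ", ".join(strong), audit)


# Constructed sample account record (not real data).
SAMPLE_ON_FILE = {
    "name": "Jane Example",
    "email": "jane@example.invalid",
    "billing_address": "1 Example Street",
    "card_last4": "1234",
    "device_otp": "882910",          # code just sent to the enrolled phone
    "recovery_key": "RK-EXAMPLE-KEY",
}


def demo():
    """Contrast a knowledge-only phone request with one backed by a possession factor."""
    weak = evaluate_reset(
        "phone",
        {"name": "Jane Example", "billing_address": "1 Example Street", "card_last4": "1234"},
        SAMPLE_ON_FILE,
    )
    strong = evaluate_reset("phone", {"name": "Jane Example", "device_otp": "882910"}, SAMPLE_ON_FILE)
    return weak.allowed, strong.allowed


if __name__ == "__main__":
    for decision in (evaluate_reset("phone", {"card_last4": "1234", "billing_address": "1 Example Street"}, SAMPLE_ON_FILE),
                     evaluate_reset("phone", {"device_otp": "882910"}, SAMPLE_ON_FILE)):
        print(decision.allowed, decision.reason, decision.audit)
```

The audit list is meant to be written to the support system's log on every attempt, allowed or not, so a run of denied requests against one account is visible to the security team rather than only to the agent who took the call.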
In response, Apple has suspended the policy of allowing users to reset their Apple ID password over the phone. The company had already admitted it should not have allowed the hacker to reset the Apple ID over the phone.
"Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," the company told Wired. "In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected."
Now people familiar with the situation have confirmed to Wired that Apple ID password resets over the phone have been stopped. It is not yet clear whether this is a permanent change or a temporary suspension to give Apple time to review and change its security policies.
Similarly, Amazon has moved to shore up its defences. The weakness the hackers used, which involved calling Amazon’s customer support and resetting the account password with nothing more than the victim’s name, email and mailing address, has now been fixed, the company said.