This may have been the most bizarre security story I’ve heard all year. It is also one of the most chilling.
You may have heard by now: A former Gizmodo reporter named Mat Honan discovered that everything on his Apple devices disappeared and passwords for his Gmail and .Mac account were changed. All of this was done through his iCloud account.
How it all happened is what makes the story both bizarre and chilling. This was no normal hack into iCloud. Instead, allegedly, a hacker called Apple tech support and bluffed his way into Honan’s account. Honan said on his blog:
Someone claiming to be my hacker has been in touch. I can’t be at all certain of his authenticity, but he says he “didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
I’m really curious now to see how this plays out. Why would the hacker get in touch with Honan — and why would he do this at all? Why would tech support let the security questions slide? What kind of social engineering did this hacker employ to fool tech support?
Hopefully, some of those questions will be answered in the coming days. For now, this is yet another major blow for Apple security. It’s also another blow to cloud security and perhaps even to BYOD. The mobile work force depends on the cloud for so much, but as Honan’s experience shows, one brash hacker can wipe out everything on multiple devices.
Here are my takeaways from Honan’s experience.
1. Have an email backup that is totally separate from your primary accounts.
2. Back up and maybe back up again. I’ve been told several times over that by backing up data to the cloud, you are safe. Honan’s experience proves that might not be so.
3. Revisit BYOD policies, including where data is stored and how it is accessed. Would your company information be at risk if one of your employees experienced a hack like Honan’s?
4. Look at the access your employees have to other company accounts, especially social media. Honan’s Twitter account was connected to Gizmodo’s, and the hacker had access to both accounts.
Honan was attacked in his comments section for being an Apple fanboy and getting what he deserved. I’m no fan of Apple products, but no one deserves what Honan went through. In fact, we should all be concerned about what happened with Honan. Who is to say it can’t happen to any of us?