updated 11:06 am EDT, Tue August 7, 2012
'Internal policies were not followed'
Apple has issued an official response to reports about Wired writer Mat Honan having his iCloud account broken into via AppleCare. "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," the company tells Wired. "In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."
Wired adds, though, that on Monday it successfully tried the same scheme on a different iCloud account. "This means, ultimately, all you need in addition to someone's e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file," the magazine explains. The person who cracked Honan's account did so by simply calling AppleCare and convincing a staffer to bypass security questions and ultimately reset Honan's iCloud login.
Honan notes that the hacker destroyed a tremendous amount of his digital existence, although he takes some of the blame. "First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc." He also notes that because he hadn't been regularly backing up his MacBook, he lost a year of photos -- including all the photos of his daughter -- as well as documents and emails that weren't saved anywhere else.
Honan points out that Amazon is also partly at fault, since its site let the hacker see a partial credit card number of Honan's, which was then used to trick Apple. Other people have come forward as well, claiming to have been victimized in a similar way.