A Cautionary Tale about iCloud

Mat Honan, a technology writer based in San Francisco, got hacked over the weekend. He describes his experience in a blog post (it is quite a story):

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years…

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed. 

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well. 

Honan confirmed with both the hacker and Apple that the break-in started when the hacker contacted Apple tech support and, via “some clever social engineering,” got them to bypass the security questions. I want to know more details about this clever social engineering, because I have an iCloud account of my own and it shouldn’t be this simple to have the password reset. I wonder if Apple will make a formal acknowledgement of the issue and provide some guidance on how iCloud will be made more secure.
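The chain in the quoted post (iCloud as Gmail’s backup address, Gmail controlling Twitter, Twitter linked to Gizmodo’s, and iCloud able to wipe every device) is really a dependency graph, and the same review can be run on your own accounts. The script below is an added illustration, not code from Honan’s post or from Apple or Google; the account names and edges come from the post, and the function names are my own.

```python
"""Model account-recovery dependencies as a directed graph and compute the
'blast radius' of a single compromised account.  Illustrative example; the
edges below are reconstructed from the quoted post, not from any real config."""
from collections import deque

# Edge A -> B means: whoever controls A can reset, log into, or remotely
# wipe B (A is B's recovery address, linked login, or management console).
RECOVERY_GRAPH = {
    "apple_support_reset": ["icloud"],                    # phone-based password reset
    "icloud": ["gmail", "iphone", "ipad", "macbook_air"],  # backup address + Find My
    "gmail": ["twitter"],                                  # Gmail reset controls Twitter
    "twitter": ["gizmodo_twitter"],                        # linked accounts
}


def blast_radius(graph, start):
    """Return every account reachable from `start` (excluding `start`),
    in breadth-first order: each one falls once `start` is controlled."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def without_edge(graph, src, dst):
    """Copy of `graph` with src->dst removed, e.g. pointing Gmail's backup
    address at a separate mailbox instead of the iCloud one."""
    return {n: [m for m in nbrs if not (n == src and m == dst)]
            for n, nbrs in graph.items()}


def single_points_of_failure(graph):
    """Accounts ranked by how much a compromise of each one reaches.
    The top entries are where a second factor or an unlinked recovery
    address buys the most."""
    return sorted(graph, key=lambda n: len(blast_radius(graph, n)), reverse=True)


if __name__ == "__main__":
    print("from iCloud:", blast_radius(RECOVERY_GRAPH, "icloud"))
    hardened = without_edge(RECOVERY_GRAPH, "icloud", "gmail")
    print("after decoupling Gmail recovery:", blast_radius(hardened, "icloud"))
    print("weakest links:", single_points_of_failure(RECOVERY_GRAPH)[:2])
```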

