Blog Linkblog News

Mat Honan’s weekend horror story

Mat Honan “Yes, I was hacked. Hard.“:

So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo’s Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too. 


I still can’t get into Gmail. My phone and iPads are down (but are restoring). Apple tells me that the remote wipe is likely irrecoverable without serious forensics. Because I’m a jerk who doesn’t back up data, I’ve lost at more than a year’s worth of photos, emails, documents, and more. And, really, who knows what else.

First lesson: Create backups. Especially if you’re using a Mac, setting up an external harddrive to use Time Machine is a really simple thing to do. Stop reading here, and create a backup now.

Done? Good, because the story gets worse. Since Mat restored his access to iCloud, Twitter, etc. he got in touch with the hacker and Apple. Guess how they got his password? Brute force, you ask? Nope. The hacker social engineered their way into Mat’s account by calling Apple’s hotline:

Your password can be as safe, as cryptic and as long as you want it to be, if Apple or whoever can simply reset it once you call them, it doesn’t really matter all that much anymore. That obviously doesn’t mean you should use “password” as your password on every site you visit.

For those using Google accounts for anything: Go ahead and enable 2-step verification. For your own safety. I wish Apple would implement something like this.

Oh and once again: Please, create a backup. Now!

Here are two great books about social engineering I’ve read many years ago and are worth getting back to every once in a while to remind yourself of common mistakes.

Update: Mat Honan published the whole story on Wired.