Saturdays with Stephen: Horrific iCloud Password Hack

Saturdays with Stephen is an interesting and equally opinionated weekly series that provides a closer analysis of news related to both Apple and the wider technology industry. So turn off the weekend cartoon marathon and join Stephen each Saturday for detailed insight on a trending topic. Be sure to leave your own opinion in the comments and get involved in the open, healthy discussion.

One former Gizmodo employee had a pretty bad day yesterday, being hacked nearly out of internet existence with almost nothing he could do about it. It all started when hijackers seemingly part of a hacking group named “Clan Vv3” got access to his iCloud account, reset his password, and sent the confirmation message to the trash.

Mat Honan, the poor soul who had his identity violated, doesn’t know how the hackers got into his account in the first place, saying “My password was a 7 digit alphanumeric that I didn’t use elsewhere.” Losing access to your iCloud account, your email, contacts, calendars, and iWork documents is scary enough, but that was just the beginning of what became a nightmarish afternoon.

Mat’s backup email for his Gmail account was that same .mac email address. The hackers sent a Gmail password recovery email to the .mac account, which in turn lead to an email notifying him that his Google account password changed.

Less than 10 minutes after losing access to his Google account, the hackers took true advantage of what they were able to do with his iCloud account. First, they remote wiped his iPhone and his iPad. After first noticing that his iPhone was being reset, Mat wasn’t all too concerned yet and “assumed it was a software glitch.” Upon having to set up the device anew, he entered his iCloud credentials, but they were of course denied.

Mat went to his MacBook to restore his iPhone to the most recent backup, and an iCal alert popped up saying that his Gmail credentials were incorrect. His MacBook’s screen then went gray and asked for a 4-digit pin. He didn’t have one. The hackers had also wiped his MacBook Air.

At this point, Mat knew something was horribly wrong.  His first reaction was to call Apple support, but they proved not to be able to offer any immediate help.

Apple tech support couldn’t verify any of my information—my address, my credit card number, anything — as supporting information. They had me log into the website, where I was able to again change my password. After nearly an hour and a half on the phone, I realized they were spelling my last name incorrectly. They were looking at someone else’s account. Once we cleared that hurdle, well, actually not very much changed. They weren’t able to stop the wipe on my Macbook. Or give me a pin to log into it. Or give me immediate access to my phone. They couldn’t do much of anything, actually.

Not long after deleting all the data on his iPhone, iPad, and MacBook, they used their access to his Gmail to take over his Twitter. Not only were they were able to post obscene tweets to his account, they got access to Mat’s former employer Gizmodo’s twitter account as well. They posted many since-deleted racist and offensive messages to the official Gizmodo twitter feed, which has nearly 500,000 followers.

Luckily, Mat soon got a call from Gizmodo editor Joe Brown making sure that he was aware of the situation.  He and Gawker’s Scott Kidder were able to reach some contacts at Google and Twitter to try and stop the madness. Mat has been able to get his Twitter account back, but his Google account is still “deleted.”

The intentions behind the hack are not clear, but the story of losing control of your entire internet identity, not to mention the precious pictures and personal data on his laptop, is nothing less than a nightmare. Hopefully, most of us can let this be a reminder that backups are actually a valuable resource. In this situation, online backup services would have done him little good because they would have been tied to his email address, leaving them vulnerable the same way his Twitter account was. Long story short: make physical backups of your data. It may seem trivial to go out your way to create a backup to prevent something that may or may not happen to you in the future, but as the cliche saying goes, it is truly better to be safe than sorry.

Post a response / What do you think?