Apple Account Break-In Highlights Security Weakness

8:14 p.m. Aug. 6 | Updated Adding reference to the Wired article describing the incident in full detail.

8:07 p.m. Aug. 6 | Updated Adding comment from Apple.

The break-in of a journalist’s Apple iCloud account serves as a cautionary tale about how vulnerable people can be to malicious hackers, no matter how digitally sophisticated they are. Mat Honan, a seasoned technology writer, was spectacularly hacked over the weekend.

On Friday evening, the password for Mr. Honan’s iCloud account was reset. Later the bad guys broke into his Gmail account, and eventually they erased the data on his iPhone, iPad and MacBook Air using Apple’s remote-wipe feature — a self-destruct mechanism of sorts designed for use when a device has entered the wrong hands. To make matters worse, they also gained access to his personal Twitter account, as well as the account belonging to the tech blog Gizmodo, where he used to work.

Mr. Honan published a detailed account of the story on Wired. He says the hackers gained entry by phoning Apple’s tech support and using some clever “social engineering” to get around the security questions. That may point to a weakness in Apple’s identity verification process. But the root of the issue was brought to light when Evelyn M. Rusli and I reported on iTunes account hacks back in March: Apple encourages customers to use the same Apple ID and password for just about everything. That’s a concern because iTunes is no longer just a music store; it’s also a place to buy e-books, apps and TV shows. And the same credentials are used to log in to iCloud, Apple’s cloud service, where confidential documents could be retrieved or a remote wipe carried out, as in Mr. Honan’s case.

A security expert pointed out back in March that this would be a problem:

“Apple wants to pretend that everything is magic,” said Alex Stamos, co-founder of iSEC Partners, a security firm. “They need to admit that their products can be used by bad people to do bad things.”

One problem, Mr. Stamos said, is that iTunes customers use a single account and password for access to all Apple services. For example, the same login can be used to download a $1 game or buy a $2,000 laptop through the Apple Store app. He said that Apple could adopt a two-step verification method like Google’s. For example, if a user wanted to log in to the iTunes store on a new device, Apple could send a message to his iPhone containing a code, which he would enter to verify his identity.

To be fair, iTunes is successful largely because it was one of the first friction-free ways to purchase digital content. But perhaps iTunes has grown too big and too powerful to be so simple.

In a statement issued late Monday, Apple said that it had made a mistake when resetting Mr. Honan’s Apple ID password because it had not completely followed protocol.

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” said Natalie Kerris, an Apple spokeswoman, in a statement. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

However, Mr. Honan challenged the idea that an Apple employee had not followed protocol. He said a colleague was able to reset an Apple ID password by replicating the hacker’s technique.