Apple: We Screwed Up!

iCloud (Photo credit: Wikipedia)

Is your iCloud account secured by a good password? That’s not going to help you if Apple sidesteps your security and hands hackers access to your account.

The other day I posted Mat Honan’s tale of woe. Hackers got into his iCloud account and used it to remotely wipe his iPhone, iPad and MacBook before going on to create more mayhem. At the time it was assumed that the hackers had used brute-forcing – trying passwords until they got lucky — but it turns out that Apple gave the hackers access to his iCloud account.

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

“Social engineering” is a fancy term for tricking the person on the other end into doing what you want by making them believe that they are talking to you, the legitimate account holder.

Apple has now admitted that it screwed up, and that "internal policies were not followed completely".

"Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," said an Apple spokeswoman. "In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected."

However, according to Honan, the problem remains:

As of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them. Apple says its internal tech support processes weren’t followed, and this is how my account was compromised. However, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case — that I was the victim of Apple not following its own internal processes — then the problem is widespread.

Got an iCloud account? Got it set up so that your devices can be wiped remotely? Sleep tight ...