Apple responds to iCloud hack: Our internal policies were not followed completely

“After former Gizmodo reporter Mat Honan’s entire digital presence was hacked via a loophole in AppleCare, Apple now says it is looking into how users can reset their account passwords to ensure that their data is protected,” Dara Kerr reports for CNET.

“It all began when Honan took to his Tumblr blog on Friday, detailing the events that led to his online life being sabotaged — with his Google and Twitter accounts being deleted and his MacBook, iPad, and iPhone being wiped clean,” Kerr reports. “He blamed an AppleCare technician for allowing his accounts to be hacked, as well as the tech blog’s official feed.”

Kerr reports, “After deliberating over the ways it could have happened on his blog, Honan heard back from Apple. ‘Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,’ Apple spokesperson Natalie Kerris told Wired, where Honan now works. ‘In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.'”

Honan’s long sordid tale via Wired, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” explains how the hack occurred here.

39 Comments

  1. this all started because his billing data and email was publicly open to everyone on the internet and that allowed the hackers to hack his amazon account.

    instead of using wordpress he wanted to be cool and ran his own site for his blog which caused him to appear in whois

  2. But in the article Matt claims Wired was able to duplicate this hack themselves, even after Apple claimed it was merely an error. Sounds to me like Apple needs entirely new policies on the password reset process. Their identity questions are horribly inadequate (and easy to get wrong even if you are the real you) and I can imagine needing to bypass them which would require an Apple rep to do just what this “hack” did.

  3. Not good. There is entirely too much personal information requested and stored by numerous companies, including Apple. Our entire personal/”private” info used to authenticate is loose out in the world. Privacy in the US is supposed to be a “right,” but it is anything but. It should be covered by the 9th/10th Amendments, as well as in numerous state constitutions. But it is all meaningless. The government excludes itself from our privacy “protections.” But it is the government from which the Founding Fathers wanted to protect us, more than from each other. With all our info out there, it may be surprising there is not more of this going in on. And there’s plenty as it is. Bad.

  4. Ok… Enough of this “hack” already…. This was identity theft, plain and simple, mostly, admittedly, his own fault.. no one “hacked” anything…. Sheesh.

    1. He’s using “hack” in a generic sense. We know what he means by it. And identity theft is more serious than “simply” hacking into your on-line presence. You’re throwing it out like it’s no big deal, that nothing was “hacked.”

      Clearly, he messed up. Apple did, too. But this could have happened with anyone at any company.

  5. He knows he messed up not doing certain things, like backing up his computer. But what about those who are fully un-tech-savvy? They cannot be expected to have a clue about what is going on. Most wouldn’t even understand what he went through. Apple messed up. Honan messed up. But the system itself just isn’t put together well.

    Some places limit you to a small number of required questions that may be fully insecure. Or that are so obscure even you don’t have the answers. Hope not to attract attention from bad guys. Hoping works, doesn’t it?

  6. He was targeted because he is a “journalist” and public figure on the net. I really doubt there is a larger problem. All the rest is just hype – another anti-Apple smear campaign. Interesting timing as the Samsung trial heats up – right?

    1. He may have been targeted by this particular person because of who he is, but there are plenty of other “regular” people who have bad people who know them in their world. Students going after teachers, or after parents who disciplined them for one thing or another. Lots of others. Relegating this to this one person or instance is putting on blinders.

    2. One of the problems here is that he put the procedure out to the world. Everyone can more easily know how to go about this now. And companies are often too slow to change procedures. Smaller companies may never change anything. Hopefully, Apple & Amazon will make some internal changes to address the weaknesses on their parts quickly.

  7. I’m sorry but their whole thing smells of an apple hater publicity stunt.

    Whenever Wired and Gizmodo are mentioned (both known to “skew” the truth and “create” events to attempt to smear apple) I run get a half pound of salt before I read the rest.

    1. I hope you’re right. But the procedures he outlines are perfectly plausible so the damage was done.

      I’m also disgusted that he tells the guy (whether real or not) that he won’t prosecute. (He doesn’t have to back that up anyway.) May not be possible anyway, but how irresponsible to not go after him and his friend (to whom he made no promise). Is he naive enough to think they won’t do this again? Journalism notwithstanding, that was the wrong move.

        1. +10
          Apple hateing tech journalists get a double kick from this: first they will do (virtually) anything to smear apple (look at some of the recent stunts) and second, as you mention, it is a quick way to world wide publicity.

          1. Apple iPhone, iPad, Macbook … Hmmm … at home – with family pictures on it that he lost. This doesn’t sound like an Apple hater.

            Publicity is what got him in trouble besides not being careful enough about some thing. And the good out of it is Google is pushing their Double-check for logging on to their web services – and is pushing (well forcing) different passwords for email that you don’t even know / can’t (and shouldn’t) remember.

            I think it’s just great that we can learn from this guys experience as well as hopefully the companies involved will, and there will be improvements by us and companies from the lessons learned.

    2. An Apple rep, Natalie Kerris, was quoted admitted Apple’s own policies weren’t followed properly.

      It’s like a computer hack–even if it’s done by a hater or as a publicity stunt, an issue exists and must be fixed.

      1. Well yes BUT (and it is a huge but) like some of the security issues apple haters found with OSX (remember the “hack a mac” one where you had to install 3rd party wifi hardware and drivers for it to work) the real threat may be greatly exaggerated.

        If in fact, it was a set up (which given the circumstances is quite plausable) the “hacker” had lots of info that a real hacker wouldn’t have. They are spinning this as a real threat when it may just be a one in a million (or hundred million) anomaly.
        Yes, agents should be hard nosed (rather than trying to bend the rules to do someone (who may have seemed (if this was a ruse) very legitimates because he knew everything and never stumbled??) a favor

        1. “…even if it’s done by a hater or as a publicity stunt, an issue exists and must be fixed.” Agreed.

          It’s more dangerous to dismiss this and find the issue is a real one, than to accept that it have happened and ensure that it doesn’t happen going forward.

          1. I didn’t suggest ignoring something, what I said was putting this ONE incident in perspective, rather than running around after an acorn hits you the head, crying “the sky is falling, the sky is falling”

            This is a single incident in millions, possibly hundreds of millions. Claiming this is “dangerous” to the average user is just fomenting.

            1. Clearly, both Amazon and Apple thought otherwise when they both moved quickly to address the issue. They knew that a section of the sky near them had indeed fallen. The potential to the “average user” was there…and still is. Issues like these may not be common, but they are far more common than simply “a single incident in millions.”

              Fortunately, it is being addressed. So something good may be coming of this.

            2. Absolute nonsense
              Any developer will always close any insecurities (once discovered) as soon as they can, so the fact that amazon and apple “dealt” with it does not prove you conclusion that it was ever a real threat. Flawed logic, the exception does not prove the rule.
              You are beginning to seem more like a troll than anything else at this point, make me sorry I wasted time replying.

            3. But these aren’t just developers …. they are big companies. And this isn’t just software – it’s social engineering followed by a network attack using acquired credentials. And it really happened. Get that in your thick head. Those companies didn’t just respond because they got a rumor online … they got contacted by this guy. Google also responded LARGELY because of the Gmail part of the whole thing – as is now heavily pushing it’s TWO method of authentication … your password + something only you have …. your cell phone. And this causes you also to reset to safe passwords for Email as well. It sounds pretty serious to me. I reset all my stuff. Please go fill your cup half full and stop running around with it half empty and so damned negative. You don’t have to defend Apple …. they don’t need you to.

            4. Wow insults now?
              Dragging the bottom of the “troll’s barrel of tricks” now, I see
              You apple hating trolls have become pathetic, this is the thread you are hanging from now? An author who works for decidedly Anti-apple publications (likely a set up), has his iCloud files deleted.
              And you trolls are running around claiming the sky is falling?
              I have mixed emotions, on the one hand I feel sorry for someone like you who has so little in his life that he would hang out on a site for products from a company that he hates (even despises) and post nonsense, hoping to do what? Do you think people who actually use apple products (& services) don’t see right though you?

            5. I think you are the one running around with your chicken head cut off. You are the one that thinks the sky is falling.

              You are having this imaginary war with imaginary trolls and imaginary Apple Haters.

              By the way I don’t hate Apple. A lot of my friends are Apples … errr Apple-users. And I have a few Apples myself. And I just recently turned off my Apple iCloud services. I wasn’t “actively” using them anyway … what little I was using was forced on me by DEFAULTS.

            6. Suuuure you don’t hate apple.
              Dude, do you really think your posts are anything but transparent?
              You my friend need to begin pointing your efforts in a positive direction, negativity will get you nowhere in life.

            7. Richard Winters: Lieutenant Sobel does not hate Easy Company, Private Randleman. He just hates you.

              * I don’t hate Apple, Private Tessellator, I just hate you.

    3. You’re just as guilty of bias as you accuse Wired and Gizmodo.

      Neither iCloud nor Siri were ready for prime time and therefore Apple’s rush to market with them is now becoming a headache for everybody. Thousands of fires are being put out every day only to have more flare up tomorrow. They should have waited to move forward with these products, plain and simple. Your failure to admit this betrays your bias.

  8. iCloud is continually running into issues. One day they lose your notes, the next a chunk of emails, the next , the next, the next. I think we can declare both Siri and iCloud failures. Apple makes some excellent products but these two much-advertised items are unreliable at best and unusable at worst.

    1. Oh please, do you apple haters think that we don’t recognize a troll
      And… more importantly while you apple haters don’t really have a much of a clue about Apple’s products and services nearly all the rest of the people here use iCloud and most Siri. SO, we know what you are saying is complete crap

      1. How can it be “complete crap” when the headline of the article you’re posting under says that iCloud does, in fact, have issues? SO, we know what you are saying is disingenuous just to keep your Apple fandom, rather than intelligence, unsullied.

    2. lol – thanks for going to the effort of sharing your experience with us. Unfortunately we are here because we actually use Apple products. Why do we use Apple? Because it’s cheap, hip or the advertising? No because it is by far the best and we DON’T have issues like you claim.
      Most of the millions of people who use Apple don’t know about tech support or help forums, because they don’t need to. Those who do have an issue find that Apple is easy to deal with and fix the problem – no matter how small…
      So while what you wrote maybe plausible or normal in your fragmented, immoral world, for us it is laughable. My advice? Stop wasting your time trolling and work instead. Save the extra money and buy from the innovator. Keep up that type of lifestyle and give the extra time and money you save to people who need it. And remember Jesus loves you 😉

      1. It’s sad when you can’t tell your friends they have a problem. It’s even sadder when teenage boys (or those that write like them) defend the world’s largest company’s failures.

        Neither Siri nor iCloud are worthy of Apple, that’s all there is to it.

        For the record: I’ve bought every verison of the iPhone, own the latest iPad, a MacBook Air, and AppleTV, an airport extreme, three MacBookPros over the past 8 years and bought three different iPods way back when. Hardly a troll, tiny boys.

        It’s the height of adolescent inexperience by calling somebody immoral for pointing out a failure. There isn’t anybody I know who hasn’t had an issue with iCloud since it launched. There isn’t anybody I know who thinks Siri is all it’s been advertised to be. If your expereince has been 100% amazing, good for you, but we know you’re lying.

        Now, go to your room.

  9. I have an associate two offices down and the exact same thing happened. Somehow someone got his iCloud password and wiped everything everywhere–phone, laptop and iMac. Not sure how they did it, but I suspect they somehow got a keylogger installed on one of his machines.

    But I had no idea someone could wipe your computer data with iCloud, I thought it was just your iDevices.

    And BTW, this happened in the middle of the day while he was using his iPhone and he turned off his iMac within minutes of the attack, yet still lost everything. Managed to recover some stuff but it took months.

    So just beware.

  10. I for one am gravely concerned about the ability to delete important files with so little verification. Apple needs to change this (and quickly Amazon have already acted!) if they want people to take them seriously for cloud storage of personal information.
    The last 4 digits of a cc is far too easy…

    I am happy this has come to light (not for the journo

    1. Oh, so you’re friend HAS had issues with iCloud. My, my, what a dirty little ploth you are, mocking me for pointing out that iCloud isn’t a worthy addition to the Apple family just moments before you actually agree with me. CHILD.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.