How Did Apple Allow Hackers to Access iCloud Account?

The Internet is abuzz this weekend as a result of the Gizmodo Twitter account getting hijacked. That incident was traced back to the hack of an Apple iCloud account--allegedly accomplished through social engineering.

A Forbes.com story from Adrian Kingsley-Hughes explains that a former contributor for Gizmodo, Mat Honan, was the original victim of the attack. Hackers were able to access Honan’s iCloud account, and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to crack Honan’s iCloud password, but further investigation revealed that social engineering was used to convince Apple the attackers were Honan, and Apple gave them the keys to walk right in.

It took me months to "social engineer" my way into my own Apple ID account.
Color me incredulous!

Why? Well, I have my own story of Apple woe--and it’s the exact opposite experience. I somehow lost access to my own email address for use on iTunes, iCloud, and other Apple services, and it took months of fighting with Apple Support to finally get to the bottom of things and get into my own account. I couldn’t get Apple Support to give me access to my own account, never mind someone else’s.

I had originally set up my Apple ID using my primary email address. I didn’t have any problem for months, maybe even years. Then, one day it simply wouldn’t work. The Apple system claimed it was already in use on another Apple ID account.

I assumed I’d been hacked somehow. It’s my email address. I own the domain. Nobody else could possibly use my email address with a different Apple ID account “on accident”.

Initially, Apple Support directed me to just use a different email address. I did that as a temporary solution to enable me to access iTunes and other Apple services, but it was a Gmail address that I created just for that purpose. I don’t use Gmail, and I had no intention of starting, so I was still determined to get my own email address back.

In my experience, Apple security was almost too tight. I tried repeatedly to reset the password for my email address, but the reset confirmation emails never arrived. The reason? The confirmation emails are sent to an emergency rescue backup email address. I had no idea what account was using my email address, so I had no way of knowing where those emails were being delivered.

No problem. You can also verify your identity to reset your Apple ID by answering security questions. The first one--the gateway to get to the actual security questions--is your date of birth. I entered my date of birth, and the Apple system told me I was wrong…about my own date of birth.
