Security

How Did Apple Allow Hackers to Access iCloud Account?

The Internet is abuzz this weekend as a result of the Gizmodo Twitter account getting hijacked. That incident was traced back to the hack of an Apple iCloud account--allegedly accomplished through social engineering.

A Forbes.com story from Adrian Kingsley-Hughes explains that a former contributor for Gizmodo, Mat Honan, was the original victim of the attack. Hackers were able to access Honan’s iCloud account, and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to crack Honan’s iCloud password, but further investigation revealed that social engineering was used to convince Apple the attackers were Honan, and Apple gave them the keys to walk right in.

It took me months to "social engineer" my way into my own Apple ID account.
Color me incredulous!

Why? Well, I have my own story of Apple woe--and it’s the exact opposite experience. I somehow lost access to my own email address for use on iTunes, iCloud, and other Apple services, and it took months of fighting with Apple Support to finally get to the bottom of things and get into my own account. I couldn’t get Apple Support to give me access to my own account, never mind someone else’s.

I had originally set up my Apple ID using my primary email address. I didn’t have any problem for months, maybe even years. Then, one day it simply wouldn’t work. The Apple system claimed it was already in use on another Apple ID account.

I assumed I’d been hacked somehow. It’s my email address. I own the domain. Nobody else could possibly use my email address with a different Apple ID account “on accident”.

Initially, Apple Support directed me to just use a different email address. I did that as a temporary solution to enable me to access iTunes and other Apple services, but it was a Gmail address that I created just for that purpose. I don’t use Gmail, and I had no intention of starting, so I was still determined to get my own email address back.

In my experience, Apple security was almost too tight. I tried repeatedly to reset the password for my email address, but the reset confirmation emails never arrived. The reason? The confirmation emails are sent to an emergency rescue backup email address. I had no idea what account was using my email address, so I had no way of knowing where those emails were being delivered.

No problem. You can also verify your identity to reset your Apple ID by answering security questions. The first one--the gateway to get to the actual security questions--is your date of birth. I entered my date of birth, and the Apple system told me I was wrong…about my own date of birth.

Every time I’d contact Apple Support I would get the same default answers, and “solutions” that wouldn’t work. Apple Support would explain that my email address was already in use on another Apple ID account, and that until it was removed from that account I’d be unable to use it.

Exasperated, I’d explain again that I can’t remove the email address from the Apple ID account because I had no idea what the Apple ID account was, or how to access it. Eventually, I’d become frustrated and quit. After a month or two, I’d contact Apple support and try again.

After many conversations and attempts, I finally had a breakthrough…sort of. An Apple Support person “cracked” and gave me an email address of the Apple ID associated with my email address. It was my wife’s. However, we logged in to her Apple ID account to remove my email address and found no sign whatsoever of it being there.

Once again, I contacted Apple Support. I explained that I can prove it’s my domain, and I can prove it’s my email address, and I asked that my case be escalated to someone capable of simply deleting my email address from the other Apple ID forcibly. Then I was told it was actually attached to, or associated with four different Apple IDs, but Apple couldn’t do what I asked. I wasn’t pleased.

I got my email address back. After over a year of attempts, and probably seven or eight different sessions with Apple Support, one of them finally “slipped” and gave me a crucial bit of information. It turned out that I was the one who stole my own email address.

Apple is obviously not invulnerable, but it doesn't make it easy to get into an account.
The email address was associated with an Apple “me.com” address. Two of them, actually--and they were both mine. I never saw the reset confirmation emails because I’ve never actually used the “me.com” email addresses and I wasn’t set up to receive the messages. The date of birth verification and account security questions wouldn’t work, because I never set them up in the first place.

I do recall creating the “me.com” accounts to test some things out, but it wasn’t a problem immediately. My guess is that Apple changed some rules on the backend after I had used my email address as an alternate contact on these other accounts, and that locked me out from using it as my primary email address on the Apple ID I actually use.

The bottom line is that I found Apple Support to be tight-lipped to a fault, and I’m surprised the attackers in the Mat Honan / Gizmodo incident were able to social engineer their way into his iCloud account. It took me over a year to “social engineer” my way into my own Apple ID.

Perhaps that says more about my lack of social engineering skills than it does about Apple security measures, but I can vouch for the fact that accessing someone’s Apple account is no simple feat.

Subscribe to the Security Watch Newsletter

Comments