Security

How Did Apple Allow Hackers to Access iCloud Account?

Every time I’d contact Apple Support I would get the same default answers, and “solutions” that wouldn’t work. Apple Support would explain that my email address was already in use on another Apple ID account, and that until it was removed from that account I’d be unable to use it.

Exasperated, I’d explain again that I can’t remove the email address from the Apple ID account because I had no idea what the Apple ID account was, or how to access it. Eventually, I’d become frustrated and quit. After a month or two, I’d contact Apple support and try again.

After many conversations and attempts, I finally had a breakthrough…sort of. An Apple Support person “cracked” and gave me an email address of the Apple ID associated with my email address. It was my wife’s. However, we logged in to her Apple ID account to remove my email address and found no sign whatsoever of it being there.

Once again, I contacted Apple Support. I explained that I can prove it’s my domain, and I can prove it’s my email address, and I asked that my case be escalated to someone capable of simply deleting my email address from the other Apple ID forcibly. Then I was told it was actually attached to, or associated with four different Apple IDs, but Apple couldn’t do what I asked. I wasn’t pleased.

I got my email address back. After over a year of attempts, and probably seven or eight different sessions with Apple Support, one of them finally “slipped” and gave me a crucial bit of information. It turned out that I was the one who stole my own email address.

Apple is obviously not invulnerable, but it doesn't make it easy to get into an account.
The email address was associated with an Apple “me.com” address. Two of them, actually--and they were both mine. I never saw the reset confirmation emails because I’ve never actually used the “me.com” email addresses and I wasn’t set up to receive the messages. The date of birth verification and account security questions wouldn’t work, because I never set them up in the first place.

I do recall creating the “me.com” accounts to test some things out, but it wasn’t a problem immediately. My guess is that Apple changed some rules on the backend after I had used my email address as an alternate contact on these other accounts, and that locked me out from using it as my primary email address on the Apple ID I actually use.

The bottom line is that I found Apple Support to be tight-lipped to a fault, and I’m surprised the attackers in the Mat Honan / Gizmodo incident were able to social engineer their way into his iCloud account. It took me over a year to “social engineer” my way into my own Apple ID.

Perhaps that says more about my lack of social engineering skills than it does about Apple security measures, but I can vouch for the fact that accessing someone’s Apple account is no simple feat.

Subscribe to the Security Watch Newsletter

Comments