When former Gizmodo US writer Mat Honan was hacked, and the Gizmodo US Twitter account was compromised, we all assumed the weak link in the chain was on the user end. It turns out that may not have been the case — the hackers didn’t even need a password to get started.
When everything first went down, the way the hackers made their way in was hazy. The assumption was that since the password wasn’t known to have been leaked it must have been brute forced. But now it’s become clear that the hackers called Apple tech support and posed as Mat to bypass the security questions. It worked.
From Mat’s blog:
“I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
If the hackers didn’t answer the security questions but merely managed to socially engineer their way around the questions with other bits of personal information, that lays a lot of the blame in Apple’s lap. Any unauthorised access to an account is problematic — doubly so when fallout of such a breach includes the remote deletion of several extremely important devices and the ability to request new passwords for several other accounts.
Mat might have a bit more information floating around out there than the average iCloud user, but if that information wasn’t literal answers to his security questions, that shouldn’t really have mattered. Until the gritty details of the deceptive conversation come out, there’s not much users can do to protect themselves from something similar. Just don’t go around tweeting your mother’s maiden name. And never, ever rely on the cloud. [Emptyage]