How @Gizmodo Got Hacked And How You Should Defend Yourself

If you follow Gizmodo US on Twitter, you may have noticed its account started spewing some garbage last night. It got hacked. Here's how it happened and some steps you can take to keep it from happening to you.

The weak link in the security chain turned out to be the seven digit alphanumeric password to Gizmodo US's good buddy and former contributor Mat Honan's iCloud account. After presumably brute-forcing his way into iCloud, the hacker was able change the password of and gain access to Mat's Google account, remote wipe his Macbook Air, iPhone, and iPad, get into his Twitter and then use that to get access to the Gizmodo US account. While it managed to snatch the Twitter account back claws of evil, Mat's been having a bit more trouble. You can read more about his harrowing tale on his blog.

Awful as getting hacked always is, it's a learning experience. So what can you do to help avoid a similar fate? A few things.

Use super-secure passwords and use different ones for everything. Use numbers, symbols, uppercase letters, lowercase letters, all that jazz. You probably know how to make a secure password, it's just annoying to do. If you can't be bothered to memorise a whole bunch of alphanumeric gibberish, pick up a password manager like 1Password or LastPass and lock it down with one insanely secure (and unique) master password.

Whenever you have the option, turn on two-step authentication, especially on your Google account or any other account you use as a hub. That way, even if script kiddies manage to get your (super-secure) password, it'll be useless unless they have access to your phone or computer.

Check up on and clean out your permissions from time to time. There's pretty much a 100 per cent chance that somewhere in your web of accounts, something has access to account it doesn't need to have access to anymore. In Gizmodo US's case, Mat's Twitter still had access to it. By going through and cutting these deprecated ties, you can make it less likely that one of your less used, possibly less secure accounts can help a hacker get to one of your more important ones.

Don't rely on the cloud. It's great to have online storage you can get at from all your various devices, but when the shit goes down and you're under attack, nothing is more secure than a hard drive you can unplug and hide in a shoebox in the closet. It's not the most convenient way to back up, but you'll thank yourself for it.

No matter what steps you take, you can't totally rule out the possibility of getting hacked; if someone's really out to get you, they can probably get you eventually. You're going to want to take every step you can though, just be safe, because if you do get hacked, you're going to be kicking yourself hard for every little precaution you could have taken but didn't.


Comments

    heh.. hacking victim gives security advice.. I'd ignore most of what they said.

    I also assume you havent seen this - http://xkcd.com/936/ its the best password advice no money can buy.

    Also password managers are an epicly dumb idea, i dont think this needs an explanation to anyone who's thought about it for more than 3 seconds.

      That comic is what I try to tell people all the time.
      People have in their heads that hackers are like in the movies, sitting in front of a computer and putting random words into a password field.

      With passwords like this you may as well use abc123, cause that's how long they take me to break.
      The password used in the cartoon took just under 10 minutes to crack with a password disk on a Win 7 laptop. BackTrack cracked it on my wireless in less than 30 minutes. Compare that to my 16 character password which the password disk couldn't crack and Backtrack took 105 days to break.

        The cartoon also specified 1000 guesses per second as a plausible attack on a weak remote web server. How does that stack up to your system?

      Password manager? LOL! Who knows what it's sending back to base...

      If you can't remember a strong password, consider something like http://www.passwordcard.org/en

    Trouble is the convenience and simplicity of the net suddenly becomes bogged down in a cycle of long passwords, additional devices, passwords for passwords. I like the idea of the most important passwords as mouse click keyboards only, with lockout post x attempts revivable by phone or something. Yes everything can be hacked.

    Well no matter how I try to harden my wordpress site, it always seems to get hacked, so I'm back to a plain html based web page.

    > Use super-secure passwords and use different ones for everything. Use numbers, symbols,
    > uppercase letters, lowercase letters

    If we all do that... it will stop hackers from stealing Gizmodo's unprotected password database?
    How exactly?

    LOL! Serves him right. iCloud is apple, apple has no security. Sorry to say it, but Macs are no reliable computers.

      Wait, so if you only use Windows or Linux no one can figure out your password?

        Well I for sure wouldnt use something like a password manager. :/

        Not only that, but you get their passwords in return if they tried to hack yours.

    If the guy was a former contributor, I'm not sure how it works there at Gizmodo, but I reckon that they should have revoked his access when he stopped contributing...instead of blaming him that he should have given back his access

    Story's been updated. Apple tech support/Mat got social engineered by the hacker using publicly available information.

      So, password complexity was irrelevant to this hack then? As well as all other advice in this column? *sadface*

      I believe the best defence is to maintain a degree of paranoia at all times, sometimes to an antisocial degree. The Chinese, I find, are fantastic at this.

Join the discussion!

Trending Stories Right Now