Hackers Got Into Reporter's iCloud Account With Deception, No Password Required

We may earn a commission from links on this page.

When Mat Honan was hacked, and the @Gizmodo Twitter account was compromised, we all assumed the weak link in the chain was on the user end. Turns out it may not have been; the hackers didn't even need a password to get started.

When everything first went down, the way the hackers made their way in was hazy. The assumption was that, since the password wasn't known to have been leaked, it must have been brute forced. Now it's become clear that instead, the hackers called Apple tech support and posed as Mat to bypass the security questions. It worked.


From Mat's blog:

"I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions."


If the hackers didn't answer the security questions, but merely managed to socially engineer their way around the questions with other bits of personal information, that lays a bit of the blame — a lot of it — in Apples lap. Any unauthorized access to an account is problematic, and when fallout of such a breach includes the remote deletion of several extremely important devices and the ability to request new passwords for several other accounts, doubly so.

Mat might have a bit more information floating around out there than the average iCloud user, but if that information wasn't literal answers to his security questions, that shouldn't really have mattered. Until the gritty details of the deceptive conversation come out, there's not much users can do to protect themselves from something similar. Just don't go around tweeting your mother's maiden name. And never, ever rely on the cloud. [Emptyage]


Image by olly/Shutterstock