A leading tech writer has revealed how easy it was for his ‘entire digital life’ to be destroyed in less than an hour – and how Apple security lapses mean it can happen to you.
Mat Honan, who writes for Wired, was hacked because Apple's phone support would reset his Apple ID password on the strength of two pieces of information a stranger can obtain: his billing address and the last four digits of a credit card number.
From there the hackers were able to delete his Google and Gmail account, stop his iPhone from working and take control of his Twitter page.
Along the way everything on his laptop, including every photo he had of his one-year-old daughter, was wiped.
In a disturbing article on Wired.com, Honan reveals how he actually spoke to the hacker who carried out the attack.
After the hacker explained how he had done it, Honan was able to repeat the same steps himself and carry out his own mock hack.
In the story Honan writes that on August 3 he realised something was wrong when all of a sudden his iPhone powered down.
When he tried to connect it to his computer he was asked for a four-digit PIN, which the hackers had already set on the laptop to lock him out of it.
During the hour-and-a-half long phone call with AppleCare, during which staff initially got his name wrong and looked at the wrong account, the full story emerged.
Between 4.33pm and 5.12pm the hackers had gone from having no information to taking over his whole digital life – and posting a message on his Twitter page claiming credit for doing it.
Honan writes: ‘It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.
‘Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.’
From there the hackers moved on to his other accounts, which were all linked to one another: they asked Gmail for a password-recovery message, which was sent to his mac.com address, and they already controlled that mailbox.
Once they had access to his Gmail account, they were able to get control of his Twitter page too.
After accepting what had happened Honan set up a temporary Twitter account – and was shocked when one of the hackers messaged him.
Identifying himself as Phobia, he explained how he hacked Honan just because he ‘liked his username’ and claimed that ‘you honestly can get into any email associated with apple’.
Honan discovered that the hack began when Phobia found his billing address by searching for his web domain on people-search sites such as Spokeo or WhitePages, which list where a person lives.
The last four digits of his credit card were obtained by exploiting a second weak spot, this time in Amazon's customer-service procedures rather than in a data breach.
Honan writes: ‘First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account.
‘All you need is the name on the account, an associated e-mail address, and the billing address.
‘Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
‘Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account.
‘From here, you go to the Amazon website, and send a password reset to the new e-mail account.
‘This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.’
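The ‘self-check algorithm’ in that quote is the Luhn checksum, a mod-10 check digit that card numbers carry so that transcription errors are caught. It is an integrity check, not an authentication check: any random string of digits can be completed to pass it, which is why a number from a generator site satisfied Amazon's phone agent. The following is an added example, not code from the Wired or MailOnline article; the sample numbers are constructed test values (4111 1111 1111 1111 is a widely published test number, not a real card).

```python
import random


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 sum over a digit string; 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number (spaces and dashes ignored) carries a correct Luhn check digit."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) >= 2 and luhn_checksum(digits) == 0


def luhn_complete(partial: str) -> str:
    """Append the single check digit that makes `partial` Luhn-valid."""
    # With a trailing '0' placeholder the existing digits already sit in their final
    # positions, so the missing check digit is whatever lifts the sum to a multiple of 10.
    check = (10 - luhn_checksum(partial + "0")) % 10
    return partial + str(check)


def fake_card_number(prefix: str = "4", length: int = 16, seed: int = 1) -> str:
    """Constructed, Luhn-valid but meaningless number, as a generator site would produce.

    No issuer ever assigned it; a merchant that only runs luhn_valid() cannot tell.
    """
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return luhn_complete(body)


def last_four(number: str) -> str:
    """The four digits that Apple's reset process accepted as proof, per the article."""
    return "".join(ch for ch in number if ch.isdigit())[-4:]


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))   # True
    print(luhn_valid("4111 1111 1111 1112"))   # False: one digit changed
    n = fake_card_number()
    print(n, luhn_valid(n), last_four(n))      # passes the self-check, proves nothing
```

The practical point is the one Honan makes: a check that a number is well-formed tells the agent nothing about whether the caller owns anything, and a value the customer can later read back (the last four digits) is not a secret once any account that displays it has been taken over.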
Honan admits that much of the blame is his own and wishes he had taken better security steps, such as not ‘daisy chaining’ his accounts together so that access to one account handed over the next.
He wishes he had not set up ‘Find My Mac’, the remote-lock feature that allowed the hackers to set a PIN and freeze him out of his computer.
But he also believes that it is still too easy to hack into an Apple account, and claims that anyone could repeat what Phobia did.
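The daisy-chaining Honan describes can be written down as a small attack graph: each step is a rule that turns facts the attacker already holds (a billing address, the last four card digits, control of a mailbox) into new ones. Below is an added example, not code from the article or from Wired; the rule list is constructed from the chain described above and the fact names are the example's own. Forward-chaining from the public facts shows everything the attacker reaches, and removing rules one at a time shows which single link, had it been fixed, would have broken the chain.

```python
from collections import namedtuple

# A rule turns a set of things the attacker already has into new ones.
Rule = namedtuple("Rule", "name requires grants")

# Constructed from the steps described in the article; every link is a reset or
# support process, not a cracked password.
RULES = [
    Rule("domain / people-search lookup", {"name", "domain"}, {"billing_address"}),
    Rule("Amazon: add card by phone", {"name", "email", "billing_address"}, {"amazon_card_added"}),
    Rule("Amazon: add e-mail by phone", {"name", "billing_address", "amazon_card_added"},
         {"amazon_email_added"}),
    Rule("Amazon: web password reset", {"amazon_email_added"}, {"amazon_account"}),
    Rule("Amazon: read cards on file", {"amazon_account"}, {"card_last4"}),
    Rule("AppleCare: temporary password", {"billing_address", "card_last4"}, {"apple_id"}),
    Rule("Apple ID gives iCloud + mailbox", {"apple_id"}, {"mac_com_mailbox", "icloud"}),
    Rule("Gmail recovery to mac.com", {"mac_com_mailbox"}, {"gmail"}),
    Rule("Twitter reset via Gmail", {"gmail"}, {"twitter"}),
    Rule("Find My Mac / iPhone remote wipe", {"icloud"}, {"laptop_wipe", "iphone_wipe"}),
]

# What Phobia started with, according to the article: a username he liked and
# whatever the public web says about its owner (assumed public facts).
PUBLIC_FACTS = {"name", "email", "domain"}


def forward_chain(known, rules):
    """Apply rules until nothing new appears. Returns (facts reached, rules fired in order)."""
    known = set(known)
    fired = []
    progress = True
    while progress:
        progress = False
        for r in rules:
            if r.name not in fired and r.requires <= known and not r.grants <= known:
                known |= r.grants
                fired.append(r.name)
                progress = True
    return known, fired


def cut_rules(known, target, rules):
    """Rules whose removal, on its own, stops `target` from being reached.

    In a linear chain like this one every step on the path is such a cut point:
    fixing any one of them would have stopped the takeover.
    """
    cuts = []
    for r in rules:
        without = [x for x in rules if x is not r]
        if target not in forward_chain(known, without)[0]:
            cuts.append(r.name)
    return cuts


def require_extra(rules, rule_name, extra_fact):
    """Return rules with `rule_name` also demanding `extra_fact` (e.g. a second factor)."""
    return [Rule(r.name, r.requires | {extra_fact}, r.grants) if r.name == rule_name else r
            for r in rules]


if __name__ == "__main__":
    reached, steps = forward_chain(PUBLIC_FACTS, RULES)
    print("reached:", sorted(reached))
    print("cut points for twitter:", cut_rules(PUBLIC_FACTS, "twitter", RULES))
    # A second factor the attacker cannot obtain on the Gmail recovery step stops the
    # Twitter takeover, but the Apple step alone still exposes the devices.
    hardened = require_extra(RULES, "Gmail recovery to mac.com", "gmail_second_factor")
    print("with 2FA on Gmail recovery:", sorted(forward_chain(PUBLIC_FACTS, hardened)[0]))
```

Running it shows that nine of the ten rules are single points of failure for the Twitter takeover (only the remote-wipe step is off that path), and that adding a second factor to just the Gmail recovery step severs the chain at Gmail while leaving the iCloud-driven wipes reachable, which is why Honan's conclusion targets the Apple reset process rather than any one downstream account.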
Honan said: ‘My experience leads me to believe that cloud-based systems need fundamentally different security measures.
‘Password-based security mechanisms – which can be cracked, reset, and socially engineered – no longer suffice in the era of cloud computing.’
In a statement to Wired, Apple spokeswoman Natalie Kerris said: ‘Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password.
‘In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer.
‘In addition, we found that our own internal policies were not followed completely.
‘We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.’
MailOnline has asked Amazon for comment.