Journalist Mat Honan recently announced that hackers had accessed his iCloud account, and used it to take over his Gmail account and remotely wipe his iPhone, iPad and MacBook Air. "A few minutes after that, they took over my Twitter," Honan wrote in a blog post. "Because, a long time ago, I had linked my Twitter to Gizmodo's, they were then able to gain entry to that as well."
Later, Honan added, "I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions."
"Simply put, the hacker -- forget that, the criminal -- called up Apple support and tricked them into handing over control of Honan's iCloud account," writes Sophos' Paul Ducklin.
"If the hackers didn't answer the security questions, but merely managed to socially engineer their way around the questions with other bits of personal information, that lays a bit of the blame -- a lot of it -- in Apple's lap," writes Gizmodo's Eric Limer. "Any unauthorized access to an account is problematic, and when fallout of such a breach includes the remote deletion of several extremely important devices and the ability to request new passwords for several other accounts, doubly so."
"In the early '90s, famed hacker Kevin Mitnick found that the best way to get into any secure system was to simply telephone the system's administrators and convince them you were an employee who'd forgotten his password," writes SecurityNewsDaily's Paul Wagenseil. "Twenty years and thousands of successful hacks later, the same method still works on the world's most valuable and most high-profile technology company."
"The fact a hacker was able to access Honan's iCloud account with the help of AppleCare support is very worrying," writes ZDNet's Emil Protalinski. "Remember: the hacker then proceeded to destroy Honan's whole digital life. That's something iCloud users need to be very wary of, and something Apple should address, but knowing Cupertino, it probably won't even comment."