It’s a tech-head’s worst nightmare. But it became reality for former Gizmodo employee and tech reporter Mat Honan last weekend, when his iCloud account was accessed by a hacker – who promptly wiped the content of his phone, laptop and Google accounts from existence.
The story has spread like wildfire over the internet, but local security experts say there is a lesson for business here.
“It demonstrates the integrated nature of everything,” says AVG security advisor Michael McKinnon.
“Whenever there are overlaps, or dependencies, this can happen. We have a case where once the attacker had access to one account, he was able to compromise several other accounts.”
The entire saga has been documented by Honan on his blog.
Honan noticed his iPhone went dead, rebooted and then asked for a four-digit PIN which he never set. Immediately, he found his Gmail password had been changed, along with the password for his iCloud account.
While Honan was on the phone to Apple, he found they weren’t able to stop his MacBook being wiped, or even give him a pin to access the device.
“In the space of one hour, my entire digital life was destroyed,” he says in a piece on Wired.
“Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location.”
“Those security lapses are my fault, and I deeply, deeply regret them.”
The story is an extraordinary one. The hacker – who got in touch with Honan – was able to access Honan’s password simply by calling up Apple, and got the password changed through “some very clever social engineering”. Honan’s Gmail address was also used as the backup address for his iCloud account, so the hacker was able to access that as well.
Honan says the incident highlights security flaws in Apple and Amazon, especially in how tech support was able to just hand over the iCloud account password. Amazon tech allowed the hacker to see a partial credit card number.
The hacker, called “Phobia”, told Honan he was able to access his iCloud password by using just that four-digit number.
But while experts say the incident definitely highlights some problems with cloud technology, it also demonstrates how risky it can be for someone whose products are integrated in just one or two services with a single password – and no backups.
“The situation is very similar to people who are using the same password for everything,” says McKinnon.
He recommends businesses take note of the story and implement back-up systems as soon as possible.
“Whenever you can, look at third party solutions for backing up your data. It’s removing your dependencies and ensuring you have a separate, independent way of storing your data.”
“There are a lot of variables in how you go about doing that. But it’s just about noticing those dependency points, and then ensuring they’re all taken care of.”
The incident also comes as the Privacy Commissioner has confirmed it will be investigating internet provider AAPT over a hack that occurred two weeks ago. Hacking group Anonymous has taken responsibility.