AppleCare Social Engineering Allowed A Hacker To Ruin A Journalist’s Night

Current Wired journalist and former Gizmodo employee Mat Honan had a rough night a few days ago. Not only was his iCloud account hacked, but this in turn led to the compromise of his Twitter account, followed by Gizmodo’s Twitter account. The hacker then used Gizmodo’s Twitter, with nearly half a million followers, to tweet racist messages. This was possible because Honan’s Twitter profile was attached to his iCloud email address, so a simple Twitter password reset allowed “Clan Vv3,” the group the hacker belongs to, to gain control of both accounts.

But wait, it gets even worse. The hacker then used Find My iPhone to remotely wipe Honan’s iPhone, iPad and Mac computer. Not even his Gmail account was left standing. Honan is currently working with both Apple and Google to recover some of his lost data.

As I am sure you are already thinking, this is a pretty big ordeal to go through, but how was it possible? Well, all it took was some clever social engineering on the hacker’s side. Honan originally suspected that the hacker had brute-forced his old seven-character password. Now, however, it looks like the situation is actually Apple’s fault, as the hacker used social engineering on AppleCare support staff to get past the account’s security questions.

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

It is pretty scary to think that if it was that easy to gain access to Honan’s iCloud account, it could happen to any Apple customer who uses iCloud. Just as in Honan’s case, someone could literally destroy all of your non-backed-up digital data within minutes.

Apple was not available for comment, and will probably not release an official statement on the matter. As such, at this time there is not much you can do to protect yourself from being affected by this social engineering exploit, besides disabling iCloud on your Apple devices. I wouldn’t be very worried, however; I have a feeling most of you aren’t as high-profile a target as Mat Honan.

Are you worried by this? Share your responses and further thoughts in the comments section.

  • FuckApple

    Fuck yeah, it’s a concern, and we all should be worried.

  • Ryan Kruger

    You’re missing the point. Apple has very strict policies regarding privacy, and doesn’t give out information to anyone who just calls in.

    Nowhere does it say WHAT information was given to Apple to deem it worthy of resetting the password. For all we know, the hacker had adequate information to give in order to retrieve said passwords; it could have been harvested through Facebook and Twitter, and the victim was brilliant enough to use the same passwords/security questions for several accounts… I haven’t read anywhere that this isn’t the case.

    Unless you’re able to look at the big picture, it’s pretty pointless to point out that people’s information is just available out in the open.

  • Justin

    We shouldn’t all be worried. Do you have half a million followers on your Twitter account? Didn’t think so. Chances are you’ll never be a target, sorry :)