In one night, Wired technology writer Mat Honan saw his entire digital existence horrifically erased before his eyes. Using security loopholes in Amazon, Apple, Google, and Twitter, hackers were able to piece together enough information to remotely wipe clean his iPhone, iPad, and MacBook — including irreplaceable pictures he had stored of his baby's first year of life. "Those security lapses are my fault," says Honan, detailing the cautionary tale on Wired. "And I deeply, deeply regret them." Here's what you should know to better protect yourself:
How did Honan find out he was hacked?
The first sign came about 5 p.m. on Friday, Aug. 3. He was playing with his daughter when his iPhone suddenly powered down. Honan assumed it was nothing more than a glitch in iOS, but when he plugged his iPhone into his MacBook to restore from backup, he realized something weird was going on. "When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four-digit PIN," says Honan. "I didn't have a four-digit pin." Later that night, he learned that two hackers had infiltrated his Twitter account, @Mat, which was also linked to the Twitter account at Gizmodo (his former employer). The perpetrators used the accounts to troll thousands of followers with racist and incendiary messages touting their hacking exploits.
Who was behind it?
Honan was able to contact one of the hackers with a temporary Twitter account, at first exchanging direct messages and, eventually, AIM messages. He learned that one hacker was a 19-year-old who called himself Phobia. Honan agreed not to press charges if Phobia agreed to detail exactly how they were able to break into his accounts.
How did they do it?
In order to break into his iCloud account, the hackers needed three things: his Apple .me email, his billing address, and the last four digits of his credit card. First, they found his Gmail address on Honan's personal website, where he hosts his portfolio. Then they went to Google's account recovery site using his Gmail address, and were able to glimpse the alternate email Honan provided: firstname.lastname@example.org. The rest of the letters were easy to guess.
How did they get his billing address and credit card number?
They got his billing address by looking up his personal website on whois.com. "Getting a credit card number is trickier," says Honan, "but it also relies on taking advantage of a company's back-end systems." In short, the hackers were able to call Amazon support pretending to be Honan, using his other emails. With little effort, they were granted enough access to learn the last four digits of the credit card linked to his Amazon account.
Then what did they do?
With Honan's Apple .me email, his billing address, and the last four digits of his credit card, they were able to call AppleCare and lay his digital life to waste. After they'd changed his Twitter and Gmail passwords, they used iCloud's "Find My" tool to remotely wipe everything on his iPhone, iPad, and MacBook. Then they deleted his Google account to prevent him from regaining access. Honan says he lost "irreplaceable pictures" of his family, including his "child's first year and relatives who have now passed." These weren't elite hackers using advanced techniques to break into an account, says Paul Wagenseil at Laptop Magazine. The attacker "simply placed a call to Apple tech support and convinced Apple to give him control of Honan's Apple account."
Why did they target him specifically?
Phobia said he simply wanted access to Honan's three-character Twitter handle. "That's all they wanted," until they realized they could do so much more, says Honan. "They just wanted to take it, and fuck shit up, and watch it burn. It wasn't personal."
Did he back up his files?
He didn't. "I should have been regularly backing up my MacBook," says Honan. "I'm ultimately to blame for that loss… but I'm also upset that this ecosystem that I've placed so much of my trust in has let me down so thoroughly."
How can I ensure that this doesn't happen to me?
The scary thing is that all of this could have been avoided if Honan had turned on Google's two-step verification, which would have prevented hackers from gleaning his Apple email, says James Fallows at The Atlantic. It's a bit more time-consuming, yes, but "similarly, it is less convenient to carry keys around and have to lock and unlock your front door, compared with just leaving it open." Many online exploits are the result of weak passwords, says Laptop Magazine's Wagenseil. But thanks to loopholes in how Amazon, Apple, and Google conduct business, the strongest password in the world wouldn't have saved him.