
4 Security Lessons Learned from Mat Honan’s iCloud Account Hack


This past week, writer Mat Honan had the unthinkable happen. Someone got into his iCloud account and was able to remotely wipe his iPhone, iPad and MacBook Air and delete the Google account that was attached to his iCloud account. The initial assumption was that the hacker had brute-forced his way into Honan’s account. After some further digging, it came to light that the hacker had simply used social engineering to trick Apple Support into resetting the password.

As much as we like to trumpet the use of good passwords, this is one instance in which this would not have made a difference. You can use the best password in the world, but if someone can socially engineer you or someone from the site or service itself to reveal your password, it will make no difference. That isn’t to say that strong passwords are not important; having a strong password will protect you against the majority of common attacks. But you should definitely not bet the farm on a password.

There are a number of questions that this brings up, of course:

  • What can you do to recover from a catastrophic data loss incident?
  • What can you do to protect yourself against this sort of attack?
  • What is the likelihood of this happening to me?

Honan learned the answer to the first question the hard way: make regular backups in multiple locations. Do not rely on the cloud alone to store your backups; websites are not bulletproof, companies go out of business, and disasters happen. Honan may recover the accounts that were compromised during this hack, but that is in no way certain in every case. He may not be able to recover the year’s worth of data he hadn’t backed up in another location. (Though he was fortunate that the remote wipe did not complete, so it may not all be lost.)

For the second question, we’ll define the attack as a compromise of any online account that holds a great deal of your important data, whether that is your contacts, your calendar, entire backups, selected files, or simply links to many of your other accounts (social networking, banking, online shopping, etc.). This could be iCloud, it could be Google, it could be any number of other services.

We have to assume that you can’t trust the protection of your password alone, as that could be stolen by social engineering or hacking of some other sort. But this is another place where a layered defense strategy comes in handy. We already covered the need to back up your data in multiple places. But what else can you do?

  1. Encrypt as much of your online data as you can. This keeps someone who breaks into your account from being able to use the data they find.
  2. Seriously consider whether you really need to link accounts. Is the convenience of linking your accounts worth the possibility that someone phishing or hacking their way into one account now has access to the linked account as well? Or would it be preferable to give the hacker one more hurdle to clear before compromising your accounts?
  3. Use two-factor authentication wherever possible. This makes it more difficult to gain access to your accounts, as it relies not just on what you or the hacker knows (your password), but also on something that you have (your phone or a dongle, for instance). This would not have stopped the remote wipe that happened to Honan, but it would have kept his Google account from being deleted.
  4. Use an email address that is not known to others. If hackers don’t know which email address you’ve used for an account, it is harder for them to socially engineer their way into it.

And lastly, how likely is this to happen to you? The exact situation that Honan describes is fairly unlikely. Most of us are in more danger of our devices being stolen than of having someone go to the trouble of gaining access to our important passwords and then destroying the data. This was a very clear case of a targeted attack. And hopefully this is something that Apple will address by strengthening the requirements for remote wipes. You should not be able to destroy your data by an accidental mis-click or two.

As this story is still unfolding, it will be interesting to hear what changes this may bring and how Apple responds to this incident, and whether any more information comes to light about how exactly the hacker conned the support rep into resetting Honan’s password.

What questions do you hope are answered after this incident? Have you gone to Apple’s support for a password reset request? If so, what was your experience?