How a Hacker Gained Access to a Reporter's iCloud Account
Wired reporter Mat Honan details the exact process by which hackers gained control of his iCloud account. The hijacked iCloud account resulted in a remote wipe of his iPhone, iPad and MacBook Air, as well as further intrusions into his Gmail and Twitter accounts.
As previously reported, the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account. Honan details exactly how this was performed.
Apparently, Apple Support only requires an iCloud user's billing address and the last four digits of the credit card on file in order to issue a temporary password. That temporary password grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued this statement, which claims that internal policies were not followed completely in Honan's case but fails to specify exactly how:
“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
Wired was able to confirm the reported policy itself by successfully gaining access to another account using only those two pieces of information: a billing address and the last four digits of the credit card number.
As noted by Honan, a target's billing address is generally easy to determine by looking up a domain registration or by searching public white pages databases. As for discovering the last four digits of Honan's credit card, Honan's hacker used a loophole in Amazon's security systems, which don't protect the last four digits of a user's credit card number. The hack requires two phone calls to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information, including the last four digits of the original credit card.
The intrusion seemed to be the result of a targeted effort to infiltrate Honan's Twitter account, and a number of items had to line up just right for the hackers to gain access. The situation does reveal that differences between providers' security processes could open up unwanted opportunities. It also seems to show that, at present, access to a specific user's iCloud account can be gained with those two pieces of only semi-private information.
Honan's full story about the sequence of events is an interesting read.