Late last week, Wired reporter Matthew Honan's digital life was shaken like a squirrel in the mouth of pit bull. With the unwitting help of Apple and Amazon, a group of hackers gained access to Honan's online identity and proceeded to have their way with it.
Honan wrote a long account of his ordeal for Wired, which has since boomeranged around the InterWebs:
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
[ Also on InfoWorld: Cringely already named the 10 worst tech screwups of 2012 (so far). Does this one take it to 11? | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]
Scary? You bet. And the hackers couldn't have done it without the massive and total failure of both Apple and Amazon to safeguard their customers' data.
A few hours after Honan blogged about his virtual buggering on his Tumblr page, one of the hackers -- a guy calling himself "Phobia," from a group called Clan Vv3 -- got in touch with him and told him how they did it.
It started with Honan's Twitter account, which linked to his personal website, where Phobia found Honan's Gmail address. Using Google's account recovery page, Phobia gleaned Honan's alternate email, which was an Apple @me address. As Honan wrote:
Since he already had the e-mail, all he needed was my billing address and the last four digits of my credit card number to have Apple's tech support issue him the keys to my account.
Phobia got Honan's billing address via a Whois search on Honan's domain, then used a bit of social engineering to get Amazon's tech support to provide him with the last four digits of Honan's credit card number. (I won't get into all the nitty-gritty; Honan does a fine job summarizing it himself.)
Once Phobia and friends gained access to Honan's Apple account, it was game over. They could do whatever they wanted to him -- and they did, proceeding to wipe out every photo Honan had ever taken of his two-year-old daughter, to name just one example.
Why did they do this to Honan? Because they coveted his Twitter handle, @mat. That was all it took.
To prove it wasn't an isolated failure caused by some clueless support tech, other Wired reporters duplicated the hack twice on other accounts using the same techniques (but without causing any damage, obviously).
After this story went viral, Amazon quietly closed the loophole the hackers used to make a hash out of Honan's life, forbidding users from adding credit cards or changing passwords over the phone. Apple suspended its practice of allowing password resets over the phone pending further investigations into the hack. The fact that these two companies -- normally arrogant beyond belief and impervious to most criticism, especially when it comes from journalists -- moved so quickly tells you just how serious a breach this was.