Amazon and Apple change their security policies after hackers tricked their support staff into helping them to break into a journalist’s online accounts.
Apple and Amazon are taking steps to change some of their
security policies after it came to light that hackers tricked staff members
into helping them change the passwords of Gizmodo journalist Mat Honan's online
In a first-person article published on Wired, Honan details
how a hacker was able to access his iCloud account and wipe everything from his
iPad, Mac and iPhoneall with an assist from the support staffs of Amazon and
Apple, whom the hacker tricked by impersonating Honan.
"We've temporarily suspended the ability to reset
AppleID passwords over the phone," Apple spokesperson Natalie Kerris told
"We're asking customers who need to reset their password to
continue to use our online iForgot system (iforgot.apple.com
). This system can reset a password in one
of two wayseither have a password reset sent to an alternate email address
already on record or challenge the customer to answer security questions
they had previously set up."
"When we resume over-the-phone password resets,
customers will be required to provide even stronger identify verification to
reset their password," she added.
Amazon said they made a change to their security approach Aug. 6.
According to Honan, who was able to get in contact with a hacker who goes by the name of
"Phobia" and was at the center of the scheme, the ultimate goal was
to seize control of his Twitter account. To do that, the hackers looked up his
Twitter and found that it linked to his personal website, which had his Gmail
address. He then went to the Google account recovery page.
Once there, Phobia entered Honan's Gmail address and was able to view the alternate email Honan set up for password recovery. Though the
email was partially obscured, the hackers were able to guess it and when they
saw it was a .me account the hackers knew Honan had an AppleID.
In order to get access to his AppleID, Phobia and his partner needed the last four digits of
Honan's credit card and billing address. The billing address was discovered
with a whois search of Honan's Web domain.
To get it, Phobia's partner called Amazon's support line pretending to be Honan and added a fake
credit card number to the account. Then they called Amazon again and claimed to
have lost the account password. After giving the fake credit card number as well as a name and billing address,
Amazon allowed them to add a new email address to the account. From there, they
sent a password reset to the new email and could see the last four digits of
all the credit card numbers on file for the account, Honan explained in the
With those last four digitsand his name and addressthe
hackers were able to get Apple to reset the account login. Because his online
accounts were linked together, the hackers now had the keys to his digital
"I shouldnt have daisy-chained two such vital accountsmy Google and my iCloud accounttogether.
I shouldnt have used the same email prefix across multiple firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org
," Honan wrote. "And
I should have had a recovery address thats only used for recovery without
being tied to core services."