Compromised iCloud password leads to nightmare (updated)
Updated. Former Gizmodo writer & current Wired Gadget Lab staffer Mat Honan is having a pretty bad day. As you can read on his Tumblr post (not to mention elsewhere), hackers compromised his iCloud account. They used that access to reset his iCloud password, reset his Gmail password, gain control of his Twitter account (which in turn gave them access to Gizmodo's Twitter feed and 400K followers) and generally wreak mayhem.
Unfortunately, Honan's iCloud account was tied to his iPhone and iPad, which both had Find my iPhone/iPad turned on. In the attackers' hands, the FMI utility was turned against Honan and both devices were remotely wiped. It got worse: his MacBook Air had Find My Mac enabled, which meant the hackers could erase his SSD... and they did.
Honan's iCloud password was unique to that service, but it was also only seven characters long and hadn't been changed in years. [This turns out not to be a key to the puzzle, see update #2 below.] Given the many points of exposure when iCloud accounts are compromised -- and the potential risk of serious consequences if remote wipe utilities like Find My Mac are controlled by malicious actors -- we recommend using a memorable but strong password for iCloud. (Strong and unique passwords are a good idea in general, but while Google's accounts have options for two-factor authentication with SMS or the Google Authenticator app, iCloud doesn't.)
[Honan was targeted by a hacker group that had previously gone after high-profile Twitter users, which is an unlikely scenario for most of us. However, the risks of an unintended or malicious data wipe if you lose control of your iCloud password are real whether you're an Internet celebrity or not. –Ed.]
The easiest way to come up with a strong password is to use a tool such as Diceware, but as our Twitter followers point out you do need to be able to enter your iCloud password quickly and easily on iOS devices if you plan to install or update App Store apps. It's not always simple to balance security and convenience, but it's important to consider the risks before you go with an easy-to-crack password.
Unfortunately there's no easy way to segregate the Find My Mac feature from the other Mac iCloud features like Photo Stream, Documents in the Cloud and Back to My Mac; if there was, you could have a 'shadow' iCloud account used only for that, with no email or App Store exposure at all. You can, however, set up separate iCloud accounts for email, calendars and contacts and/or App Store purchases -- but that rapidly defeats the "all your data, anywhere" advantages of iCloud in the first place.
A toggle switch to disable Find My Mac's remote wipe capability could also it a little more consumer-friendly, with a separate PIN code to turn the feature off or on; alternatively, with FileVault 2 Apple could replace the drive wipe with an encryption/lock pass to prevent thieves from accessing the data. But the odds of encountering a determined hacker clan set on wiping your computer remotely are arguably far lower than those of losing your MacBook to carelessness or theft; good backup strategy plus Find My Mac is a better choice for the latter risk.
Our sympathies to Mat; we wish him luck in recovering his data and piecing his digital life back together.
Update: Mat reports that he is working with Google to restore his account access (and, since his phone was linked to his Google Voice number, his ability to receive and send text messages) and has a Genius Bar appointment today to review his options for data recovery on his MacBook Air.
Update 2: Mat has determined that the hackers did not brute-force his password or cobble together answers to his security questions; they apparently did some clever social engineering on Apple's support reps and managed to wrangle a password reset without those answers. Mat told his story on TWIT Sunday and will detail all the machinations in a story for Wired that comes out on Monday. He has contacted Apple corporate and PR to give them an opportunity to address the policy issues brought to light by this incident.
Subscribe to Newsletter
Software Updatesmore updates
- Dropbox adds file/folder renaming and Office document editing to iOS app
- Vizzywig 8xHD price tag now a very affordable $49.99
- Automatic targets teen drivers with License+ service
- Dropbox adds support for TouchID
- YouTube for iOS gets updated with full support for iPhone 6 and 6 Plus
- iOS 8.0.1 update now available (Updated -- Don't update!)