
How did hackers bypass Apple to access an iCloud account?

Based on my experience with Apple support, that is not an easy thing to do


The Internet is abuzz this weekend as a result of the Gizmodo Twitter account getting hijacked. That incident was traced back to the hack of an Apple iCloud account - allegedly accomplished through social engineering.

A Forbes.com story from Adrian Kingsley-Hughes explains that a former contributor for Gizmodo, Mat Honan, was the original victim of the attack. Hackers were able to access Honan's iCloud account, and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to crack Honan's iCloud password, but further investigation revealed that social engineering was used to convince Apple the attackers were Honan, and Apple gave them the keys to walk right in.

Colour me incredulous!

Why? Well, I have my own story of Apple woe - and it's the exact opposite experience. I somehow lost access to my own email address for use on iTunes, iCloud, and other Apple services, and it took months of fighting with Apple Support to finally get to the bottom of things and get into my own account. I couldn't get Apple Support to give me access to my own account, never mind someone else's.

I had originally set up my Apple ID using my primary email address. I didn't have any problem for months, maybe even years. Then, one day it simply wouldn't work. The Apple system claimed it was already in use on another Apple ID account.

I assumed I'd been hacked somehow. It's my email address. I own the domain. Nobody else could possibly use my email address with a different Apple ID account "on accident".

Initially, Apple Support directed me to just use a different email address. I did that as a temporary solution to enable me to access iTunes and other Apple services, but it was a Gmail address that I created just for that purpose. I don't use Gmail, and I had no intention of starting, so I was still determined to get my own email address back.

In my experience, Apple security was almost too tight. I tried repeatedly to reset the password for my email address, but the reset confirmation emails never arrived. The reason? The confirmation emails are sent to an emergency rescue backup email address. I had no idea what account was using my email address, so I had no way of knowing where those emails were being delivered.

No problem. You can also verify your identity to reset your Apple ID by answering security questions. The first one - the gateway to get to the actual security questions - is your date of birth. I entered my date of birth, and the Apple system told me I was wrong...about my own date of birth.

Every time I'd contact Apple Support I would get the same default answers, and "solutions" that wouldn't work. Apple Support would explain that my email address was already in use on another Apple ID account, and that until it was removed from that account I'd be unable to use it.

Exasperated, I'd explain again that I can't remove the email address from the Apple ID account because I had no idea what the Apple ID account was, or how to access it. Eventually, I'd become frustrated and quit. After a month or two, I'd contact Apple support and try again.

After many conversations and attempts, I finally had a breakthrough...sort of. An Apple Support person "cracked" and gave me an email address of the Apple ID associated with my email address. It was my wife's. However, we logged in to her Apple ID account to remove my email address and found no sign whatsoever of it being there.

Once again, I contacted Apple Support. I explained that I can prove it's my domain, and I can prove it's my email address, and I asked that my case be escalated to someone capable of simply deleting my email address from the other Apple ID forcibly. Then I was told it was actually attached to, or associated with, four different Apple IDs, but Apple couldn't do what I asked. I wasn't pleased.

I got my email address back. After over a year of attempts, and probably seven or eight different sessions with Apple Support, one of them finally "slipped" and gave me a crucial bit of information. It turned out that I was the one who stole my own email address.

The email address was associated with an Apple "me.com" address. Two of them, actually - and they were both mine. I never saw the reset confirmation emails because I've never actually used the "me.com" email addresses and I wasn't set up to receive the messages. The date of birth verification and account security questions wouldn't work, because I never set them up in the first place.

I do recall creating the "me.com" accounts to test some things out, but it wasn't a problem immediately. My guess is that Apple changed some rules on the backend after I had used my email address as an alternate contact on these other accounts, and that locked me out from using it as my primary email address on the Apple ID I actually use.

The bottom line is that I found Apple Support to be tight-lipped to a fault, and I'm surprised the attackers in the Mat Honan / Gizmodo incident were able to social engineer their way into his iCloud account. It took me over a year to "social engineer" my way into my own Apple ID.

Perhaps that says more about my lack of social engineering skills than it does about Apple security measures, but I can vouch for the fact that accessing someone's Apple account is no simple feat.



Comments

Johndoe said: Ridiculous post - check your facts. The password was lifted from his computer, which had spyware.

Xalman Xhan said: Security should be a part of cloud providers' core philosophy. If security isn't part of the DNA, good luck bolting it on later. After Amazon, SalesForce and DropBox, now iCloud has also hit the news, putting another question mark on cloud security. But in my opinion, cloud is strongly secured. There are many other factors that we sometimes neglect to consider before jumping to the decision. Here's an article on cloud security that I found very informative and may address most of your questions regarding cloud-security: httpwwwdincloudcomblogC I hope you will find it useful.


