
Yes, I was hacked. Hard. - thibaut_barrere
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
======
thaumaturgy
Damn, poor dude. The remote wipe was a pretty big asshole move.

I'm pretty curious about the initial break-in on his .mac account. I suspect
that either he's misremembering and he has used the password elsewhere (and it
was compromised there -- easy to happen over so many years of use), or it
wasn't very strong to begin with and it got guessed after a handful of
attempts.

There are a handful of takeaways from this:

\- Backups, obviously. A lot of people here so far are mentioning online
backup services, but those would be just as vulnerable to this kind of attack,
since they're accessible online and use an email account for password resets.
Online backup services and physical offline backups solve different problems
and it's a good idea to use both.

\- Since I haven't seen this mentioned anywhere else: I wonder if it's time to
consider keeping a "secret" email account that's only used as the password-
reset account for all of your services? Something that you never use for
communication, never publish anywhere, something with its own entirely
separate password.

\- Be careful about owning multiple devices from a single vendor that provides
remote access and other kinds of control to those devices. Mobile devices are
inherently insecure; they shouldn't carry sensitive personal information,
ever. There are a lot of really good reasons for going with a single vendor,
and remote wipe is a really valuable tool in case of theft, but the downside
is ... well, this.

\- Use some kind of password storage mechanism. (I prefer something that's not
tied in to a publicly-accessible service.) I've made a game out of memorizing
horrible passwords, and can recall quite a few without any patterns or
mnemonics or the like. Still, I use KeePass every day anyway.

And maybe most of all: I doubt there's a single one of us that has a moral
high horse to ride on this. Everybody always has something better to do than
set up a new backup system or dick around with something that will only maybe
hurt them someday. I'm constantly harping on other people about backups, but
only a couple of days ago got my development machine on our network backup
system; I'm pretty anal about passwords, but still I'll panic pretty badly if
my laptop is ever stolen, because in there, somewhere, is probably a plain
text password stored in a file that I've forgotten about, and there'll be a
chance that I'll forget to change that particular password if I find myself
having to suddenly change every single password for everything I've got access
to.

~~~
strictfp
+1 for the moral high horse. Every time something gets hacked the hacker
community blames the victim for using less-than-optimal security. Well guess
what? There is no foolproof system. The same reactions are seen when sites go
down. 'Oh, but they should have used a distributed, redundant buzzword
compliant system in a multitude of nuclear bunkers and this would never have
happened'. Every system has weaknesses. And every person or team is imperfect.
Sure there are lessons to learn, but let's show some sympathy and ask the
persons involved what they would improve, not assume that we understand
everything and dictate what they should have done.

~~~
mchanson
Not having any backup is, for a technically capable user, indefensible.

~~~
hnriot
How is it even possible? iOS devices back themselves up every time they are
plugged into a Mac automatically, and it's really difficult not to have a Mac
backup, Time Machine just does it automatically whenever it feels like it. I
find that within the Mac ecosphere, it's hard not to have backups.

I back up Gmail with gmvault to a thumb drive, which I suppose is beyond many
non-technical people, but I'm sure Google will figure out how to restore his
account without much difficulty.

I wish I knew how this person knew how his password was compromised, it sounds
reasonably secure.

~~~
egypturnash
I suspect a lot of people ONLY have the devices, and have not spent the extra
few hundred on any kind of backup. A Time Capsule? A third-party remote backup
service? An external HD? That costs MONEY!

I personally haven't plugged my iPad into my Mac in ages. Then again I've also
made damn sure it's backing itself up to the cloud. I'm not sure if this is
the default setting. It should be, IMHO.

(And I gotta say, it's really freeing to know that even if all my possessions
are destroyed, I will have lost at most a day or so of work.)

~~~
lparry
Backing up to the cloud isn't going to help in this guy's situation. The
malicious user had access to his iCloud account to remote wipe his devices,
they would (did?) just as easily delete his cloud backups.

------
rickmb
One thing that worries me about iCloud is that it puts a lot of data and
services behind one single password.

Said password is therefore used a lot, with a lot of chances for interception.
But most of all, it's used for trivial matters in which password typing is a
nuisance (installing a cheap iPhone app), which pretty much invites people to
use a weak, easy to type password.

iCloud should have multiple, completely separate forms of authentication for
services like Find My Mac, instead of using the same login for wiping all your
Apple hardware as you use to download Angry Birds...

~~~
TazeTSchnitzel
Same reason why I worry about Google Accounts.

Your email, contacts, calendar, location, phone security, documents, files,
music, videos, games, apps, credit card details, merchant account, search
history, web app hosting, etc., all on one account.

~~~
nl
Turn on 2-factor auth.

I thought about it and worried about it and thought about it some more, and
finally did it.

And I had no problems at all - it works really well.

~~~
klodolph
Dedicated attackers routinely bypass two-factor auth. If your second factor is
your phone, then they simply attack via the phone carrier first.

~~~
spindritf
Don't use texts for the two factor auth, use Google's app
[https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en)
and print out the one time codes when prompted (for when your phone is
unavailable for whatever reason).

As a bonus, you can also use it when logging in over ssh with password
[http://askubuntu.com/questions/159727/how-can-i-use-a-passcode-generator-for-authentication-for-remote-logins/159728#159728](http://askubuntu.com/questions/159727/how-can-i-use-a-passcode-generator-for-authentication-for-remote-logins/159728#159728)

Anything can be hacked but it's a really solid system, even against a targeted
attack and motivated attacker.

~~~
Andrex
Thanks for the link, but could you explain why texts are non-optimal?

~~~
lallysingh
Phone companies are often quite stupid about letting phone numbers (with their
texts) get redirected. Like you don't have to know any private information,
just have a good story stupid.

------
mtkd
"He and Gawker’s Scott Kidder then got on the phone with contacts at Google
and Twitter trying to help me put the brakes on."

Of all the issues surrounding this event, this one concerns me most. Most
users would not be able to escalate like this. Hosted services need to be
providing this level of support to all customers 24/7/365 - or at least offer
it as a premium option.

~~~
mhansen
For Google Apps paid users:
[http://googleenterprise.blogspot.com.au/2011/11/24-x-7-phone-support-for-all-issues-and_14.html](http://googleenterprise.blogspot.com.au/2011/11/24-x-7-phone-support-for-all-issues-and_14.html)

~~~
mtkd
I have this - and I had reason to call it recently due to a technical issue.

In short: I'd paid in advance for a 1 year Apps account a month before the
monthly billing came into place. My credit card expired with 11 months of the
contract left, but they suspended the account as that appears to be policy
with the new monthly billing system. I received no email asking to update the card
prior to suspension. This suspended all the services it was connected to. Call
centre couldn't help, account was down for 18h - they just said wait for new
card to propagate.

I'm sure if a journalist from Gawker had posted this to HN it would have been
resolved with more urgency.

------
tylermenezes
Everyone's focusing on the security of the password and iCloud, but I just
wanted to take a second to say: fuck who did this. Yes he should have backups,
but erasing someone's things is such a juvenile thing to enjoy.

Edit: Surprised to see Cloudflare is proxying their website. I understand
wanting to be impartial, but I think it's fairly easy to draw the line at
groups breaking the law.

~~~
cstross
_erasing someone's things is such a juvenile thing to enjoy_

I don't know what part of the world you're in, but here (in the UK) it'd
actually be a criminal offense carrying a multi-year prison sentence under the
Computer Misuse Act.

I'm wondering at what point the police or law enforcement get involved in the
US?

~~~
tylermenezes
Generally if the person is important enough.

This is the only case I can think of where non-classified information leaks
were prosecuted: <http://en.wikipedia.org/wiki/Sarah_Palin_email_hack> (There
are probably more, but I can't imagine any would actually disprove my point.)

~~~
cstross
This isn't solely about an information leak, though -- it's about willful
destruction of property (i.e. all the victim's data getting vaped).

~~~
pyre
Usually the FBI is the agency that you go to with this stuff, and they usually
don't help unless you can claim X hundreds of thousands of dollars in losses.
Basically, they only care about rich people and corporations. Hackers are
given a blank cheque so long as they only do small amounts of financially
quantifiable damage.

------
pilif
If he really hasn't used that password anywhere else and it was not based on a
dictionary word, then I highly doubt OP's password was brute-forced.

Brute-forcing the iCloud password is an online attack and would probably
(hopefully) be caught by apple.

What is more likely is a keylogger or similar malware at which point even a
longer password would not have helped. The days where macs are free of malware
are unfortunately over.

~~~
0x0
Or maybe there's a problem with the iCloud auth protocol, and it was snooped?
For example, that in-app purchase hack (which involved a MITM attack after
installing a custom SSL CA) revealed passwords were being sent "in the clear"
inside the SSL transport.

This is just speculation.

~~~
nikcub
My first impression is that either a session token or password was intercepted
from iCloud either via malware or MITM. But the post mentions that the iCloud
password was reset, which means the account may have been hacked via Apple ID
security questions[1].

When I just did this for my own account, the first security question is your
date of birth, which is easy to find for anybody via Facebook. The second was
a generic security question.

These are easy to guess or to find out via social media. You could spearphish a
user by sending them a free account to a web service and asking them the same
security questions on registration.

The security isn't adequate, considering the data that is held behind an Apple
ID. I also can't believe they have a delete feature that cannot be undone.

For my own account I have done a few things. First I have a secret email
address for online accounts that require higher security. These emails are
unique for each service and are not published anywhere. I have also removed
all of my personal information from my social accounts, such as date of birth,
name of school, etc. and my security answers are always random strings.

The other option is that malware was used, or a transparent proxy. If iCloud
doesn't verify the server certificate it would be straightforward to proxy
the HTTPS requests. iCloud will also always send out connection attempts every
x minutes, so if you accidentally connect to a public WiFi hotspot or personal
network with an intercepting proxy set up, you can have your password stolen in
a matter of minutes.

I am also not super-confident about two-factor auth. I noticed that with
Google Apps the verification SMS messages can be read using the web interface
for my telco provider. A web interface that is protected by nothing more than
an email address and password with the same weak security questions.

I think it is very feasible to hack around second-factor SMS notifications by
first hacking the telco provider web interface and reading then deleting the
SMS alerts. You are only as secure as the weakest link in the chain.

[1] [https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/wa/iforgot](https://iforgot.apple.com/cgi-bin/WebObjects/DSiForgot.woa/wa/iforgot)

~~~
wamatt
Wow, I wonder if people realize just how scary this is. Security Questions are
a terrible idea.

~~~
TwoBit
The solution is to intentionally answer the security questions wrong. For
example, always spell your mother's maiden name backwards.

------
emptyage
Hi, I'm Mat Honan (the guy who was hacked). I've been in touch with the person
who hacked my account. He says it wasn't brute force, or guessed. I'll publish
more when I know more.

To be clear, the password was unique. I use 1Password as a password manager
and even double checked to make sure that I wasn't using it anywhere else.

~~~
tricolon
Have you considered (temporarily) disabling comments on your blog? Many of
them are quite hostile, and might as well be deleted.

~~~
emptyage
They're rabid. But I think it's kind of an interesting side note at this
point.

~~~
ninguem2
What have you done to elicit so much hate (from the hacker and the
commenters)?

~~~
emptyage
I genuinely don't know. The hacker said it wasn't personal. My guess is that I
was a waypoint to get to Gizmodo.

------
0x0
That's it, I'm disabling "Find my mac". I guess it wouldn't work anyways if a
thief is far away from my home or work wifi. So in essence, it's a remote wipe
backdoor for when the device is in my possession, and useless if it's stolen.

FileVault2 should take care of the theft problem anyways.

Too bad you can't partially-enable Find my mac for the location service, while
disabling the remote wipe and lock services.

~~~
Zr40
Instead of only disabling Find my Mac, please make sure your backups are
functional and enabled. That way, if your machine fails or gets wiped (whether
it's by you, a thief or someone with your iCloud password), you can still
recover everything.

~~~
0x0
Sure. But should something like this happen, I'd prefer to not waste time
having to sit through a complete reinstall before I can start damage control
by changing passwords online, etc.

~~~
lotyrin
That's what live CDs are for. If your system gets owned, you can't trust it
anymore.

~~~
0x0
I don't think getting hold of the iCloud password would let anyone "own" my
mac. (The only things they should be able to do with that would be messing
with my synced address book, notes and photostream - and if "find my mac" was
enabled, perform a remote wipe).

------
dbecker
The hostility towards this guy in the comments is astounding. I already had
low expectations for comments on blogs, but this took it to a whole new level.

~~~
ricardobeat
Impressed by that too. It gives the impression that some of the commenters are
involved with the stunt.

~~~
masterzora
Honestly, it gives the impression that some of the commenters are from the
internet. As sad as it is, you can kind of expect shit like that from
completely disinterested parties who just want to be assholes.

~~~
slantyyz
It's not much different than driving - the nicest guy can turn into the worst
a-hole on the road.

The internet, like a car, somehow makes people feel like they have an
invincibility cloak on that lets them behave badly.

~~~
jmacdotorg
Wandering a bit OT, admittedly, but I feel obliged to push back against this
notion. I know you didn't mean it this way, but I see it too often to wave
away worse examples of abusive behavior, and it's just not healthy.

The "nicest guy" would not use language like "bitch" or "fag" in comments (to
pull the first example I saw in that post's responses), because this implies
an assumption that comparing the target to a woman or a gay man should be
received as a deeply cutting insult. And this alone acts as enough of a cover
for me to judge that book, really.

No, these are in fact rather horrible little people, and it wouldn't surprise
me if they were in league with the perps who erased this guy's stuff for teh
lulz or whatever.

~~~
slantyyz
Yeah, you're right, the behaviour is intensified on the Internet, probably
because of a greater perceived sense of anonymity. On the road, you've got
license plates, people with cameras, cops, the risk of getting into an
accident, etc. to occasionally keep people in check.

But to clarify my earlier point, if the nicest guy can turn into a bad person
on the road, imagine what a not-so-nice person can turn into.

------
smadam9
_> >7 digit alphanumeric_

...could mean anything from _myacct1_ to _iS2xd45_

Since the password is no longer in use (only assuming), it would be
interesting to know what it was - perhaps the reason that it was hacked was
that it simply was easy to brute force due to common dictionary words?

Just throwing an (possibly wrong) idea out there.

~~~
bigiain
That still raises some questions. You're either implying Apple allow enough
login attempts for brute force against their live web services to be possible,
or that someone somehow got hold of the password hash.

Without knowing the guy, I strongly suspect a reused password that was exposed
somewhere other than Apple/iCloud. Anyone want to bet against this Gizmodo
guy's password being in the Gawker password dump?

~~~
bigiain
I guess I owe @mat an apology here - it seems Apple's customer service was at
fault, not @mat's password reuse practices…

------
jrockway
This is why I use two factor authentication for my email. It's a usability
nightmare, but not as much of a nightmare as losing all my accounts
everywhere.

~~~
AncientPC
Two factor is magnitudes better than password only, but it's not foolproof.

Security is only as strong as the weakest link. CloudFlare was hacked recently
because the attacker was able to redirect voicemail to another account, then
use the two-factor backup recovery phone option to take control of Google
Authenticator.

[https://blog.cloudflare.com/the-four-critical-security-flaws-that-resulte](https://blog.cloudflare.com/the-four-critical-security-flaws-that-resulte)

~~~
jrockway
You can no longer recover a Google account via a voicemail message, and AT&T
now allows you to lock changes to your account with a passcode. And, the
people that committed this particular attack are now in jail awaiting trial.

------
racbart
This is one of the reasons why I have a different Apple ID for app purchases
(with a weaker password which I'm more comfortable typing over and over again
when purchasing apps) and a different one for iCloud (which I need to type only
once, configuring the device).

I saw many people buying their apps in public and the password input in iOS
isn't really secure from bystanders. As a Gizmodo reporter he probably went to
dozens of events where he was pitched to try someone's app and maybe even
given App Store codes. If he used to download apps at such events that might
be the source of his leaked password. Someone could simply see what password
he is typing.

As long as Apple requires you to type the password with each purchase, it is
wise to separate your sensitive data/services with the App Store credentials.

~~~
wamatt
Never understood Apple's insistence on asking for the password all the time.

For such a customer focused company, it just seems so bad.

~~~
hrktb
If you get the chance to watch a kid playing with an iPhone it's an eye
opener. The 15-minute no-auth-required window after an app purchase is the
devil's time.

~~~
vidarh
Airplane mode.

------
growse
Well, if you will put complete remote control of all your devices behind a
single, weak password.....

~~~
CamperBob2
What difference does it make how strong the password is? It was a seven-digit
alphanumeric password, right? Is iCloud going to permit up to 36^7-1 failed
login attempts in a row without rate-limiting, banning, or launching missiles
at the owner of the offending IP address?

Assuming the answer is no, there are only two remaining alternatives: 1)
Someone targeted and keylogged him to obtain the password, in which case it
doesn't matter how strong the password is; or 2) Someone hacked iCloud itself
and stole their (presumably unsalted) password file.

In that case, yeah, a stronger password might've helped. Bad user. No cookie.

But if _he_ thinks he's having a rough night, consider what scenario #2 would
mean to Apple. The impact of an iCloud hack would be measured in multiple
billions of dollars of market capitalization.

~~~
smadam9
The strength of the password is relevant in the scenario where the password
was actually brute-forced through an interface. If it was _jesus01_ (or
something else common - typically religious), then it may be an easy hack for
the hacker.

~~~
smadam9
"Brute-forced" was a bad word choice.

Typing-the-most-common-passwords-with-numbers through the interface style.
Basically guessing from the top password list.

~~~
CamperBob2
But again, why would iCloud allow that many consecutive failed login attempts
without locking the account?

~~~
smadam9
iCloud would surely block consecutive failed login attempts. From the post,
reading _years and years_ opens up the possibility that it may have been
something the hacker was following for some time. Therefore, he would have
been blocked, but may have come back in 1 week to try again.

The possibility is a bit far-fetched, but it exists. The likelihood that this
was actually the case is extremely low.

~~~
bigiain
I _strongly_ suspect the iCloud web login will block brute force attempts.
What I do wonder though, is if there's some other place an iCloud/AppleID
login can be brute forced without appropriate rate limiting? Maybe an IAP API
endpoint? Or an in app advertising endpoint? I wonder if the "check whether an
IAP succeeded" API that the "just redirect your DNS to my server and add my
root cert" "exploit" uses is failing to block brute force attempts?

------
robomartin
Every machine we have has local backup in the form of a sizable external USB
drive. Some also backup to a network drive. Windows and Mac. With dozens of
machines it is hard to justify paying for remote backup. Although, every time
I say or think this I also think: fire, theft, earthquake. I wish there were a
reasonably priced multi-machine remote backup service at an affordable price
with storage measured in terabytes. One hundred gigs doesn't even begin to
scratch the surface.

~~~
Soliah
There is Backblaze[1]. Unlimited backup at $50/year/computer.

[1] <http://www.backblaze.com/>

~~~
jasonlotito
My wife recently started using this. She wanted to have another source backing
up her photography (being a photographer and all...), and this was highly
recommended by all her friends with expensive cameras and even more expensive
lenses.

I was shocked, mostly because the price was fairly inexpensive, and her lot
love to spend lots of money on small things.

I take pictures with my iPhone. =/

------
ck2
_My guess is they used brute force to get the password_

How can a system allow login attempts so fast and often that a 7 digit word
with numbers can be hacked?

That's hundreds of thousands of attempts.

~~~
CamperBob2
About forty billion attempts, to be specific.

It wasn't brute-forced, unless somebody got their hands on the iCloud password
database.

------
Zenst
Very well written story and also very educational on the faith people put in
cloud backups. Even if you have a cloud backup/synchronised it is still worth
popping over to your mum's or a good friend's with some burned DVDs or an external
USB drive (if you have two you can swap them every time you visit). This
approach is good as a cheap offsite backup and also social at the same time.

As for linked accounts, that again is another education many of us have
probably overlooked and I would say if you do have a 2-factor facility that
uses SMS, maybe think about digging out an old phone and getting a PAYG SIM
with a token credit and using that number. But security is a never ending
drive bordering on paranoia and in that you do what is enough to help you
sleep at night after reading the article.

Don't think I have seen an article doing a test on how easy it is to recover a
hacked account and how long it takes. I certainly have never seen any speed
comparisons, nor consumer reviews in that area. Anybody know of any at all?

------
user49598
Passwords: Don't try to remember them. Use a service like passpack to generate
and store random ones for every account. Two pass authenticate into it.

Data: Back it up. Back up your backups. Stop fucking around. If you don't get
hacked, your storage will fail.

Software: Don't install shit you don't trust. Don't trust shit you can't
verify.

Passwords: Don't try to remember them!!

It's 2012, not following these simple rules is inexcusable.

~~~
bigiain
Unfortunately, my AppleID password is one I _do_ need to remember - I need to
use it often, and in places that 1Password won't auto fill. At least: the
iCloud website login, various iDevices when using app store, and iTunes on
several machines (all on the home sharing network). The alternative seems to
be to have all those devices "remember" my AppleID password, which seems like
a security lose.

~~~
nl
_Unfortunately, my AppleID password is one I **do** need to remember - I need to
use it often, and in places that 1Password won't auto fill._

Write it down on a piece of paper (or use a password manager that will show
your password).

Back in the 1990s "writing down passwords" was considered a huge security
hole.

Nowadays attack vectors have changed and it is probably more safe than using
a memorable password.

_The alternative seems to be to have all those devices "remember" my AppleID
password, which seems like a security lose._

If your devices are physically safe, and iCloud has remote log-out (does it?)
then this may be more safe too.

~~~
danso
Not disagreeing with you but think of all the times you need your appleID on
the go. Carrying around a piece of paper may not be feasible or ideal

~~~
DanBC
The strong password has value. Credit cards and cash have value.

Write the strong password on a credit card sized bit of paper, and keep it in
your wallet.

People tend to keep their wallets safe.

Most people can learn complicated passwords after a few days or weeks of use,
so you can keep the paper in a safe place at home once you've learnt it.

~~~
ricardobeat
Worst advice ever. Now you only need to lose your wallet and you're in the
same situation as the article's. The old advice is still sound.

~~~
cheald
If you label the passwords you're probably doing it wrong. If someone pulls
out a piece of paper that says "QWhXnLv0qzi1h1m" out of my wallet, how are
they going to use it?

If you're worried about someone stealing it, just shift the password over, so
it's now "mQWhXnLv0qzi1h1 > 1" on paper.

~~~
ricardobeat
Any tech savvy person knows that has a strong possibility of being a password.
Grab an ID, google "your name gmail", log in.

The kind of weak encrypting scheme you can remember is easily defeatable, this
is still very vulnerable even if you leave one or two letters off (which
you'll have to remember in addition to the scheme). So, going back to the
parent, no, this isn't safer than a password in your head.

~~~
petitmiam
but this isn't the password for gmail. This is the password for the password
manager account. So you need to know the password manager they are using and
the username to match with the password. They have to find this out within the
time that we've realised we have lost our wallet and are changing the
password.

Obviously this is still less secure than no password in the wallet at all, but
I don't think it's "very vulnerable" as you are claiming.

------
piffey
Hate to repurpose a cliche, but never put all of your eggs in one basket.

~~~
tomjen3
On the contrary.

Put all your eggs in one basket and then _watch that basket_.

------
fjarlq
No backup? Seriously? Wow.

What do people like for backups these days? Crashplan seems pretty damn good
to me.

~~~
thaumaturgy
...Wait, you mean, an online backup service that sends emails (and password
reset requests) to an email account that can be compromised?

Hm.

~~~
crazygringo
Question: could an attacker delete my CrashPlan backup via the website?

It seems like they should be holding on to files for a 30-day period or
something. Does anyone know?

~~~
thaumaturgy
Doesn't look like they hold on to the data if you remove a computer from your
CrashPlan account:
[http://support.crashplan.com/doku.php/how_to/remove_a_comput...](http://support.crashplan.com/doku.php/how_to/remove_a_computer)

(I do like CrashPlan, but this seems to be common practice with data storage
services.)

Removing the computers associated with a CrashPlan account and then cancelling
the account looks like it'll cause a pretty big headache.

------
OmIsMyShield
Is there some background concerning the author that I'm not aware of? Asking
because some comments (at Emptyage, not here) seem unusually hostile.

------
rcthompson
So via your iCloud account someone can remote wipe all your Apple devices?
That seems like a questionable design. Does anyone know the rationale behind
this? I guess it would be useful to deny access to your data in the case where
your device is physically stolen.

Maybe there should be a significant time period (hours?) after a password
change where this functionality (and any other data-destruction functionality)
is disabled. Or maybe a password change should require you to re-auth every
device before data remote deletion features can be used on it.

~~~
3143
It's so that _you_ can remote wipe your own devices if you lose them, in case
you have sensitive data on them. For example, my employer requires that you
enable this feature if you want to get your work email on your phone.

------
danso
Don't know if this has been mentioned yet, but Gawker was completely hacked to
pieces two years ago.

<http://www.wired.com/threatlevel/2010/12/gawker-hacked/>

The most visible consequence was that the entire user DB was compromised and
the site rooted. But other consequences were that the hackers had cracked a
large number of Gawker staff accounts and even had access to internal emails
and chats.

I think it's feasible that enough internal info was leaked to compromise
Gawker's staff for years. Some of them probably thought resetting their
gawker.com account was enough, forgetting that that password might have
been used elsewhere. Also unclear is how long the hackers were snooping around
before the hack was discovered...in that time, they could have downloaded dumps
of staff email and gmail accounts.

The upshot: someone out there might have several GB of personal Gawker staff
info. Ever email your ID number to your own email account? Has anyone
ever emailed you credentials that you forgot in the heat of the moment? How
many times does your social security number appear in your Gmail, thanks to
attached billing/app files that originated from there?

And remember that the hackers had root access to everything at Gawker, even
the site source code. How positive is everyone there (remember that the
owner's laughable password is one of the main reasons that Gawker got crushed)
that no key-loggers had been secretly installed and have been running all this
time? It doesn't even require anything that sophisticated...all it takes is
one security-unsavvy staff member...and this is a staff of mostly culture
writers...to do something insecure.

I'm not sure if Mat was employed by Gawker all this time but even if he came
after the hack, you can see how one massive data breach can have almost
permanent implications within an organization.

That said, what an awful incident and thank you to him for writing a thorough
account of how he coped...this is a valuable lesson to everyone and I hope
they find the punks who did it.

* To underscore my point, I didn't realize that Honan is recently a former Gawker employee. Yet he had enough credentialed access for an outsider to break into Gizmodo's twitter account. I bet Gizmodo didn't think that an amicable departure of an employee was enough to warrant a password change to Twitter...but if his emails contained the password, then it's an easy hack. If I were Gawker, I would change EVERYTHING...not just gizmodo info, but all of its sister Gawker site credentials. They should assume the worst and that someone out there has all of Honan's emails, including every time he might have been emailed credentials in plaintext

Also, Honan's current employer, Wired, should do the same. Change all the
keys.

------
Orva
Remote data wipe access to devices from cloud service. What could go wrong?

~~~
duaneb
Well it's still much preferable to not being able to wipe data from stolen
hardware.

~~~
michaelt
Better still would be encryption that meant there was no need to wipe data
from stolen hardware.

------
wrekkuh
After hearing how this attacker was able to move from one linked account to the
next, ultimately gaining a snowball effect of moving through, defacing and
wiping your data, from a security standpoint I can't say I'm surprised (of
course that doesn't mean I don't feel for you and wish it never happened to
you). I've made several avenues available to mitigate these types of effects,
none of which involve administration at Twitter like most of the world.

Now I don't mean to insult you, but one basic avenue is two physical, offline
& secure back-ups of everything I have on and off of the Cloud... with no
connection to any network. I do have to say that it took a little bit of time
to realize I did actually have to do this because my reliance on that data
crept up like a ninja! And before I knew it I had well over 30 gigs of data up
there in the Cloud, not backed-up.

------
sgdesign
I actually didn't even know that enabling "find my X" also enabled that remote
wipe option. I just disabled it for my MacBook Pro; Undercover is a much
better solution anyway: <http://www.orbicule.com/undercover/>

~~~
muppetman
Do people really think these services are actually much good though?

Sure there's a few amazing stories they use for the marketing campaign, but
that's about it. If you actually lose it (i.e. not stolen) then they work.

Most people that steal them though know exactly what they're doing and how to
wipe them properly. Same with mobile phones etc.

I guess something is better than nothing, but really it seems to me they're
selling you the same as the dream of winning lotto without mentioning the
actual odds.

------
aw3c2
> When I set it up, _years and years ago_ , that seemed pretty secure at the
> time.

If you did not change your password in those many years, an attacker had years
and years of time to find or crack it. Regularly change your passwords. And
use special characters.

------
mlloyd
It's both better than and worse than it appeared/feared. It turns out it
wasn't a password hack, it was a social hack against Apple. Looks like someone
recently watched the movie Hackers and wanted to see if that stuff still
works. Hint: It still works.

Update Three: I know how it was done now. Confirmed with both the hacker and
Apple. It wasn’t password related. They got in via Apple tech support and some
clever social engineering that let them bypass security questions. Apple has
my Macbook and is trying to recover the data. I’m back in all my accounts that
I know I was locked out of. Still trying to figure out where else they were.

------
dendory
The thing I keep thinking about when reading this is how many others, perhaps
thousands or more, get hacked like that but don't have his clout? No direct
line to Twitter, Google, etc..

------
at-fates-hands
Once again another cautionary tale about why you should be paranoid about the
security of your devices and accounts.

When securing anything, the best philosophy is to just assume you're going to
get hacked and act accordingly. Linking accounts, weak passwords, and no
encryption? You're just putting a target on yourself.

Best advice? Keepass, Whole disk encryption and using anonymous information is
a good start. Keep your stuff and accounts in separate silos, and stay in the
shadows.

------
breckinloggins
Regarding Google services:

When you enable Two-Factor Authentication, they give you the option of
printing a "one time pad" with six codes on it. You then print this out and
keep it safe somewhere. That way you can get into your account even if your
phone and other contact points are compromised.

This won't do you any good if someone has deleted your google accounts or
reset the 2FA system, but for more "normal" scenarios it can be a life-saver.
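The printed-codes mechanism described above, as an added example that is not part of this thread and not Google's implementation: the service hands out a handful of random codes once, keeps only salted hashes, and burns each code on first use. Function names, the code alphabet and the storage layout are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not Google's implementation: how a service can issue
# printable one-time backup codes for 2FA and later accept each one
# exactly once. Names and the storage layout are illustrative assumptions.

# Alphabet without easily confused characters (no 0/o, 1/l/i), since the
# codes are read back from paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 8


def _hash_code(code: str, salt: bytes) -> bytes:
    # A code of this length has roughly 40 bits of entropy, so a salted
    # SHA-256 is adequate; only the hash is stored, never the printable code.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def issue_backup_codes(n: int = 6):
    """Return (codes to print once, server-side record to keep)."""
    salt = secrets.token_bytes(16)
    codes = [
        "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        for _ in range(n)
    ]
    record = {"salt": salt, "hashes": {_hash_code(c, salt) for c in codes}}
    return codes, record


def redeem_backup_code(record: dict, candidate: str) -> bool:
    """Accept a code once; the same code presented again is rejected."""
    normalized = candidate.strip().replace(" ", "").lower()
    wanted = _hash_code(normalized, record["salt"])
    match = None
    for stored in record["hashes"]:
        # constant-time compare so timing does not leak which code matched
        if hmac.compare_digest(stored, wanted):
            match = stored
    if match is None:
        return False
    record["hashes"].remove(match)  # burn it: one-time use
    return True


def remaining_codes(record: dict) -> int:
    """How many unused codes are left; the user should regenerate at zero."""
    return len(record["hashes"])


if __name__ == "__main__":
    printable, server_record = issue_backup_codes()
    print("print and store these:", printable)
    print("first use accepted:", redeem_backup_code(server_record, printable[0]))
    print("second use accepted:", redeem_backup_code(server_record, printable[0]))
```

Because the codes are only ever held as hashes, a leaked user database does not hand an attacker a way around the second factor; the weakness the comment above names (an attacker who can reset the whole 2FA setup) is outside what this code can protect.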

------
koevet
It should also be noted that on the iCloud web site there is no link to change
password. This is the url to access the "My Apple Id" page and change the
global password: <https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/>

------
rdl
Probably was hacked through email, then iCloud password recovered through it.

I wish there were a special high security password recovery email mailbox,
separate from routine communications mailbox, in apps. Would be really hard to
get adopted, and at that point, you might as well push for something better
than passwords.

------
bdz
The online backup service advice sounds good but what about the people, like
me, who have an upload speed of only 64kb/s? No Backblaze or Crashplan for
me... Neither can I upgrade my internet connection. So what to do? I have two
Time Machine backups (one hourly at home and one daily at another place).

------
dctoedt
I wonder _why_ the article author was (seemingly) targeted? And who else might
the criminal be targeting?

Or could this be completely untargeted? That might mean that anyone with a
password vulnerability is at risk of having their digital life wiped out. That
seems pretty extreme for lulz.

------
nicholassmith
I'm amazed that Apple isn't running something to check for brute force attacks
on iCloud.
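The kind of check this comment wishes iCloud ran, as an added example that is not part of the thread and not Apple's code (the thread does not describe what Apple actually did): a sliding-window counter over failed logins that locks an account, or a source address, after too many recent failures. The thresholds, the window and the sample login events are constructed for illustration.

```python
from collections import defaultdict, deque

# Added example, not Apple's code: a sliding-window failed-login counter
# that locks an account, or a source address, after too many failures.
# Thresholds and the sample events below are constructed for illustration.

WINDOW_SECONDS = 600
MAX_FAILURES_PER_ACCOUNT = 5
MAX_FAILURES_PER_SOURCE = 20  # looser: one NAT address may serve many users


class BruteForceGuard:
    def __init__(self):
        self._by_account = defaultdict(deque)  # account -> failure timestamps
        self._by_source = defaultdict(deque)   # source IP -> failure timestamps

    @staticmethod
    def _prune(q: deque, now: float) -> None:
        # Drop failures older than the window so counts reflect recent activity.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, account: str, source: str, now: float) -> bool:
        acct_q, src_q = self._by_account[account], self._by_source[source]
        self._prune(acct_q, now)
        self._prune(src_q, now)
        return (len(acct_q) >= MAX_FAILURES_PER_ACCOUNT
                or len(src_q) >= MAX_FAILURES_PER_SOURCE)

    def record(self, account: str, source: str, success: bool, now: float) -> None:
        if success:
            self._by_account[account].clear()
            return
        self._by_account[account].append(now)
        self._by_source[source].append(now)


def replay(events):
    """Run (timestamp, account, source, password_ok) events through the guard
    and return the decision taken for each one, in order."""
    guard = BruteForceGuard()
    decisions = []
    for ts, account, source, password_ok in events:
        if guard.is_blocked(account, source, ts):
            # Reject before the password is even checked. This attempt is not
            # counted, so the lockout ends WINDOW_SECONDS after the last counted
            # failure instead of being extended by continued guessing.
            decisions.append("blocked")
            continue
        guard.record(account, source, password_ok, ts)
        decisions.append("ok" if password_ok else "failed")
    return decisions


# Constructed sample (TEST-NET addresses): an attacker on 203.0.113.7 guesses
# at one account, the real owner then logs in from 198.51.100.2, and later the
# same attacker sprays one guess each across many accounts.
SAMPLE_EVENTS = (
    [(t, "mat", "203.0.113.7", False) for t in range(7)]
    + [(10, "mat", "198.51.100.2", True)]      # owner caught by the lockout
    + [(700, "mat", "198.51.100.2", True)]     # window expired: allowed
    + [(1000 + i, f"user{i:02d}", "203.0.113.7", False) for i in range(21)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The per-account lockout is what stops guessing at a single target, and it deliberately also rejects the real owner's login at t=10; the per-source counter is what catches one address trying one guess against many accounts, which a per-account threshold alone never sees.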

~~~
dekz
As am I, considering almost weekly I used to get my iTunes account reset from
failed attempts (maybe an old app or suspicious activity?).

More likely the writer erred and reused the password.

~~~
nicholassmith
Or had his password shoulder surfed or something similar.

------
Xyzodiac
Why would anyone store that much data behind one password? Apple really
shouldn't give the ability to remotely destroy all data on multiple devices
with a single password.

I love my MacBook and all, but I would never use such a stupidly insecure
service.

------
oinksoft
Wow, who would give a program like "iCloud" access such that it could wipe
your mobile, tablet, and PC? I hope the author can recover his data, but it
sounds like he set himself up for disaster by linking all his systems so
strongly.

------
419
>>They weren’t able to stop the wipe on my Macbook. Or give me a pin to log
into it.

I don't use a mac so this question might seem a little off.

Wouldn't disabling the computer's internet access stop his data from being
entirely wiped?

~~~
justincormack
Yes but he didn't realise what was happening. Ran for the computer, not the wifi
router.

------
shocks
Google two-factor auth doesn't work if you have IMAP or POP enabled.

~~~
gglanzani
In a sense it does. They provide a different random 16-character password for
each client that requests access to your data and does not support two-
factor.

So if someone hacks your gmail password, they still cannot login via IMAP or
POP, as they require a different password (which you shouldn't write down or
remember anyway).
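The per-client password scheme described in this comment, as an added example that is not part of the thread and not Google's code: a legacy-protocol login (IMAP/POP) only accepts an app password issued for that client, the account password alone does not open it, and each app password can be revoked on its own without touching the others. The `Account` type, the function names and the hashing parameters are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Google's code: per-client "app passwords" for protocols
# that cannot carry a second factor (IMAP/POP). Each client gets its own
# random secret, stored only as a hash, revocable on its own.

APP_PW_ALPHABET = "abcdefghijklmnopqrstuvwxyz"
APP_PW_LEN = 16


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    app_passwords: dict = field(default_factory=dict)  # client label -> hash


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table is expensive to attack.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, _hash(password, salt), salt)


def issue_app_password(acct: Account, label: str) -> str:
    """Generate a random app password for one client; shown to the user once."""
    pw = "".join(secrets.choice(APP_PW_ALPHABET) for _ in range(APP_PW_LEN))
    acct.app_passwords[label] = _hash(pw, acct.salt)
    return pw


def revoke_app_password(acct: Account, label: str) -> bool:
    """Cut off a single client (e.g. a stolen phone) without changing anything else."""
    return acct.app_passwords.pop(label, None) is not None


def web_login(acct: Account, password: str, second_factor_ok: bool) -> bool:
    """Interactive login: account password AND the second factor."""
    password_ok = hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)
    return password_ok and second_factor_ok


def imap_login(acct: Account, candidate: str) -> Optional[str]:
    """Legacy-protocol login: only an app password is accepted; returns the
    matching client label, or None. The account password never works here."""
    wanted = _hash(candidate.replace(" ", ""), acct.salt)  # users paste with spaces
    for label, stored in acct.app_passwords.items():
        if hmac.compare_digest(stored, wanted):
            return label
    return None


if __name__ == "__main__":
    acct = create_account("mat", "correct horse battery staple")  # constructed
    phone_pw = issue_app_password(acct, "phone-mail")
    print("IMAP with account password:", imap_login(acct, "correct horse battery staple"))
    print("IMAP with app password:", imap_login(acct, phone_pw))
    print("web login with app password:", web_login(acct, phone_pw, True))
```

The separation is the point: a stolen account password is useless against IMAP, a stolen app password is useless against the web login (where the second factor is also required), and losing one device means revoking one label rather than rotating everything.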

------
jstalin
I created <https://uncrackablepassword.com/> to generate passwords online that
I don't need to remember.

------
gcr
This article inspired me to begin using a password manager instead of putting
everything in `.netrc`, `getmailrc`, and plaintext passwords everywhere else.
Thanks.

------
tadhgk
Personally I think all web services should be using aliases (so you don't
login with the username that other people see) and pass phrases rather than
passwords.

------
alpb
That made me say thanks to Google 2-step verification.

------
dkroy
Haha, oh wow those comments on his post are horrible.

------
verelo
The comments on that blog post make me remember all the things i hate about
the Internet.

~~~
Jimbotron
Indeed - I found the comments on the post almost as bad as the malice of the
hack....

------
uncoder0
I hope the password wasn't:

g1zm0do

:)

~~~
uncoder0
Social Engineering... we never had a chance.

------
idiotblu
Well that sucks. Big time.

------
nubela
why is this news?

~~~
muppetman
Because it shows people the effect that someone getting your iTunes password
can have, especially if you've enabled Find my X in your account?

It shows that (maybe) it's possible to brute force an Apple password?

Because it's generally interesting reading, in the same way that people like
to rubberneck at car crashes. I'm not saying that's right, but it's human
nature.

~~~
pjmlp
Especially because people are dumb enough to trust important data to third
parties, instead of having it at home.

~~~
Dylan16807
Right. Because my own laptop is not 'at home'.

~~~
pjmlp
Encrypt the harddisk, and backup regularly when at home.

I imagine you have to be at home some point in the day right?

For the very important data, put it in a safe.

~~~
Dylan16807
What? My first comment was sarcastic. When I have my laptop within arm's reach
at home the data is safe without relying on a third party. Except when someone
installs a backdoor.

~~~
pjmlp
Ah, ok. Point taken.

I did not understand it like that, sorry about that.

------
fullfilldreams
Mat Honan's statement on being hacked scared me into changing every password.
You'll prob feel the same way, too.

~~~
CamperBob2
Not really. This was clearly a targeted attack, whether he realizes it or not.

A security problem, not a password problem, in other words.

