The Internet is abuzz this weekend as a result in the Gizmodo Twitter account getting hijacked. That incident was traced time for the hack of an Apple iCloud account–allegedly accomplished through social engineering. A Forbes.com story from Adrian Kingsley-Hughes explains that the former contributor for Gizmodo, Mat Honan, was the initial victim of the attack. Hackers had the ability to access Honan’s iCloud account, and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to hack Honan’s iCloud password, but further investigation says social engineering was used to convince Apple the attackers were Honan, and Apple gave them the secrets of walk in.
Color me incredulous!
Why? Well, I have my very own story of Apple woe–and it’s the actual opposite experience. I somehow lost access to my personal email address for usage on iTunes, iCloud, along with other Apple services, plus it took months of fighting with Apple Support to finally arrive at the bottom of things and obtain into my own account. I couldn’t get Apple Support to give me access to my own, personal account, let alone someone else’s.
I had originally setup my Apple ID using my primary email. I didn’t possess problem for months, maybe even years. Then, some day it simply wouldn’t work. The Apple system claimed it had been already used on another Apple ID account. I assumed I’d been hacked somehow. It’s my email address. I own the domain. Nobody else could possibly use my email address contact information with a different Apple ID account “on accident”.
Initially, Apple Support directed me to simply use a different current email address. I did that as being a temporary solution to enable me gain access to iTunes as well as other Apple services, but it was a Gmail address that I created simply for that purpose. I don’t use Gmail, and I had no intention of starting, so I was still determined to get my own, personal email address back. In my experience, Apple security was almost too tight. I tried repeatedly to reset the password for my email address, though the reset confirmation emails never arrived. The reason? The confirmation emails are shipped to an emergency rescue backup current email address. I had no idea what account was using my email address, so I had no strategy for knowing where those emails were being delivered.
No problem. You can also verify your identity to reset your Apple ID by answering security questions. The first one–the gateway to arrive at the actual security questions–is your age. I entered my age, along with the Apple system said I was wrong…about my very own date of birth.
Every time I’d contact Apple Support I would have the same default answers, and “solutions” that wouldn’t work. Apple Support would explain that my email address was already in use on another Apple ID account, which until it had been removed from that account I’d be unable to put it to use.
Exasperated, I’d explain again that I can’t remove the email from the Apple ID account because I had no idea what are the Apple ID account was, or how to gain access to it. Eventually, I’d become frustrated and quit. After a month or two, I’d contact Apple support and try again.
After many conversations and attempts, I finally stood a breakthrough…sort of. An Apple Support person “cracked” and gave me an email address with the Apple ID linked to my current email address. It was my wife’s. However, we logged straight into her Apple ID account to take out my email address and found no sign whatsoever from it being there.
Once again, I contacted Apple Support. I explained that I can establish it’s my domain, and I can be it’s my email, and I asked that my case be escalated to someone capable of simply deleting my email address from the other Apple ID forcibly. Then I was told it absolutely was actually that come with, or connected with four different Apple IDs, but Apple couldn’t do what I asked. I wasn’t pleased.
I got my current email address back. After over a year of attempts, and in all likelihood seven or eight different sessions with Apple Support, one of these finally “slipped” and provided me with a crucial little bit of information. It turned out that I was the individual that stole my very own email address.
The email was connected with an Apple “me.com” address. Two of them, actually–and they were both mine. I never saw the reset confirmation emails because I’ve never actually used the “me.com” contact information and I wasn’t set up to receive the messages. The dob verification and account security questions wouldn’t work, because I never assemble them in the first place.
I do recall creating the “me.com” accounts to test some things out, however it wasn’t a difficulty immediately. My guess is Apple changed some rules around the backend after I had used my email address contact information as an alternate contact on the other accounts, knowning that locked me out of using it as my primary current email address on the Apple ID I actually use.
The bottom line is I found Apple Support to get tight-lipped to your fault, and I’m surprised the attackers in the Mat Honan / Gizmodo incident were able to social engineer their way into his iCloud account. It took me at least a year to “social engineer” my way into my very own Apple ID.
Perhaps that says more about my insufficient social engineering skills laptop or computer does about Apple security measures, but I can vouch for the belief that accessing someone’s Apple account isn’t simple feat.