Skip to Content

An Epic Hack Performed With a Few Simple Tricks

The victim’s Apple devices suddenly went dark last Friday. Similar attacks remain possible.
August 7, 2012

Lax security practices by Apple and Amazon cost one journalist a year’s worth of photos and other data last Friday, in a chilling tale that’s a reminder that keeping data secure is far from a solved problem.

Mat Honan of Wired laid out what happened yesterday, explaining how he had all of his data wiped from his iPhone, iPad and MacBook using Apple’s remote wipe feature, which is intended to protect the data on a gadget if it is lost or stolen. Attackers got control of Honan’s Apple account by first taking advantage of a flaw in one of Amazon’s systems that gave them the last four digits of his credit card number. That and an email address was all that was needed to convince Apple to hand over control of his account. As Honan put it:

[T]he very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

Amazon changed its customer service policies today to prevent the trick that compromised Honan’s account, Wired reports. Apple has so far said little, apart from denying the existence of the loophole that got Honan hacked, which he claims he was able to replicate several times.

Honan’s Gmail account was also compromised as part of the attack, the goal of which was simply to wrest control of his three letter twitter account, @mat. Many people have blogged and tweeted today to say that Honan – and everybody else – should use Google’s two factor authentication, which is a more secure alternative to the traditional username and password. It involves using both a regular password and a one-time code generated by a phone app every time you log in.

Two factor authentication could have helped protect Honan, and could boost the security of many other services, too. But despite Google’s best efforts, it still feels clunky to use. The debut of NFC chips in phones might reduce the burden, though, and Intel showed off laptops at CES back in January that processed online payments by having a person tap their phone on a computer to authenticate. However, companies will still need ways to help people that forget their password to get back into their accounts. That means that we will remain at the mercy of various combinations of security questions and systems, like those that let Honan down, for a while yet. 

In general, the best advice available is to understand how the services you use protect your account, and adjust your security questions, passwords and back up emails accordingly. Also, to avoid losing data irretrievably as Honan did, to frequently back up your data in multiple places.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.