How a Hacker Gained Access to a Reporter's iCloud Account

Monday August 6, 2012 7:36 pm PDT by Arnold Kim

matHonan v4edit Wired reporter Mat Honan details the exact process by which hackers had gained control of his iCloud account. The hijacked iCloud account resulted in a remote-wipe of his iPhone, iPad and MacBook Air, as well as further intrusions into his Gmail and Twitter accounts.

As previously reported, the hackers were able to convince Apple Support to provide them with a temporary password to access Honan's account. Honan details exactly how this was performed.

Apparently, Apple Support only requires an iCloud user's billing address and last-four digits of the credit card on file in order to issue a temporary password. That temporary password grants full access to the user's iCloud account. Apple spokesperson Natalie Kerris issued this statement which claims that internal policies were not followed completely in Honan's case, but failed to specify exactly how:

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

Wired was able to confirm the reported policy themselves by successfully gaining access to another account using only those two pieces of information: a billing address and last-four digits of the credit card number.

As noted by Honan, a target's billing address is generally easy to determine by looking up a domain registration or by public white pages databases. As for discovering the last-four digits of Honan's credit card, Honan's hacker used a loophole in Amazon's security systems which don't protect the last-four digits of their user's credit card information. The hack requires a two-step phone call to Amazon. In the first call, Amazon allows you to add a second credit card to the account by simply offering the account's billing address, name and email address. Then, a second call allows you to add a second email address by verifying the previously added credit card. This second email address then has access to the account information including the last four digits of the original credit card.

Honan's intrusion seemed to be a result of a targeted effort to infiltrate his Twitter account, and a number of items had to line up just right for the hackers to gain access. The situation does reveal that the differing security processes between different providers could open up unwanted opportunities. It also seems to show that at present, a specific user's iCloud account access can be gained with those two pieces of only semi-private information.

Honan's full story about the sequence of events is an interesting read.

Popular Stories

iPhone 17 Pro 3 4ths Perspective Aluminum Camera Module 1

New iPhone 17 Pro Details: Brighter Display, Best Battery Life, and More

Wednesday September 3, 2025 5:33 am PDT by Hartley Charlton

Apple's iPhone 17 Pro and iPhone 17 Pro Max models will feature a number of significant display, thermal, and battery improvements, according to new late-stage rumors. According to the Weibo leaker known as "Instant Digital," the iPhone 17 Pro models will feature displays with higher brightness, making it more suitable for use in direct sunlight for prolonged periods. The iPhone 16 Pro and...

• 73 comments

iPhone 17 and iPhone 17 Pro Prices Estimated Ahead of Apple Event Next Week

Tuesday September 2, 2025 1:50 pm PDT by Joe Rossignol

Just one week before Apple is expected to unveil the iPhone 17 series, an analyst has shared new price estimates for the devices. Here are J.P. Morgan analyst Samik Chatterjee's price estimates for the iPhone 17 series in the United States, according to 9to5Mac: Model Starting Price Model Starting Price Change iPhone 16 $799 iPhone 17 ...

• 59 comments

Apple Watch Ultra 3 Coming Next Week: Eight Reasons to Upgrade

Thursday September 4, 2025 7:38 am PDT by Tim Hardwick

We're only days away from Apple's "Awe dropping" fall event scheduled to take place on Tuesday, September 9 – and along with the new iPhone 17 series, we're going to get a new version of the Apple Watch Ultra for the first time since 2023. By the time the Ultra 3 is unveiled, it will have been two years since the previous model arrived. The intervening period has left plenty of room for...

• 90 comments

iPhone 17 Pro Clear Case Leak Reveals Three Key Changes

Sunday August 31, 2025 1:26 pm PDT by Joe Rossignol

Apple is expected to unveil the iPhone 17 series on Tuesday, September 9, and last-minute rumors about the devices continue to surface. The latest info comes from a leaker known as Majin Bu, who has shared alleged images of Apple's Clear Case for the iPhone 17 Pro and Pro Max, or at least replicas. Image Credit: @MajinBuOfficial The images show three alleged changes compared to Apple's iP...

• 83 comments

iPhone 17 Release Date, Pre-Orders, and What to Expect

Thursday August 28, 2025 4:08 am PDT by Tim Hardwick

An iPhone 17 announcement is a dead cert for September 2025 – Apple has already sent out invites for an "Awe dropping" event on Tuesday, September 9 at the Apple Park campus in Cupertino, California. The timing follows Apple's trend of introducing new iPhone models annually in the fall. At the event, Apple is expected to unveil its new-generation iPhone 17, an all-new ultra-thin iPhone 17...

• 62 comments

iPhone 17 Air Could Start at $1,099 With 256GB Storage, 1TB for $1,499

Thursday September 4, 2025 2:54 am PDT by Tim Hardwick

Apple's upcoming iPhone 17 Air will have a $1,099 starting price providing 256GB of base storage and will max out at $1,499 with a 1TB option, according to the latest TrendForce report. Apple will offer three price/storage tiers for the all-new ultra-thin iPhone 17 model, which replaces last year's iPhone 16 Plus in the lineup. Here's how TrendForce sees them breaking down: 256GB — $1099...

• 114 comments

Top Rated Comments

faroZ06

171 months ago

Who cares.. Is it a 'rumor' that someone's iCloud account got hacked or is it a fact? It's a FACT. This site is for RUMORS.

You must be constantly angered by MacRumors then.

Score: 35 Votes (Like | Disagree)

brentsg

171 months ago

This happens with a ton of Xbox Live accounts too. Microsoft doesn't seem to care. Also, since it's Microsoft and not Apple, the media doesn't care either.

Score: 15 Votes (Like | Disagree)

nagromme

171 months ago

Big, scary, simple failures here on the parts of Apple (using the credit card number as ID), Amazon (giving out that number!) and Google (giving out your alternate email address to strangers).

If I had to name 3 companies (that I actually use) which I trust the most to keep things secure, it would have been those 3... before today! (I know Google tracks me, but I’m surprised at this kind of lapse.)

I’m sure I’m not alone today in turning off Find My iPhone/iPad/Mac for the time being. And it’s probably smart to use different credit cards with different services, even if it means more bills to manage monthly. I do already use different (and hard to guess) passwords, and I back up in multiple ways including locally. Very important.

Something NEW is needed to make security usable AND effective for all of us, and incident this shines a light on the problems. What’s scary is, I doubt we'll see the changes (across MANY more companies than these 3) happening fast enough.

P.S. I hope the hackers spend some serious jail time after wiping out the guy’s family photos :mad:

Score: 12 Votes (Like | Disagree)

heov

171 months ago

Solution: apple needs better security. more than last 4 digits of CC and billing address should be required.

Score: 10 Votes (Like | Disagree)