You may never have heard of Mat Honan, but his digital disaster is an important lesson for anyone who connects to the Internet. Honan, a former writer for Gizmodo, encountered an “epic hack” when his Amazon, Apple, Google and Twitter accounts were sequentially hacked within a matter of minutes. As a tech journalist, Honan is no stranger to the online world, but various mistakes and security vulnerabilities enabled hackers to access his accounts and wipe out Honan’s computer, iPhone and iPad.
Within a matter of minutes Honan had lost everything on his iPhone, iPad and MacBook, including irreplaceable pictures of his 1 1/2 year old daughter and family members who are now deceased. Honan’s Twitter account as well as Gizmodo’s Twitter account, which was linked to Honan’s, were used by the hackers to tweet out inflammatory messages.
Honan shared his experiences and lessons learned in a thorough article in Wired. I encourage you to read the article to learn both what happened to him and what he suggests doing to avoid this nightmare happening to you.
What Happened
Honan’s Hell
Honan discovered the attack soon after it had occurred when he tried to use his iPhone and realized it was wiped clean of all data and unusable. After he discovered the other hacks one by one, he had the presence of mind to create a new Twitter account to alert his followers that his original Twitter account had been hacked and to disregard the offensive tweets being sent from that account. He then saw that the hackers had posted a tweet from his original account claiming responsibility for the hack.
Amazingly, one of the hackers who took over his @mat account contacted Honan through his new Twitter account and provided enough information to verify that it was indeed the hacker who had infiltrated Honan’s accounts. The hacker, a 19 year-old code-named Phobia, offered to explain the hacks if Honan agreed not to prosecute them. He agreed and Phobia walked him through what they did and how they did it.
The Hacks
One of the hackers called Amazon customer service pretending to be Honan and asked to add a new credit card number to Honan’s account. The hacker identified himself as Honan using Honan’s email address, which was listed on his website, and his physical address, discovered through an online search. Amazon added the new (fake) credit card number to Honan’s account.
The hacker then called Amazon back a few minutes later, again pretending to be Honan, and told a different customer service rep that he had forgotten his Amazon password and needed to reset it. The customer service rep asked him for his (Honan’s) email address, billing address and the last four digits of his credit card number. The hacker provided this information, using the new credit card number he had just added to Honan’s account a few minutes earlier, and the account password was changed. The hacker next logged into Honan’s Amazon account using the newly reset password and found the last four digits of Honan’s credit card number.
Next the hacker called Apple customer service pretending to be Honan and said he needed to reset the password for his Apple ID. Apple asked for his (Honan’s) email address, billing address and the last four digits of the credit card on his account. The hacker provided Apple with the information, including the four digits from Honan’s credit card from his Amazon account. The hackers guessed correctly that Honan used the same credit card for his Amazon account as he did for his Apple account.
Apple then asked for answers to the security questions that Honan had set up. Even though the hacker was unable to answer the questions correctly, Apple verified the identity and reset Honan’s password, providing the hackers with access to Honan’s:
- iCloud account
- .Me email account
- Find My Mac app
- Find My iPhone app
The hackers then wiped all of the data from Honan’s MacBook, iPhone and iPad. Using Honan’s .Me email account, they were then able to access Honan’s Gmail and Twitter accounts, as well as Gizmodo’s Twitter account, which was linked to Honan’s account, and continue with the hacks.
Could This Happen to You?
Members of Wired’s staff were able to replicate the hackers’ steps with Amazon and Apple on Monday using the same techniques, but by the next day Amazon had changed its policy. Wired’s later attempts to add a new credit card to an Amazon account over the phone were unsuccessful because of changes that had reportedly been made by Amazon to “protect customers’ security.”
Wired was also informed by an anonymous Apple representative that Apple had put a 24-hour hold on resetting passwords over the phone. Wired’s attempts to reset passwords over the phone after that moratorium was imposed were unsuccessful. Expect further measures to be taken by Apple and Amazon in the future.
What You Can Do to Protect Yourself
Back Up Your Photos
Honan admits that it was a very regrettable mistake to not have backed up his photos that were on his laptop.
Ideally, your photos should be accessible in three places:
- the original,
- on an external hard drive, SD card or CD
- the Cloud
See, Back It Up!
Don’t Use Your Name as a Prefix for Your Email Accounts
The hackers were able to work out Honan’s .Me email address from the partially masked hint that Google’s password-recovery page displays, because he had used his name as the prefix of both his Gmail and his .Me accounts. Names and monograms are easily guessed by hackers. Use unique prefixes for your various email accounts that don’t include your name or initials.
Use Separate Credit Cards for Your Major Accounts
The hackers guessed correctly that Honan used the same credit card for his Amazon and Apple accounts. While it doesn’t make sense to sign up for a unique credit card for each site where you shop online, consider using different cards for popular sites. You can also use temporary credit card numbers for your online shopping.
Use Google’s Two-Step Verification for Your Gmail Account
Google offers two-step verification for your Gmail account: after you enter your password, Google sends a verification code in a text message or voice call to your phone, and you must enter that code before you are signed in.
By using this service, you can greatly reduce the chances that a hacker will be able to access your Gmail from an unauthorized computer, even if the hacker has obtained your password. This video explains how Google’s two-step verification works.
Honan regrets that he didn’t activate this verification process with Google to protect his Gmail account.
Verification Email
Honan’s .Me email address was the recovery address for his Gmail account. Although Google’s password-recovery page displayed that address only partially, the hackers filled in the hidden characters because Honan used his name on both accounts.
Create a separate, dedicated email account for verifying other email accounts. Only use the account for verification purposes and don’t use a prefix that is related to any of your other email accounts.
Find My Mac
Find My Mac is an Apple app that allows you to locate and wipe your Mac computer should it be lost or stolen. Honan had signed up for this service and had the app installed on his computer when his Apple account was hacked, enabling the hackers to wipe his computer. Honan recommends against using this service after his experience, reasoning that it is preferable to risk your laptop being lost or stolen than to have your data wiped by a hacker.
Although Honan’s iPad and iPhone were also wiped by the hackers using the Find My iPhone app, Honan thinks the value of retrieving a lost or stolen iPhone or iPad is worth risking a hacker being able to wipe his mobile devices as they are at a greater risk of falling into the hands of others.
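The chain described in The Hacks above, and the remedies in this section, can be checked against a small model. The following is an added example, not code from the original post, from Wired or from Honan: each provider is described only by what it asks for before resetting a password and what an attacker learns once inside, and the attacker’s knowledge is closed under those rules. The fact names, the switches for “different card” and “Gmail two-step”, and the masked hint `m****n@me.com` (assumed to hide only the middle of the address and to keep its length) are this example’s own assumptions; the provider behaviour follows the article.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One provider, described only by its password-reset behaviour."""
    name: str
    reset_requires: frozenset    # facts checked before the provider resets a password
    reveals: frozenset           # facts visible to whoever controls the account
    second_factor: bool = False  # a code goes to a device the attacker does not hold


def guess_masked_email(hint, real_name):
    """Recover a partially masked address such as 'm****n@me.com' from a name.

    Assumes (example's own assumption) that the mask keeps the length of the
    local part and hides only its middle, so a short list of name-based
    prefixes is enough to pin it down.
    """
    first, last = real_name.lower().split()
    prefixes = [first, last, first + last, first + "." + last,
                first[0] + last, first + last[0]]
    local, domain = hint.split("@")
    pattern = re.compile("".join("." if c == "*" else re.escape(c) for c in local))
    return [p + "@" + domain for p in prefixes if pattern.fullmatch(p)]


def takeover_chain(accounts, known):
    """Close the attacker's knowledge under the reset rules.

    Returns the accounts in the order they fall and the final knowledge set.
    """
    known = set(known)
    fallen = []
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in fallen or acct.second_factor:
                continue
            if acct.reset_requires <= known:  # provider asks for nothing the attacker lacks
                fallen.append(acct.name)
                known |= acct.reveals
                changed = True
    return fallen, known


def honan_scenario(same_card=True, gmail_two_step=False):
    """The chain as the article tells it, with two of its remedies as switches."""
    apple_card = "last4_card_A" if same_card else "last4_card_B"
    accounts = [
        # Amazon's last-four check is vacuous: with only the e-mail and billing
        # address the caller may first add a card of his own, then quote it.
        Account("Amazon", frozenset({"gmail_address", "billing_address"}),
                frozenset({"last4_card_A"})),
        # Apple asked security questions too, but reset without correct answers.
        Account("Apple ID", frozenset({"me_address", "billing_address", apple_card}),
                frozenset({"me_mailbox", "remote_wipe"})),
        # Gmail resets by mailing a link to the recovery address, the .Me mailbox.
        Account("Gmail", frozenset({"gmail_address", "me_mailbox"}),
                frozenset({"gmail_mailbox"}), second_factor=gmail_two_step),
        Account("Twitter", frozenset({"gmail_mailbox"}), frozenset({"twitter_posting"})),
    ]
    # Starting knowledge: the Gmail address was on his website, the billing
    # address came from a people search.
    known = {"gmail_address", "billing_address"}
    # Google's recovery page shows the masked recovery address to anyone who
    # types in the Gmail address; the name makes the mask guessable.
    if guess_masked_email("m****n@me.com", "Mat Honan"):
        known.add("me_address")
    return takeover_chain(accounts, known)


if __name__ == "__main__":
    print("as it happened:  ", honan_scenario()[0])
    print("different cards: ", honan_scenario(same_card=False)[0])
    fallen, known = honan_scenario(gmail_two_step=True)
    print("Gmail two-step:  ", fallen, "| remote wipe still possible:", "remote_wipe" in known)
```

Run as written, the first line lists all four accounts falling in one pass. Using a different card at Apple stops the chain at Amazon, because the only secret Apple checks is no longer something Amazon reveals. Two-step verification on Gmail stops Gmail and Twitter from falling but, as the Find My Mac section warns, the Apple ID and the remote wipe still go, which is why the fix has to be at the provider whose check is weakest and not only at the end of the chain.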
Clean Up Your Permissions
Restrict access to your accounts by others by cleaning up your permissions. See, Clean Up Your Permissions! for an easy way to make sure only the apps and websites you are using have permission to access your accounts.
Nothing is 100% Safe
No matter what steps you take your personal information is vulnerable to customer service representatives who may disclose it to hackers. As ethical hacker Kevin Mitnick explained in Ghost in the Wires, hackers use “social engineering” to convince workers to reveal private information over the phone, sometimes in violation of their companies’ policies.
Bottom Line
What happened to Honan was tragic and traumatic, but by learning from Honan’s experience and taking these steps, we may be able to keep safer from hackers.
Had you heard about Honan’s nightmare hacking experience? Have you taken steps to protect yourself from hacks? Let us know in the Comments section below!
*Broken padlock image by Mark Kjerland (altered)
** MacBook Air photo by Robert S. Donovan
Aditya says
Backing up the data is very, very important; you never know who is going to hack your stuff and when. Being aware is important, but we are just bloggers so we don’t know much about the security concerns and how to do it. Must hire someone or give this job to a professional to make everything secure, but at the same time you cannot trust him either, but have to. Sad to know about Honan.
Wonderful ways to protect our online accounts, Carolyn.
You are back with a bang with this post.
Carolyn Nicander Mohr says
Hi Aditya, Thank you for your kind words. Yes, Honan was more vulnerable to being hacked because he had his own website. His email that he used with his website, which was publicly available, was also the one he used for his Amazon and Apple accounts.
As bloggers we should make sure that we separate our private accounts from our public, blogging lives.
Aditya says
Separating our accounts as public and private is recommended, but extra security should be provided to them. Separating doesn’t mean they are secure; it just creates some sort of fear in handling them effectively, Carolyn.
But yes, it does make sense to separate them.
Carolyn Nicander Mohr says
Yes, Aditya, separating accounts doesn’t guarantee hackers won’t be able to get into your accounts but it does make it harder for them.
Mike Maynard says
Hi Carolyn,
I’m a hacker’s nightmare, probably. I have email accounts even I can’t access! It’s a story people should pay attention to, though. You can trust no one these days. Make it as hard as possible for hackers. Sometimes, so-called hacking is an inside job, though. Hotmail accounts are notoriously vulnerable.
I wandered onto your genre today with a blog about science and technology that makes use of nature’s secrets.
Carolyn Nicander Mohr says
Hi Mike, Yes, the linking of Honan’s email accounts as verification definitely worked against him and made it easier for the hackers to execute their hacks.
It’s true though that we can forget our passwords and then have trouble resetting them. While resetting passwords just got tougher for us, it also is tougher for hackers too.
Bill Dorman says
My wife complains about this all the time; saying since I am all over the internet I am increasing the likelihood we will be hacked. I’m not naive, but I would imagine I am somewhat under the radar and I do take some precautions.
My biggest concern would be from a financial standpoint; everything else could be replaced or I could do without. It would be aggravating, but livable.
Of course everything I have is prefaced by my name; but then again, it’s all about me anyway so why would that be different?……..:).
Carolyn Nicander Mohr says
Hi Bill, Yes, Honan was fortunate that he didn’t suffer any financial consequences from the hacks but the loss of his pictures was devastating to him.
Yes, if we never use the Internet then we probably wouldn’t be as susceptible to hacking but with identity theft even people who aren’t on the Internet are vulnerable. It’s a scary world out there.
Jeevan Jacob John says
Woah, that must be an awful experience!
I have all my information in my Gmail account (including passwords); if someone gets access to it, they basically have access to all my accounts (Man! I need to go delete those emails and labels). I have been hearing a lot lately about hacking and losing data (due to the computer hanging up; of course, that isn’t hacking, but that could happen too).
Those photos are gone, right? Gone forever. Okay, I can understand that the guy hacked his account out of passion (for hacking), for fun or just for making money (through tweets). But why did he delete the data? (I don’t get that!)
Anyways, thank you for your precautionary post, Carolyn.
I need to go in and clear my email inbox. At least, I will be safe with other accounts if someone manages to hack my email.
Jeevan Jacob John
Carolyn Nicander Mohr says
Hi Jeevan, Yes, it’s an incredible story. The hacker claimed to Honan that he did the hack for good, to bring attention to the lax security at Apple and Amazon, but you’re exactly right. If the hacker was really trying for good, then he wouldn’t have destroyed the data.
There may be ways to recover the data, but they are very expensive. Professional recovery firms exist that can try to retrieve his photos but they generally cost thousands of dollars and can’t guarantee results.
At the end of the Wired article, Honan says he will write an article about how he put his digital life back together. Whether that process includes recovering his images remains to be seen.
I’m glad you’re taking the steps to protect yourself, Jeevan. Honan wishes he would have taken those steps sooner.
Jeevan Jacob John says
Wait a minute, doesn’t Mac have some kind of recovery tool? (I have seen them highlighting that specific feature in ads in the past.)
Yeah, you are right. If he has to hire professional firms, it is going to take some time and money (And no guarantee in results).
Carolyn Nicander Mohr says
Hi Jeevan, Yes, but I’m not sure how it works if Find My Mac has wiped the computer. The idea of that app is to secure your confidential data so recovering that data may be particularly challenging. The idea of that app was to keep your data safe from thieves so easy data retrieval isn’t one of the features of that app.
Mark Harai says
What a nightmare Carolyn!
Thanks for writing this post and offering some solid solutions for preventing this to happen to anybody else.
We live in a scary world sometimes. There are many unscrupulous people in the world!
I think there should be severe punishment handed down to those people who would invade other peoples privacy and private property.
The death penalty would be sufficient.
Carolyn Nicander Mohr says
Hi Mark, I agree, hackers should be severely punished to take some of the incentive out of their crimes. In Ghost in the Wires, Mitnick’s sentence included a requirement that he reveal how he committed his hacks.
This cyber world is scary because there are so many criminals out there and often we are flying blind trying to protect ourselves from them. The more steps we can take to protect ourselves the better.
Leora says
What a nasty story. Thanks for writing up some clear cut ideas on how to proceed. We don’t want to be so hampered by fear of hacking that we don’t do anything online.
Carolyn Nicander Mohr says
Hi Leora, Yes, this story is very nasty. I wish I had a magic formula to prevent hackers from attacking. Unfortunately there is no 100% guarantee but by taking these steps we may lead hackers to search elsewhere to more vulnerable victims.
iRewardChart says
Brilliantly written, Caroline.
But I agree, nothing is safe!! There is tons of info on your iPhone itself, and most people don’t even have a screen lock on. Anyone can get to my email, Facebook and a few other accounts on my iPhone. Not an iPhone problem, it’s just a mobile problem. We want everything to be available to us easily, quickly, wherever, whenever. And the price we pay is the security of our data.
So it’s entirely up to us to secure our data, with duplications across cloud, external HD etc.
All the steps you have outlined here are truly cumbersome for even a tech person to follow, let alone a normal non-tech user.
But thanks for bringing this to your readers!
Carolyn Nicander Mohr says
Thank you, iRewardChart. I appreciate your kind words.
You’re right, nothing is safe but by taking extra steps to protect ourselves we can try to make it difficult for hackers so they move on elsewhere.
I don’t think that these steps are particularly difficult for people to take. People should back up their data not just because of hackers but because computers can crash and data can be lost for other reasons.
I wish people didn’t have to take these steps, kind of like how I wish we didn’t have to lock our doors at night. But the Internet is like the Wild West now and it’s not going to get any better.
I hope that cyber-crime gets reined in soon. I don’t want my grandchildren to have to learn about the Internet in History class.
Jens P. Berget says
Wow. I remember how it felt when I got my gmail hacked, but this was a lot worse. I have started using 1Password to have very strong passwords (unique for every account I have online). But, what you describe sounds almost too easy. And a little similar to what I’ve read that the famous hacker Kevin Mitnick did years ago.
Thanks a lot for sharing.
Carolyn Nicander Mohr says
Hi Jens, You’re right, Kevin Mitnick hacked through social engineering, convincing workers to bypass company policies to give him access to private data. While you could be angry with him for taking advantage of trusting people who wanted to help others out, he showed companies how vulnerable they were to criminals who could talk their way into computer networks.
It’s going to make it more difficult for us to recover lost passwords, but I would rather have to endure some hassles than be hacked.
Peter says
This is indeed the worst that could happen to a person. Hacking is very much in vogue these days and it is not negligible. The hacker very smartly got hold of the information and changed it in no time as per his requirements. Now one thing important for me is taking up the backup.
Carolyn Nicander Mohr says
Hi Peter, Welcome to The Wonder of Tech! You’re absolutely right, hackers threaten the integrity of the Internet. I’m glad you’re taking the time to back up your data. That’s very important.
Praveen Rajarao says
Carolyn – This is another coincidental article which we both have written.
I read about this article on Wired on Monday and I was shocked beyond belief by this tragic event. I am still unsure if this is all a “promotional gimmick” by Wired, as has been suggested by many readers all over. But this article has gone viral!!!!
2 step authentication is the best way to prevent any such mishaps and no matter if this is a fake story or a real experience, it helps us to be safe rather than repent later.
I will send you the link to my article once it is published on techbu.
Carolyn Nicander Mohr says
Hi Praveen, Yes, I look forward to reading your article when it’s published. The story is just horrifying, but I cannot believe that it is a hoax. Honan made some mistakes by not backing up his data, but Amazon and Apple can share part of the blame as well.
Adrienne says
Poor Mat!
You know Carolyn, we should all be able to get on our computers and access our information without any worries in the world. To think that some 19 year old kid can do this because he has nothing better to do or just wants to prove himself is just outrageous.
To have to go to all these measures to protect ourselves is mind boggling. All I know is that I have my passwords set so that they’ll be hard to guess and I don’t use the same ones everywhere. I also back up my computer on an external hard drive along with an online service.
Luckily for me I don’t access my information through any other sources, as you very well know. I have a laptop but haven’t used it in about a month now. I was sitting out by the pool but it’s way too hot for that now.
A hard lesson to learn for us all. Thanks for sharing Mat’s story with us.
~Adrienne
Carolyn Nicander Mohr says
Hi Adrienne, You’re absolutely right, what happened to Mat is outrageous. It’s great that you have strong passwords but even that step isn’t a guarantee that you are safe from hackers.
What I find particularly scary about this situation is that there was nothing Mat could have done to protect himself from this hack. The strongest password in the world wouldn’t have been good enough because his passwords were reset. It’s as if you got a pick-proof lock and someone gave a thief the key.
I’m hoping that companies beef up their identification standards and educate their customer service reps about the dangers of social engineering.
Peter says
Now I really feel the need to change all my email ids to something which is absolutely not very common and obvious that hackers could easily get through. Hacking is a big threat to all of us and our confidential data related to our banks details, mail details and such other important stuff.
Carolyn Nicander Mohr says
Hi Peter, Welcome to The Wonder of Tech! You’re right, having an email address that doesn’t include your name is very important and makes it tougher for hackers to guess what your email address is. The tougher we can make it on hackers the better.
Sylviane Nuccio says
Hi Carolyn,
I had briefly heard of this story earlier this week, but you gave the WHOLE story here and you’ve got me hooked.
The first thing I can say is that it’s totally scary and gave me the creeps. This is what frightens me the most about new technology, where everything and anything is linked together. In other words, all are nice little eggs in one big basket.
Then, there is also the human factor, when someone is going to do something they shouldn’t and give all your information to a hacker.
At least this sad story helped Amazon and Apple to be smarter about protecting their customers’ identity.
Thanks for this great post.
JessieBasu says
OMG… it’s like a Hollywood movie plot which unfortunately took place in real life. This incident is very frightening as it can ruin a lot of things. Thanks for giving all these tips and suggestions to avoid these kinds of unpleasant happenings.
Carolyn Nicander Mohr says
Hi Jessie, You’re right, I wish this were a plot instead of a true story. Luckily his bank accounts weren’t hacked but he probably would have preferred that to losing his precious photos.
local tourist says
It sounds like Apple is doing more to respond to this simple hack than Amazon
Carolyn Nicander Mohr says
Hi Local Tourist, Welcome to The Wonder of Tech! What I find disturbing is that neither Amazon nor Apple has made a public statement about this issue yet. Determining their new policies has meant calling customer service to see what happens. Of course, as soon as Apple and Amazon would announce their new policies for identification, hackers would start trying to crack them.
The Internet can be a nasty place.
Jack says
Well.. The blame is on Honan for being a bit irresponsible and negligent, and on Apple as well. However, Apple and Amazon are much more at fault because, being such vast and famous companies, their security systems were fooled very simply. This problem is very grave and needs to be sorted in time before another accident.
Carolyn Nicander Mohr says
Hi Jack, Welcome to The Wonder of Tech! Honan does take responsibility, publicly, for his mistakes. To date, neither Apple nor Amazon has responded publicly to this incident. The world would be a better place if we didn’t have to lock our doors at night or take these security precautions, but gone are the days we can assume that we are safe.
Chris Courtis says
Yes, this could happen to anyone of us at any point of time. Hacking is not restricted to only a certain category of people and anybody could be a victim. So on our part, we need to be prepared for saving ourselves against such incidents and for that you have mentioned some very useful methods.
Carolyn Nicander Mohr says
Hi Chris, Welcome to The Wonder of Tech! You’re right, hacking can happen to anyone, tech journalists, governments, businesses and every day people. The more we can do to protect ourselves against hackers the better!
Tony Scott says
This is indeed shocking and absolutely irresponsible on the part of Apple and Amazon. I am definitely changing all my confidential stuff, passwords and logins into something which cannot be hacked so easily as soon as possible. The world has become the most unsafe place where people are taking up such inhuman practices.
Carolyn Nicander Mohr says
Hi Tony, Welcome to The Wonder of Tech! Yes, this is shocking and mostly because no matter how secure Honan’s password was, hackers were able to get it because of other companies’ lax security.
You’re right, the Internet needs to become safer if we are going to be able to trust that our online world can be secure.