Updated 2012/08/05. Matt says, “I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
The answer is still, “When It’s Online.” I addressed this topic in several previous posts:
- An Online Database Copy Is Not A Backup (Part 1)
- What Does “Data Loss” Mean To You?
- A Sidekick In The Pants – Part 2
and it’s still true. In Matt Honan’s case, his data was not only in the cloud but also on multiple devices: a MacBook, an iPad, and an iPhone. And he still lost a year’s worth of photos, emails, documents, and who knows what else. Here is Matt’s story.
A high-tech reporter, Matt had his Apple iCloud account hacked by someone who somehow learned his 7-character alphanumeric password. While Matt didn’t use this password anywhere else, he hadn’t changed it for a very long time, years in fact, which of course is a security no-no in itself.
After logging in to his iCloud account, the hacker reset Matt’s password and tossed the confirmation message into the trash so that Matt wouldn’t see it. Since the backup (recovery) address for Matt’s GMail account was his now-hacked iCloud account, the hacker requested a GMail password reset, took over that account too, and deleted it. The next target was Matt’s Twitter account, followed by Gizmodo’s Twitter account, which was linked to Matt’s account. And you can imagine the #@%&$ that the hacker posted on both accounts.
The hacker then proceeded to remotely wipe Matt’s iPhone, iPad, and MacBook. Even though Matt saw it happening, there was nothing he could do to stop the process. And since Matt didn’t have any offline backups, his data is gone forever.
Gizmodo has some recommendations including:
- Use complex passwords, don’t use the same password more than once, and change your passwords periodically
- Use a password manager if you need to and choose an insanely complex password for it. Personally, I like the cross-platform SplashID with a line from a poem or song as the password
- If it’s available, use two-factor or two-step authentication on websites, especially for password recovery
- If you have linked multiple accounts, unlink them unless there is a very good reason for the linkage
- If you have accounts that you no longer use (anyone with a MySpace account, raise your hand), try to delete them. If you cannot delete the account, then remove all possible information and lock down the account as tightly as you can
- Once again: back up your data offline. A hard drive that you can stuff in a safe, in a closet, or under your bed is more secure than anything in the cloud
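The chain in Matt’s story (one reset feeding the next, and a single iCloud login reaching three devices) is something you can audit on your own accounts before unlinking them. As an added example that is not part of the original post, this Python script models the links the story describes as a graph (the account names, links and device list are constructed from the narrative above) and ranks each account by how far a single compromise cascades; it also flags pairs of accounts that serve as each other’s recovery channel, which leaves you with no out-of-band way to recover either one.

```python
from collections import deque

# Constructed model of the post's story: each key is an account, each value
# lists the accounts it can reset or take over (it is their recovery address,
# or they are linked to it). Replace with your own account inventory.
RECOVERY_LINKS = {
    "icloud": ["gmail"],                  # Gmail's backup address was iCloud
    "gmail": ["twitter_matt"],            # Twitter resets land in Gmail
    "twitter_matt": ["twitter_gizmodo"],  # Gizmodo's account was linked to Matt's
    "twitter_gizmodo": [],
}

# Devices an account can remotely wipe (constructed from the post).
WIPE_REACH = {"icloud": ["iphone", "ipad", "macbook"]}


def blast_radius(links, start):
    """Every account reachable by chaining password resets from `start`."""
    seen, queue = set(), deque([start])
    while queue:
        acct = queue.popleft()
        for nxt in links.get(acct, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def recovery_cycles(links):
    """Account pairs that recover each other: if one falls, so does the other,
    so neither is a genuine out-of-band recovery channel."""
    return sorted(
        (a, b) for a, targets in links.items() for b in targets
        if a in links.get(b, []) and a < b
    )


def rank_entry_points(links, wipe_reach):
    """Rank accounts by how many accounts and devices one compromise reaches."""
    scores = []
    for acct in links:
        accounts = blast_radius(links, acct)
        devices = {d for a in accounts | {acct} for d in wipe_reach.get(a, [])}
        scores.append((acct, len(accounts), sorted(devices)))
    # Most damaging entry point first: the account to lock down hardest.
    return sorted(scores, key=lambda s: (-s[1], -len(s[2]), s[0]))
```

Run `rank_entry_points(RECOVERY_LINKS, WIPE_REACH)` to see that iCloud alone cascades into every other account and all three devices, which is exactly why Gizmodo’s advice to unlink accounts and enable two-step verification on the recovery path matters.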
While I covered personal security above, the same information also applies to organizations, except that you’re probably going to use tape, virtual tape, or disk-to-disk archives for offline storage rather than cloning hard drives and putting them under your bed. If you have a web presence, blog, or use social media, go change your passwords now and evaluate how those accounts can be locked down before your reputation is tarnished by getting hacked.
As always, I look forward to your comments and recommendations.