Mat Honan had his digital life dissolved by hackers


Don’t let this happen to you. Here’s Mat Honan writing for Wired on How Apple and Amazon Security Flaws Led to My Epic Hacking.

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

Mat Honan is a tech journalist. You would think Mat would have had his cyber defenses well secured. He did not. Study what happened to Mat so you can do whatever you must to protect yourself from a similar fate.


For a concise summary of how Honan was hacked, read this: Apple Responds To Journalist Victim of “Epic” Apple ID Hack

Apple responded today to Honan via a spokesperson, Natalie Kerris. In a statement to Wired, where Honan posted an account of his experiences, Apple promised to look into how users can protect their data and security better when they need to reset their account passwords.

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” said Apple, via Kerris. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

This all happened because the hackers were able to get a hold of Honan’s email address, his billing address and the last four digits of a credit card he has on file. Once the hacker had this info, he or she called Apple, asked for a reset to the iCloud account in Honan’s name, and was given a temporary password.

“In many ways, this was all my fault,” Honan wrote. “My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.”

The real problem here, he noted, is that the companies he relied on to keep his data safe have competing security practices. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”

If you have protected all your accounts and devices with 1Password – in particular with unique, strong passwords – then you are well on your way to securing your digital life. If you are not using 1Password or similar state-of-the-art password management, then you need to fix that right now.

Pro tip: do NOT use the same username for sensitive logins. If you use, say, ‘janedoe@gmail.com’ for both Amazon and Google, you have made life much easier for the Russkie mafia. When they seduce customer support into helping them get your Amazon password, they are almost home. If your Google account uses a different email/username and a different strong password, then the mafia hackers have to start over to break into your Google account. Gmail is happy to give you a unique email address for every one of your sensitive accounts. Use them.
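To make the daisy-chain point concrete, here is an added example (not code from this post, Wired, Troy Hunt or 1Password) that models account-recovery dependencies as a graph and computes how many accounts fall from a single entry point, with and without a second factor on one link. The chain is built from the post's description; the login addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed model of the chain the post describes.  An edge A -> B means
# "control of A, or data A exposes, is enough to reset B's password":
# Amazon displays the last four card digits, Apple accepted those digits to
# reset the Apple ID, the Apple ID helped reset Gmail, Gmail gave Twitter.
HONAN_CHAIN = {
    "amazon": ["apple"],
    "apple": ["gmail"],
    "gmail": ["twitter"],
    "twitter": [],
}

def blast_radius(edges, start, protected=frozenset()):
    """Accounts an attacker controls after compromising `start`.

    Recovery links are followed transitively.  Accounts in `protected` model
    logins whose reset path needs a second factor: the link into them fails,
    so they neither fall nor pass access further down the chain."""
    compromised = {start}
    frontier = [start]
    while frontier:
        account = frontier.pop()
        for nxt in edges.get(account, []):
            if nxt in protected or nxt in compromised:
                continue
            compromised.add(nxt)
            frontier.append(nxt)
    return compromised

def weakest_links(edges, protected=frozenset()):
    """Each account with the number of *other* accounts that fall with it,
    most damaging entry point first."""
    impact = {a: len(blast_radius(edges, a, protected)) - 1 for a in edges}
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))

def shared_logins(accounts):
    """Group accounts by login identifier.  Any group larger than one is the
    username reuse the pro tip warns about: the identifier one provider
    hands out is the one the next provider verifies against."""
    by_login = defaultdict(list)
    for account, login in accounts.items():
        by_login[login].append(account)
    return {login: sorted(accs) for login, accs in by_login.items() if len(accs) > 1}

if __name__ == "__main__":
    print(weakest_links(HONAN_CHAIN))
    print(blast_radius(HONAN_CHAIN, "amazon", protected={"gmail"}))
    # Constructed sample: the same address used at Amazon and Google.
    print(shared_logins({"amazon": "janedoe@gmail.com", "gmail": "janedoe@gmail.com",
                         "twitter": "jd.tweets@example.com"}))
```

With the chain as described, Amazon is the weakest link and takes everything else down; putting a second factor on Gmail alone cuts the chain off at Apple.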

The only secure password is the one you can’t remember

You need only remember one secure password – the passphrase that unlocks your password vault. This Troy Hunt essay is very worthwhile – Troy explains in detail the bad things that can and will happen to you by using the same simple passwords across all those Internet accounts.

(…) And this brings me to a neat philosophical conclusion; security is all about risk mitigation – you never actually become “secure”, you merely decrease your risk. On balance, the risk of your account details sitting out there in even a very secure website is significantly higher than having them sit there in your 1Password file.

But beyond just security, the password manager route is a very handy solution. Having all your accounts handy on all your devices and being able to simply logon with the one strong password is a very convenient route indeed.

And finally, when the time comes that you realise one of your accounts has been breached (and trust me, it will come), it’s no good thinking about password security then – it’s too late. So put aside a few hours one afternoon, spend just a few dollars and get yourself organised. Either that or start developing a taste for acai berries!

Troy recommends the same solution we prefer, 1Password on Dropbox. For that solution you need two strong passwords, one each for Dropbox and your 1Password file. Then all your very strong passwords are available to you on all your devices (computers, smartphones, iPads, …).