Don’t let this happen to you. Here’s Mat Honan writing for Wired on “How Apple and Amazon Security Flaws Led to My Epic Hacking.”
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
Mat Honan is a tech journalist. You would think Mat would have his cyber defenses well-secured. He did not. Study what happened to Mat so you can do whatever you must to protect yourself from a similar fate.
For a concise summary of how Honan was hacked, read this: Apple Responds To Journalist Victim of “Epic” Apple ID Hack
Apple responded today to Honan via a spokesperson, Natalie Kerris. In a statement to Wired, where Honan posted an account of his experiences, Apple promised to look into how users can protect their data and security better when they need to reset their account passwords.
“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password,” said Apple, via Kerris. “In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”
This all happened because the hackers were able to get a hold of Honan’s email address, his billing address and the last four digits of a credit card he has on file. Once the hacker had this info, he or she called Apple, asked for a reset to the iCloud account in Honan’s name, and was given a temporary password.
“In many ways, this was all my fault,” Honan wrote. “My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.”
The real problem here, he noted, is that the companies he relied on to keep his data safe have competing security practices. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” he wrote. “The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
If you have protected all your accounts and devices with 1Password, in particular with unique strong passwords, then you are well on your way to securing your digital life. If you are not using 1Password or similar state-of-the-art password management, then you need to fix that right now.
Pro tip: do NOT use the same username for sensitive logins. If you use, say, ‘firstname.lastname@example.org’ for both Amazon and Google, you have made life much easier for the Russkie mafia. When they seduce customer support to help them get your Amazon password, they are almost home. If your Google account uses a different email/username and a different strong password, then the mafia hackers have to start over to break into your Google. Gmail is happy to give you a unique email address for every one of your sensitive accounts. Use them.
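The daisy-chaining and shared-username risks described above can be checked against your own account inventory. The script below is an added example, not part of the original post; the inventory, the login addresses and the `recoverable_via` field are constructed assumptions, with the chain ordered as in Honan's quote.

```python
from collections import defaultdict, deque

# Constructed inventory (not real data). "recoverable_via" lists the accounts
# whose compromise helps an attacker reset this one.
ACCOUNTS = {
    "amazon":  {"login": "user@example.org",   "recoverable_via": []},
    "appleid": {"login": "user@example.org",   "recoverable_via": ["amazon"]},
    "gmail":   {"login": "user.g@example.org", "recoverable_via": ["appleid"]},
    "twitter": {"login": "user.t@example.org", "recoverable_via": ["gmail"]},
    "bank":    {"login": "user.b@example.org", "recoverable_via": []},
}

def shared_logins(accounts):
    """Return {login: [accounts]} for every login used by more than one account."""
    by_login = defaultdict(list)
    for name, info in accounts.items():
        by_login[info["login"].lower()].append(name)
    return {login: sorted(names) for login, names in by_login.items() if len(names) > 1}

def blast_radius(accounts, start):
    """Accounts that fall, directly or transitively, once `start` is compromised."""
    helps = defaultdict(set)  # helps[a] = accounts that a helps to reset
    for name, info in accounts.items():
        for dep in info["recoverable_via"]:
            helps[dep].add(name)
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in helps[current]:
            if nxt != start and nxt not in seen:  # guards against cycles
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

def audit(accounts):
    """Blast radius per account, worst first, so the riskiest link gets fixed first."""
    report = {name: blast_radius(accounts, name) for name in accounts}
    return sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    print("shared logins:", shared_logins(ACCOUNTS))
    for name, fallen in audit(ACCOUNTS):
        print(f"{name}: compromise also exposes {fallen}")
```

Accounts at the top of the audit are the ones to give a unique login, a unique password and two-factor authentication first.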