Last Friday evening, a hacker got into Mat Honan's Apple account, remotely erased the data on his iPhone, iPad and MacBook, deleted his Google account, commandeered his Twitter account, and then posted a string of nasty stuff under Honan's name. Until recently, Honan, who's a writer at Wired and one of my favorite tech journalists, worked at Gizmodo, and his Twitter account was still linked to the tech blog's main Twitter page — so for about 15 minutes, the hacker was able to post a bunch of foul-mouthed, racist stuff there, too.
I was on a cross-country flight when I read Honan's first post about the hack. When the jet captain turned on the Wi-Fi, I got down to doing what I always do when I hear about an attack that could have happened to me: I changed my passwords. This made me feel better, but it turns out it certainly wasn't sufficient. Honan spent the weekend on the phone with Apple tech support and — curiously — in conversation with the hacker. By Monday morning, he'd found out exactly how his online identities had been compromised. The upshot: Creating better passwords wouldn't have helped him.
In a lengthy Wired piece, Honan explains that the hacker got into his account not by guessing his passwords but by asking for them. On Friday, the hacker called Apple's tech support line and, pretending to be Honan, claimed he'd been locked out of his Apple account. Apple's support guy asked the hacker to answer the security questions on Honan's account, but the hacker apparently said that he'd forgotten the answers.
No problem, because the hacker knew something most of us don't: If you can't answer your security questions, Apple will issue you a new password if you can prove you're who you say you are using another form of identification. What identification does Apple ask for to reset your password? A billing address and the last four digits of your credit card number.