Emptyage — Yes, I was hacked. Hard.

By: nonstickron

Aug 06 2012



Yes, I was hacked. Hard.

So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo’s Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too. 

Here’s what happened:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed. 

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05 PM, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well. 

Here’s how I experienced it:

I was playing with my daughter, when my phone went dead. It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed. 

I went to connect it to my computer and restore from that backup—which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four digit pin.

I didn’t have a four digit pin. 

By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn’t turn on my computer, my iPad, or iPhone.

I used my wife’s iPhone to call Apple tech support. While on hold, I grabbed her laptop and tried to log into gmail. My password had changed. I couldn’t reset it either because the backup went to iCloud, where my password had also changed. 

I checked Twitter, and saw someone had just sent a tweet from that account. I tried to log into Gmail again, and now it told me that my Google account had been deleted. The way to restore it was to send a text message to my phone which I didn’t (and still do not) have access to.

Apple tech support couldn’t verify any of my information—my address, my credit card number, anything — as supporting information. They had me log into the website, where I was able to again change my password. After nearly an hour and a half on the phone, I realized they were spelling my last name incorrectly. They were looking at someone else’s account. Once we cleared that hurdle, well, actually not very much changed. They weren’t able to stop the wipe on my Macbook. Or give me a pin to log into it. Or give me immediate access to my phone. They couldn’t do much of anything, actually. Although they did set an appointment for me at the Genius bar tomorrow. Actually, I did that, later, when I called the store myself. 

Anyway.

At some point in this time, Joe Brown, my friend and editor from Gizmodo, called my wife’s phone to make sure we knew what was going on. We did, but I seriously appreciated the moral support, and felt like a jerk for fucking up Gizmodo’s twitter. He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting. That was really, really solid. Thank you. 

I still can’t get into Gmail. My phone and iPads are down (but are restoring). Apple tells me that the remote wipe is likely irrecoverable without serious forensics. Because I’m a jerk who doesn’t back up data, I’ve lost more than a year’s worth of photos, emails, documents, and more. And, really, who knows what else. 

It’s been a shitty night. 

For now, at least, I’m back on Twitter @mathonan. I’m back at @mat.

Update:
Someone claiming to be my hacker has been in touch. I can’t be at all certain of his authenticity, but he says he “didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.” 

As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.

The big steps now are regaining access to my Macbook and Google. I’ve got a genius bar appointment today for the former. I’ve put in a request to un-delete the Google account. I could not, however, use my phone number to restore it. My phone is linked to my Google voice account—which was deleted along with the rest of my Google accounts—I’m not sure if that’s the reason, but I can’t send or receive text messages or phone calls now. I answered a bunch of questions about my Google account to have it restored, now I have to wait 3 to 5 days to see if that request goes through. 

Do you know somebody (or are you somebody) at Google who can help me get my account back? I’d love to get in touch. On my long list of things to do today is get in touch with Sprint to see if it can help me get my phone service restored.

Finally, about the comments. I’ve seen people express outrage both below and on Twitter about some of the comments this post has generated. I don’t know. Maybe I’m jaded. But after years of writing for the Web, I guess I’ve come to expect comments to be less than constructive. 

Update Two: I’ve gotten phone service restored and regained access to my Google account. Twitter should be back soon too, but that may take until Monday. The last major piece of this is my Macbook. I have a genius bar appointment today. I guess I’ll know what the damage is once I’m there. 

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were. 

Update Four: I’ll be discussing this on TWiT with Leo Laporte, Ed Bott and others today live at 3 PM Pacific. I now know how it happened, basically start to finish, which I’ll explain in a story on Wired tomorrow (Monday, August 6). Apple tech support is working on recovering my data (thanks guys!) from my Macbook, but I won’t know how successful that was until Monday. According to what they told me last night, the wipe stopped (by powering down) before it got far enough along to start over-writing, so I am hopeful. Via AppleCare, I was able to confirm the hacker’s account of how he got access to my account. I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes). I want to give the company a little more time to look at its internal processes, but it should be as simple as a policy change. So far, I haven’t received any acknowledgement from Apple corporate. I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. So I gather corporate is aware of what happened and looking into how to most effectively respond to make sure this doesn’t happen again.

At least, I hope that’s what’s happening. 
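The chain the post lays out (iCloud as Gmail’s backup address, Gmail reaching Twitter, Twitter linked to Gizmodo’s account) is a dependency graph, and the update’s observation that two-factor would have saved the Google account but not the MacBook falls straight out of it. The script below is an added example, not part of the original post: the account names, edge kinds and capability labels are a constructed model of what the post describes, and the assumption that a second factor blocks a recovery-mail reset but not an already-authorized link is mine.

```python
from collections import deque

# Constructed model of the chain described in the post; account names and
# capability labels are illustrative, not real identifiers.
# Edge (source, target, kind): control of `source` yields control of `target`.
#   "reset"  -> target's password-reset mail lands in source's inbox; assumed
#               blocked if the target also demands a second factor.
#   "linked" -> target is an already-authorized link from source (the Twitter
#               to Gizmodo-Twitter link); assumed NOT blocked by a second
#               factor on target, because the stored authorization is reused.
TAKEOVER_EDGES = [
    ("icloud", "gmail", "reset"),
    ("gmail", "twitter", "reset"),
    ("twitter", "gizmodo_twitter", "linked"),
]

# Destructive actions available to whoever holds each account.
CAPABILITIES = {
    "icloud": {"remote_wipe:iphone", "remote_wipe:ipad", "remote_wipe:macbook"},
    "gmail": {"delete_google_account", "read_mail"},
    "twitter": {"post_as:mat"},
    "gizmodo_twitter": {"post_as:gizmodo"},
}


def blast_radius(start, edges=TAKEOVER_EDGES, caps=CAPABILITIES, mfa=frozenset()):
    """Accounts and capabilities reachable from one compromised account.

    `mfa` is the set of accounts that require a second factor at login.
    Returns (owned_accounts, gained_capabilities).
    """
    owned = {start}
    queue = deque([start])
    while queue:  # breadth-first walk over takeover edges
        src = queue.popleft()
        for s, t, kind in edges:
            if s != src or t in owned:
                continue
            if kind == "reset" and t in mfa:
                continue  # a reset mail alone does not satisfy the second factor
            owned.add(t)
            queue.append(t)
    gained = set().union(*(caps.get(a, set()) for a in owned))
    return owned, gained


def single_points_of_failure(edges=TAKEOVER_EDGES, caps=CAPABILITIES, mfa=frozenset()):
    """Accounts whose compromise alone unlocks every destructive capability."""
    everything = set().union(*caps.values())
    return sorted(a for a in caps if blast_radius(a, edges, caps, mfa)[1] == everything)


if __name__ == "__main__":
    # As it happened: one iCloud login reaches everything.
    print("baseline:", blast_radius("icloud"))
    # The update's point: a second factor on Google/Twitter saves those accounts
    # but not the devices, because the wipe needed only the iCloud login.
    print("with mfa:", blast_radius("icloud", mfa=frozenset({"gmail", "twitter"})))
    # Breaking the link: stop using the iCloud address as Gmail's backup.
    unlinked = [e for e in TAKEOVER_EDGES if e != ("icloud", "gmail", "reset")]
    print("unlinked:", blast_radius("icloud", edges=unlinked))
    print("single points of failure:", single_points_of_failure())
```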


randomchars: …no, as Google doesn’t offer remote wiping of all your units. You don’t run Android on your laptop, right?


  • randomchars

    No. I’m running Prey. On all my computers including my desktop. If my Google account is compromised, everything else does too.

  • Bricks

    Do you now see the issue with your retarded actions?

  • Deleriumnightmares

    It’s almost like you went out of your way to be insecure and retarded.

    Reminds me of a group of people who like to use the same company’s products for all their digital needs…

  • Kev Quirk, RefuGeeks.com creator

    Wow, you can see the gaping security hole in your setup yet you seem to be so chilled about it. In light of the writer’s mess that he’s in, don’t you think you should reconsider?

  • Glenn Snead

    I’d like to point out that this could have happened to anyone.  The web based impacts aren’t OS specific.  If this guy was a Droid user, his Google account would’ve been wiped.  If he was a Windows 8 user…who knows?  Microsoft seems headed towards the walled garden that Apple has had for years.

  • jeffventura, Provocateur.

    This has nothing to do with Apple devices, asshole. It’s a story of a single account password being hacked and the dangers of linking online accounts. Did you even read the post, or did you stop and type in your idiotic reply when you read ‘Apple’?

    I understand you and your horrifying adult acne love Android, but if someone got a hold of your Google account password, it’d be just as ugly — especially if you linked other online accounts to your Google login.

    Grow up, you two-bit loser. After that, take a reading comprehension class or two.

    Now go have a friend read this post to you, and for chrissake, stop sniffing your fingers.


  • Nik Dudnik

    c’mon he’s just a troll
    and he got you hooked with a really poor trolling

  • Deleriumnightmares

    It’s a story of a major security hole in Apple’s entire consolidated base of products (you should have to go through a lot more to have that kind of power to remotely wipe devices). It’s also a story of Apple users thinking that they are tech-savvy when in reality they are the least tech-savvy of any technology because they don’t understand what’s going on, their hand is just seamlessly guided through their experience.

    Know your device, be secure, and as mentioned above don’t keep all your eggs in one basket and avoid making it possible to have a single password lead to the capability of taking over and ruining all your digital devices. I’m not a troll, just a guy who’s laughing at an awesome example of a typical iFanboy who has no clue about tech and gets their shit pushed in as a result.

  • Ian Eiloart

    You didn’t notice that gmail and twitter are available to Windows users, too, Deleriumnightmares? This isn’t really an Apple issue at all, but rather a symptom of the interconnectedness of all our accounts.

    Tracking and remote wipe are really potentially useful ways of defending against information theft, but the latter opens a new vulnerability to this kind of vandalism. It really illustrates the importance of not putting all your eggs in one online basket.

  • Notch

    “You didn’t notice that gmail and twitter are available to Windows users, too”
    It was his iCloud that got hacked. Who said anything about Windows?

    How do you tell if someone is a rabid Apple fanboy? They start talking about how much Windows sucks.

  • Slurpy2k11

    And to you, ‘delerium’ isn’t rabid? His posts are the definition of rabid. The author of this article made a million mistakes, which is surprising since he’s in the tech field; none of those mistakes have anything to do with using Apple. I use Apple products, and the iCloud service, and this could never have in a million years happened to me, because I actually do local backups, have enough foresight not to link my gmail account to my iCloud account, etc., so whoever gets access to one gets access to everything, and I actually change my password more than once every few years. Again, enough with the anti-Apple horse-shit. Grow the fuck up. The author got screwed because of gross negligence, the platform he used is irrelevant. 

  • Deleriumnightmares

    The real question is why didn’t Clanvv3 go into his Facebook and really create some fun?

    Poole (mootles?) is spot on, it’s not about some guy getting hacked, shit happens. It’s about a guy who had the stupidly insecure interconnectivity of his iShit devices which enabled someone (presumably underage) with ease to wipe all his data on all his devices and “ruin” his digital life (1stwrlpblms)

  • Christopher Poole

     >not putting all your eggs in one online basket.

    You mean putting all your eggs in Apple’s basket. If anything, this was a shortsightedness on Apple’s part if they really allowed “brute-force attacks” to even happen on high-profile systems such as iCloud.

  • David Childs

    They don’t “allow” brute-force in a larger extent than anyone else. After a certain number of failed tries, the account is locked for a while. Same as everywhere else.

  • Notch

     So Mat is lying.

  • Briggs

    He’s not lying. But, he also doesn’t know. He has absolutely no evidence this was a brute force attack. I highly doubt it was. Mat was, IMHO, just speaking hypothetically. He also has no evidence that the iCloud account was the first account compromised. Basically, the whole idea of how it was done is just anecdotal. The true lesson in this is that Mat gave a real world example of how linking accounts can be used for exploitation, if that is what happened in this case. Someone could have also got access to his computer while unattended, unlocked the keychain and grabbed his stored password(s). I don’t think you can extrapolate the entire event with the evidence given.

  • knzar

    Does reveling in other people’s misfortune make you feel better about something in your life?

  • Malcolm Lloyd, I’m an author, I write. It’s what defines me and in turn I define it.

    Wow – the internet has no decency.

  • Asdfjskal

    People have the right to get what they want. I don’t understand what’s wrong with that. Just because YOU feel that Apple products are shit, doesn’t mean the person next to you should be forced to feel the same way. You are the cancer of not only the internet, but the world. inb4 fag, whiteknight.

  • Deleriumnightmares

    When did I say he doesn’t have a right to get a shitty Apple product? He has the full right to get whatever he wants.

    He also has the full right to get his iLife hacked and fucking wiped. Owned like a punk.

  • tomandyourmom

    What the fuck is wrong with you?

  • david payne

    Funny you’re asking him something like that, but your name tells a different story..

  • tomandyourmom

    what does that even mean?

  • Jnducidhin

    Not sure if “Tom andy our mom” or “Tom and your mom”.

  • david payne

    You ask him what’s wrong, yet your name tells me something’s wrong with you and not him 😉

  • tomandyourmom

    Again, I’ll ask you:  What the fuck are you talking about?  You’re trying to be funny or snarky, but you’re failing.  Desperately.  Here’s a hint:  when you have to explain your joke (and people STILL don’t get it), it’s not funny.  Go away and let the adults talk.

  • GScaled

    You’re an idiot. That is the reason why you don’t get what he is saying about your name.

  • tomandyourmom

    Hahaha, okay fuckface.  Whatever you say.  It couldn’t possibly be because you juvenile assholes wouldn’t know humor if it bit you in the ass, could it?  So, if I’m so dumb and you’re so smart, explain this “awesome” joke. Go ahead.  I’ll be waiting, coward.

  • Nik Dudnik

    keep practicing your trolling skills son

  • Idiots

     Did you idiots read what he said at all? Only because of his password being hacked were they able to do this, both with Google and various other accounts and cannot be blamed on Apple. Very similar services are offered by Google, for example the Chrome book. All data could be wiped on that laptop too if you knew the users password.

  • gbyers72

    Typical Windows troll. He could have turned it off if he wanted; it even asks you at setup.

  • jameskatt

    1. I seriously doubt that the hacker brute forced the iCloud account password.  iCloud (as does Google) allows for only a limited number of password attempts before locking up. Then you have to answer two of three security questions (the two factor authentication).  Therefore, unless you use an extremely easy password to guess, brute force is going to fail since it will take too much time to do. 

    2. MORE LIKELY: The Hacker is someone the person knows who then got access to his password or someone who used a keylogger.  With a keylogger, if you ever log into any of your accounts on someone else’s computer or public terminal, you are screwed immediately.

    3. Since the iCloud account was used as the person’s central account, any other account which uses that central account as the backup email address (such as his Google and Twitter accounts) became vulnerable to a password reset request.

    4. The Hacker easily gained access to his Gmail Account and Twitter Account even without knowing the password by simply knowing those accounts’ backup addresses and sending a password reset request.  This shows that Gmail and Twitter are also not very secure.

    5. Remote Wipe is a good thing.  The only problem is if a Hacker gains access to the account that can do a remote wipe, you can be remote wiped.  Thus, to guard against this possibility, always do backups of your data.

    6. Backups are clearly important.  If the person used Time Machine AND another app (such as ChronoSync) to do hourly backups AUTOMATICALLY AND WITHOUT SUPERVISION, then he would only lose 1 hour of work.  

    7. Using only one backup email address is bad.  This can occur not only with iCloud but also Google and any other email accounts.  The key is that the person used his iCloud account as the backup email account for every other account he had – his Google account, his Twitter account, etc.  This links these other accounts to the original account.  This problem is the same if he used his Gmail account as his primary backup account. It isn’t limited to using Apple’s iCloud account.  Using only one email as the primary backup account makes every other account linked to it insecure and accessible because all these other accounts are easy to access via a password request – Google, Twitter are easily accessed.

    8. Strong passwords and regularly changing passwords are important.  This helps protect against keyloggers and people you know from accessing your account if they don’t do it immediately. Being able to mix numbers, capital letters, and small letters helps make the password more secure. Being able to add symbols (e.g. ! or *, etc.) to the password increases security even more.

    The most important lessons:
    1. any account can be hacked.
    2. backup, backup, backup, backup, backup, backup,…


  • Jnducidhin

    A few journalists I know have been hacked for using the open wifi at conferences without using SSL


    Wow, scary.
