Imagine having your phone, tablet and computer wiped, followed by your email accounts being hacked and deleted, taking with them nearly your whole digital life. This would be a devastating loss for anyone, but you may be surprised to learn that it actually happens on a fairly regular basis. In the past few months there have been two similar instances, both involving Apple, that are making users wonder just how safe and secure the products sold by Apple and other companies really are.
Mat Honan’s problem
Mat Honan is a writer for Wired, who in early August had nearly his whole digital life wiped off the web. His article in Wired is a fantastic and scary read. We highly recommend it. To summarize, he had the majority of his website accounts linked together, with one account linked to many. Hackers were able to get into his iCloud account by taking advantage of Apple’s lax password reset.
To begin with, the hacker wanted to take Honan’s Twitter account. They noticed that he had a Gmail account linked to Twitter, and from there were able to find that an Apple account was linked to the Gmail account, as a secondary account. To get access to the Apple account, they reset the password, which requires a billing address and the last 4 digits of the card registered to that account. The card number came from hacking into Honan’s Amazon account, which shows the last 4 digits of the card.
From there, it was a simple step of resetting the Apple account and shortly thereafter the Gmail password, sending the Gmail reset to the registered Apple account address (the secondary address on the Gmail account). Once in control of the Gmail account, they asked Twitter to reset the password using the Gmail account and simple as that, the hacker had access to the Twitter account.
Apple UDID leaks
In early September the infamous hacker group Antisec, related to the hacker group Anonymous, released over 1 million Apple UDIDs. A UDID, or Unique Device Identifier, is a code Apple applies to their devices to be able to individually identify them. Upon the release of the UDIDs, Antisec claimed that they had come from a breached laptop owned by the FBI, and that the FBI was using the UDIDs to track users.
While it’s not known for certain where the breach came from, security experts have been able to prove to a 98% surety rate that the UDIDs came from Blue Toad, an app developer that suffered a digital breach previous to the release of the UDIDs. Blue Toad’s CEO has come forward acknowledging the leak, and noted that the company is sure the info came from them, and not the FBI.
While it may be alarming that the UDID’s were out there, users can be assured that passwords were not exposed, as the UDID tends to store information like account name, phone number and address. Yes, contact information is out there, which might raise concerns. But don’t kid yourself, this information, or most of it, is already readily available on the Internet anyway.
Learn from their mistakes
With these two fairly serious incidents occurring iPhone users are right to be a little wary, and should be taking steps to insure their information is secure. Here are seven steps you can take to minimize the chances of this happening to you:
- Unlink all essential accounts from one another.
- Set up an email account that’s only used for other account resets.
- Regularly back up all your devices onto a secure hard disk.
- Change your password regularly and use two-factor authentication if available.
- Don’t use the same username or password for multiple accounts.
- If the information isn’t necessary for you to set up your account, don’t provide it.
- Delete and never store any credit card numbers.
If you have any questions or concerns about the security of your accounts or systems, please don’t hesitate to call us.