The answer, it would seem, is “not hard at all,” especially after Mat Honan (of Gizmodo) had his iCloud account compromised by a group of miscreants who simply rang Apple tech support and talked their way into a reset of the account’s password.
Honan suffered an absolute nightmare this past weekend. Not only did the group, “Clan Vv3,” gain access to Gizmodo’s Twitter account, but within 15 minutes of his seven-character alphanumeric password being reset and changed (the confirmation email for the reset landed in his account and was promptly moved to the trash), Honan’s iPhone, iPad and MacBook Air had all been remotely wiped. He explains, over at his personal blog:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
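The timeline above is a chain of recovery links: the .mac address is Gmail’s backup address, Gmail receives Twitter’s password resets, the personal Twitter is linked to Gizmodo’s, and iCloud can wipe every device. The following script is an added example (not Honan’s or Apple’s code) that models those links as a directed graph so you can see how far one account takeover spreads, and how much a separate, dedicated recovery mailbox for Gmail shrinks that blast radius. The account and device names, and the edges between them, are a constructed reconstruction of the quoted post; the model only covers what happens after the first account falls, not the support-line social engineering that opened the door.

```python
"""Blast radius of an account-recovery chain, modelled as a directed graph.

Added example. An edge A -> B means "an attacker who controls A can take over
B" (B's password reset goes to A, B is linked to A, or A can remote-wipe B).
The edges below are a constructed reconstruction of the chain described in
Honan's post, not data taken from the page's author or from Apple/Google.
"""
from collections import deque

RECOVERY_LINKS = {
    # Gmail's backup address is the .mac account; Find My can wipe the devices.
    "icloud": ["gmail", "iphone", "ipad", "macbook_air"],
    # Twitter password resets are delivered to Gmail.
    "gmail": ["twitter_personal"],
    # The personal Twitter account is linked to Gizmodo's.
    "twitter_personal": ["twitter_gizmodo"],
    "twitter_gizmodo": [],
    "iphone": [],
    "ipad": [],
    "macbook_air": [],
}


def blast_radius(links, start):
    """Return every account/device reachable from `start` (breadth-first)."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def rewire_recovery(links, account, old_source, new_source):
    """Return a copy of `links` where `account` is recoverable from
    `new_source` instead of `old_source` (e.g. a dedicated recovery mailbox).
    The input mapping is not modified."""
    hardened = {
        k: [v for v in vs if not (k == old_source and v == account)]
        for k, vs in links.items()
    }
    hardened.setdefault(new_source, [])
    if account not in hardened[new_source]:
        hardened[new_source].append(account)
    return hardened


def worst_single_point(links):
    """The account whose compromise reaches the most other nodes."""
    return max(links, key=lambda n: (len(blast_radius(links, n)), n))


def report(links):
    """(node, reach) pairs, largest blast radius first, then by name."""
    return sorted(
        ((n, len(blast_radius(links, n))) for n in links),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    print("as described:", report(RECOVERY_LINKS))
    hardened = rewire_recovery(RECOVERY_LINKS, "gmail", "icloud", "recovery_mailbox")
    print("separate recovery mailbox:", report(hardened))
```

Run it and the first report shows iCloud as the single point of failure: one reset reaches the mail account, both Twitter accounts and all three devices. In the hardened graph the iCloud reset still wipes the devices (that edge is a feature of the service, not of the recovery configuration), but it no longer cascades into Gmail or Twitter. The same check applies to any set of accounts: draw the reset edges, find the node with the largest reach, and break the edge that feeds it.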
Honan has explained the whole experience, which sounds like any Apple fan’s worst nightmare, over at his website. Fortunately, he managed to get things (partly) fixed thanks to a couple of Genius Bar appointments. But that doesn’t mean this experience is over, or that Clan Vv3, or some other group, won’t strike other, unsuspecting Mac and iDevice owners in the near future. Just listen to how the group got around Honan’s seven-character alphanumeric password without ever needing to guess it:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
Hopefully, Apple will learn from Honan’s dreadful experience and make the necessary changes to prevent it from happening again. It’s frightening that so much damage was done simply by calling up Apple and requesting a password reset with “some clever social engineering.” The strength of the password never mattered; the reset process, and the chain of accounts whose recovery ran through that one iCloud address, did.