Last Friday, Wired writer Mat Honan “recounted the tale” of how his iCloud account was hacked, which resulted in his iPhone, iPad and MacBook Air being wiped remotely.
The entry point appeared to be his iCloud account, which was then used to gain access to Gmail and to both his own Twitter account and that of his former employer, Gizmodo.
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere.
…
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
The reporter, Honan, was not exactly sure how the hackers had gained access to his iCloud account. His own guess was that whoever did it had brute-forced the password, while other people said that his password had been keylogged and used in another service that was insecure.
It turns out that the hacker was able to call Apple support and convince them that he was the account holder. An update to the reporter’s own blog post shows:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
After convincing Apple support that they were Mat Honan, the hacker had Apple support change the iCloud password for Honan’s account, which gave the hacker full access. From then on, the hacker was able to access Honan’s files through iCloud and remotely wipe all of Honan’s devices using Apple’s own Find My iPhone service, which offers remote wipe as a feature for lost iOS devices.
As Honan is somewhat of a public figure, he may simply have been an easier target than the average iCloud user, though many users also have personal information available through online services like Facebook that could be used in a similar fashion. Forbes’ Adrian Kingsley-Hughes suggested that Apple “needs to enforce higher security standards and also come clean about what they went wrong in this situation”.
So the answer is “no”: Apple did not support this hacker at all. Its support staff were simply convinced that the hacker was Honan, just like a valet handing over the keys to a car to someone who claims to own it, not knowing it’s the wrong person.
Via MacRumors

