A Cautionary Tale - Hacked iCloud Account Wiped an iPhone, iPad and MacBook in 5 minutes

Mark Honan writes about what happened when his iCloud account was hacked, and in a matter of five minutes the hackers remote wiped his iPhone, iPad and MacBook Air and more than a years worth of data. In his own words:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed. 

At 5:00 PM, they remote wiped my iPhone 

At 5:01 PM, they remote wiped my iPad 

At 5:05, they remote wiped my MacBook Air. 

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well. 

In the case Mark Honan, the problem was once his iCloud account was compromised, all this devices were. I do not use iCloud, but the same thing could happen to me, or any or us. For most of us the key to the online world we live in revolves around our primary email address.

If a hacker is able to gain access to our primary email address, the hacker can use that email address to reset passwords in our Facebook, Twitter, Google+, Dropbox, Box or any other online service that we use.  I doubt if any system can hold off a skilled and determined hacker forever, but there are a few things we can do to make your online persona and data more secure.

Use Gmail and enable two step authentication. Most email services rely on a user created password to provide security. Gmail uses two step authentication. First you have your password. Second, the device you access your account to has to have been authenticated. When you log on to Google services you will be asked for your password. If this is the first time you log on with a particular device, you will be asked for an authentication code. This code is generated by an app on your smartphone or you can get the code via voice call or SMS. You can set it up to keep your device verified for 30 days, after which you have to authenticate the device again.

So basically, accessing your Gmail account means that a hacker would have to find out what your user generated password is, and that figure out the corresponding Google authentication code, which changes every minute. I would not say hack proof, nothing is, but much safer. 

But I do not want to change email addresses? You do not have to. You can continue to use you Hotmail, Outlook, Yahoo or other address but you should consider using a second email address, a Gmail the address, the place where emails for password recovery are sent.