Apple has issued a statement as well. "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer," Apple's Natalie Kerris said. "In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."
What Can You Do?
Honan admits there are some things he shouldn't have been doing, things that allowed the hacker to get as far as he did.
"I shouldn't have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn't have used the same email prefix across multiple accounts — firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org. And I should have had a recovery address that's only used for recovery without being tied to core services," Honan wrote.
Honan should also have had two-factor authentication enabled on his Google account. With this setting turned on, Google confirms you are who you say you are by sending a verification number to your phone. In the aftermath of Honan's sad tale, Google has put up a blog post urging people to turn on this setting.
"In the end, as much as you want to live in the cloud, you've got to know that your information is vulnerable in the cloud, but it's vulnerable when it's on your computer too," said Robert Siciliano, an online security expert with McAfee. "It's beyond important to back up."
That tech lesson is one Honan says he will never forget. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter," Honan said.
Honan confirmed to ABC News that he doesn't plan to press charges against the hacker. "I decided I could approach this in one of two ways: have this person prosecuted or I could try and understand how it happened and prevent it from happening again," Honan said. He was able to get in touch with the hacker via Twitter after he restored his account.
"It has already become a public service announcement and I'm not going to go back on my word about that."