A Persistent Hacker and the Destruction of an Online Life
Tech writer becomes victim, loses photos, emails, device settings.
Aug. 8, 2012 -- The Cloud has a lot of benefits. You can access your information from anywhere and any device, save space on your computer's hard drive, and more.
It can also have major downsides, as one tech writer has now learned.
Mat Honan, a senior writer at Wired and a former senior reporter for Gizmodo.com, learned the hard way on Friday evening that hackers had taken over his entire online life. They took over his Twitter account. They cleaned out his entire Google account and Gmail inbox. His iPhone, iPad, and MacBook were completely wiped. He has lost years of files and, more important, photos of his daughter.
"I was in my daughter's bedroom and I was playing with her and I saw the phone power down. At first I thought the battery died. I went and plugged in the phone and when I did that I got the 'activate your phone' screen," Honan told ABC News in a phone interview. Honan then grabbed his MacBook and saw alerts that his Google account password was incorrect. His MacBook then powered itself off. When he grabbed his iPad he got the same screen.
At this point, realizing something was very wrong, he suspected someone was hacking him.
"My first thought was that someone had gotten onto my local network, so I went upstairs and turned off the router," Honan said.
Anyone following Honan's Twitter account knew something was wrong as well. The account had been plastered with profane, homophobic, and racist comments. And because Honan previously controlled Gizmodo's Twitter account, followers there saw some offensive messages too.
How Did it Happen?
Over the last few days Honan has been trying to figure out how this happened to him. By putting the digital pieces together and chatting with the hacker himself, he got a pretty good idea of how it all went down.
The hacker, who identified himself as Phobia, initially came across Honan's Twitter account. In fact, the hacker told Honan that his original intention was just to mess with Honan's three-letter Twitter handle (@mat) and cause havoc for him and his followers.
"They said they liked the name and they wanted to take it. They have on the website of the group all the other Twitter accounts they have taken," Honan said.
From Twitter he ended up on Honan's personal webpage, and there found Honan's personal Gmail address. From there he went to Google's account recovery page, and because Honan didn't have two-factor authentication turned on, the page showed him that Honan had another email account with Apple, ending in @me.com.
Phobia knew he could get access to Honan's @me.com account with just his billing address and the last four digits of his credit card. The billing address was easy: He found it via Honan's registered domain name. The credit card number was harder to get, but thanks to a loophole at Amazon it was easy enough for the persistent hacker.
He knew that if you call Amazon, tell them you are the account holder, and ask to add a credit card, all you need is the name on the account, the associated email address, and the billing address. Phobia had all of those. Here comes the loophole: call back and tell Amazon you've lost access to your account, provide a name, billing address, and the new credit card number, and Amazon will let you send the new account info to a new email address.
Phobia then went back to Apple with the credit card number and Honan's billing address. Phobia gained access to Honan's entire iCloud account and Apple @me.com address. That gave him access to Honan's other online accounts, including Google and Twitter, since Honan had all these accounts linked to each other via iCloud and Google.
"What happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account," Honan wrote on Wired. "Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information."
That's the very, very short version of what really happened. Honan has published a lengthy account of what happened on Wired.com.
Apple and Amazon Respond
Apple and Amazon have both issued statements on the security issues that have been exposed.
"We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon spokesperson, Ty Rogers, told ABC News.
Apple has issued a statement as well. "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer," Apple's Natalie Kerris said. "In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."
What Can You Do?
Honan admits there are some things he shouldn't have been doing, things that allowed the hacker to get as far as he did.
"I shouldn't have daisy-chained two such vital accounts — my Google and my iCloud account — together. I shouldn't have used the same email prefix across multiple accounts — mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I should have had a recovery address that's only used for recovery without being tied to core services," Honan wrote.
Honan should have also had two-factor authentication enabled on his Google account. This step requires Google to confirm you are you by sending a verification number to your phone. In the aftermath of Honan's sad tale, Google has put up a blog post urging people to turn on this setting.
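The daisy-chaining Honan describes can be checked for in your own account inventory. The Python example below is added here and is not part of the original article; the inventory (including the "bank" entry and the "recovery-only-mailbox" name) is constructed, and it assumes that two-factor authentication stops a password reset sent to a compromised mailbox.

```python
"""Audit which accounts fall if one mailbox is taken over (added example)."""
from collections import deque

# Constructed inventory: each account lists the mailbox that receives its
# password resets and whether two-factor authentication is enabled.
ACCOUNTS = {
    "icloud":  {"recovery": None,     "two_factor": False},
    "gmail":   {"recovery": "icloud", "two_factor": False},
    "twitter": {"recovery": "gmail",  "two_factor": False},
    "bank":    {"recovery": "gmail",  "two_factor": True},
}


def blast_radius(accounts, first_compromised):
    """Return the accounts reachable through password-reset mail, in order.

    Assumption: an account falls when its recovery mailbox is already
    compromised and it has no second factor to stop the reset.
    """
    fallen = [first_compromised]
    queue = deque([first_compromised])
    while queue:
        mailbox = queue.popleft()
        for name, cfg in accounts.items():
            if name in fallen:
                continue
            if cfg["recovery"] == mailbox and not cfg["two_factor"]:
                fallen.append(name)
                queue.append(name)
    return fallen


def harden(accounts, name, recovery=None, two_factor=True):
    """Return a copy of the inventory with one account's settings changed."""
    updated = {k: dict(v) for k, v in accounts.items()}
    updated[name].update(recovery=recovery, two_factor=two_factor)
    return updated


if __name__ == "__main__":
    print("before:", blast_radius(ACCOUNTS, "icloud"))
    # Give Gmail a dedicated recovery address and turn on two-factor.
    fixed = harden(ACCOUNTS, "gmail", recovery="recovery-only-mailbox")
    print("after: ", blast_radius(fixed, "icloud"))
```

Replace the constructed inventory with your own accounts; any account that appears in the result for a mailbox you do not fully trust is one to give a separate recovery address or a second factor.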
"In the end, as much as you want to live in the cloud, you've got to know that your information is vulnerable in the cloud, but it's vulnerable when it's on your computer too," said Robert Siciliano, an online security expert with McAfee. "It's beyond important to back up."
That tech lesson is one Honan says he won't ever forget again. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter," Honan said.
Honan confirmed to ABC News that he doesn't plan to press charges against the hacker. "I decided I could approach this in one of two ways: have this person prosecuted or I could try and understand how it happened and prevent it from happening again," Honan said. He was able to get in touch with the hacker via Twitter after he restored his account.
"It has already become a public service announcement and I'm not going to go back on my word about that."
Read Honan's full account of how his online life was disassembled on Wired.com.