On Tuesday, Apple ordered its telephone support staff to immediately stop processing AppleID password change requests. The likely temporary change in procedure follows the identity hack of Wired reporter Mat Honan over the weekend. An attacker tricked an AppleCare representative into resetting Honan's iCloud password, which started a chain of password resets, each granting access to the next system and culminating in the reporter's Twitter accounts; along the way his MacBook, iPad, and iPhone were remotely wiped and his Gmail account was deleted.
An Apple employee told Wired that the phone support password procedure change would last at least 24 hours, but MacNN was told that the block would be in place "as long as it takes" to update Apple's policies and procedures to prevent another event like the weekend's hack. The change follows changes to Amazon's security routine, which previously allowed attackers to take control of an Amazon account as long as the account holder's name, email address, and mailing address were known.
MacNN was attempting to recreate the events of the weekend hack when the block was discovered. The attempt failed, and the phone representative said that the company was undergoing "maintenance upgrades" that prevented password resets over the phone. The phone support technician directed all password reset requests to iforgot.apple.com. In a telephone conversation with support supervisors, MacNN learned that the identity verification procedure to be used once the temporary ban on phone password resets expires was "in discussion" at the executive level of Apple support.
Honan said he has confirmed with both Apple and the hacker who victimized him that his iCloud account was compromised through a "social engineering" trick played on AppleCare. The hacker got an AppleCare support staffer to skip the security questions by providing information obtained from Amazon, and then had Honan's password reset, which gave the hacker complete access to anything tied to Honan's iCloud account or email address. This included not only his personal and Gizmodo Twitter accounts, but also Honan's Gmail account, which was completely deleted.
The Find My iPhone app in iOS includes a device erase feature, which was used to remotely wipe Honan's Mac, iPhone, and iPad once the hacker had seized his iCloud account. Apple admits that a failure to follow normal support procedures and rules resulted in the hack.