As hacking victim's story spreads, Apple and Amazon tighten security

A tech journalist's online life was erased over the weekend – and the hackers used nothing more than easily obtainable pieces of personal information to trick Apple and Amazon into letting them gain control of his accounts.

Amazon tightened its security policies this week after hackers exploited its customer service department to erase a tech journalist's online footprint. Here, Amazon CEO Jeff Bezos speaks at the launch of the Kindle Fire tablet in September 2011.

By now you might be familiar with the saga of Mat Honan, the Wired reporter whose entire digital life was destroyed by hackers over the weekend. And you might be in the process of checking the security of your own online stuff. If you're an Amazon customer, at least, you can breathe (slightly) easier: Amazon quietly changed its customer privacy policies this week, presumably making it harder for other hackers to carry out similar attacks.

To recap: The hackers didn't use any sophisticated algorithms or brute-force attacks to gain access to Honan's online information. They just called Apple, pretending to be Mr. Honan and claiming to have lost access to the associated Apple e-mail account.

The hackers supplied two pieces of easily discoverable information – a billing address and the last four digits of a credit card (which they were able to obtain by exploiting an Amazon loophole) – and were able to reset Honan's e-mail account. From there, they took Honan's Twitter account, and wiped his iPhone, iPad, and MacBook. Then they erased his Google account, along with tons of personal photos and documents.

Now, at least, both companies have battened down the security hatches a little bit. At the time Honan was hacked, someone could call in to change the e-mail address or credit card associated with an Amazon account by supplying a name, e-mail address, and mailing address. Shortly after Honan's story was widely publicized, though, Amazon changed its policy so that these pieces of information can no longer be changed by phone.

Amazon told the Los Angeles Times, "We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday [Monday] afternoon."

For its part, Apple – whose "Find My Mac" service allowed the hackers to wipe most of Honan's data – also implemented a freeze on over-the-phone password changes. Wired quotes an Apple customer service representative, as well as an employee "with knowledge of the situation," who speculate that the freeze may be a way for Apple to buy time to determine whether any other security policies need to be tightened.

Of course, these changes don't mean that we're all safe from hacks again. Honan's story still serves as a cautionary tale against what he described as "flaws in data management policies endemic to the entire technology industry." But it does mean that both companies are taking more seriously their roles as the stewards of some pretty sensitive customer information.

If you're concerned about the security of your data, the usual rules still apply: Make multiple backups of your stuff (Honan had his data backed up only to Apple's iCloud service, which was compromised when the hackers took control of his Apple account; a local copy of the data would have prevented its loss). Don't link sensitive accounts to one another, as Honan did by connecting his Apple and Gmail accounts. And consider using additional security, such as Google's two-factor authentication, which requires a special phone code before an account can be accessed.
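The recap above, and the advice that follows it, both come down to one point: each company's phone-recovery policy accepted facts that another company exposed, so the "proofs of identity" chained into a full takeover. The following is an added example, not code from the article, Apple, Amazon or Google, that models recovery policies as rules (facts a caller must recite, facts the account then reveals, whether the phone flow is open) and computes which accounts fall to a caller who starts with only the cheap facts the article names. All rule contents, the fact names such as `gmail_2fa_code`, and the assumption that Amazon's mailing address equals Apple's billing address are constructed for the example; the "before" list mirrors the article's description, the "after" list applies the reported policy changes plus the article's advice on unlinking accounts and enabling two-factor authentication.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryRule:
    """One service's over-the-phone account-recovery policy (constructed model)."""
    service: str
    requires: frozenset           # facts a caller must recite to be "verified"
    reveals: frozenset            # facts the account holder can see once inside
    phone_flow_open: bool = True  # False = phone changes frozen, as both companies did


def reachable_takeovers(rules, starting_facts):
    """Services a caller can take over starting from `starting_facts`.

    Runs to a fixed point: each takeover adds the facts that account reveals,
    which may satisfy another service's rule. A rule is passed only when its
    phone flow is open and every fact it requires is already known.
    """
    facts = set(starting_facts)
    owned = set()
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if rule.service in owned or not rule.phone_flow_open:
                continue
            if rule.requires <= facts:
                owned.add(rule.service)
                facts |= rule.reveals
                progress = True
    return owned


def weakest_links(rules, starting_facts):
    """Rules a caller passes with nothing but the cheap starting facts:
    the entry points a policy reviewer should look at first."""
    known = set(starting_facts)
    return {r.service for r in rules if r.phone_flow_open and r.requires <= known}


# Facts the article calls "easily discoverable" (assumed available from public records).
CHEAP_FACTS = frozenset({"name", "email", "billing_address"})

# Policies as the article describes them at the time of the incident.
# Assumption: the mailing address Amazon accepted is the billing address Apple accepted.
BEFORE = [
    RecoveryRule("amazon", frozenset({"name", "email", "billing_address"}),
                 frozenset({"card_last4"})),
    RecoveryRule("apple", frozenset({"billing_address", "card_last4"}),
                 frozenset({"apple_email"})),
    # Twitter and Gmail were linked to the Apple address, so a reset mail sent there suffices.
    RecoveryRule("twitter", frozenset({"apple_email"}), frozenset()),
    RecoveryRule("gmail", frozenset({"apple_email"}), frozenset()),
]

# After the reported changes and the article's advice: phone changes frozen at
# both companies, Gmail no longer tied to the Apple address, and Google
# two-factor requiring a code from a phone the caller does not hold
# ("gmail_password" and "gmail_2fa_code" are constructed fact names).
AFTER = [
    RecoveryRule("amazon", frozenset({"name", "email", "billing_address"}),
                 frozenset({"card_last4"}), phone_flow_open=False),
    RecoveryRule("apple", frozenset({"billing_address", "card_last4"}),
                 frozenset({"apple_email"}), phone_flow_open=False),
    RecoveryRule("twitter", frozenset({"apple_email"}), frozenset()),
    RecoveryRule("gmail", frozenset({"gmail_password", "gmail_2fa_code"}), frozenset()),
]


if __name__ == "__main__":
    print("before:", sorted(reachable_takeovers(BEFORE, CHEAP_FACTS)))  # all four services
    print("after: ", sorted(reachable_takeovers(AFTER, CHEAP_FACTS)))   # nothing
    print("entry points before:", weakest_links(BEFORE, CHEAP_FACTS))   # {'amazon'}
```

The useful property for a reviewer is that closing any one link breaks everything downstream of it: with only Amazon's phone flow frozen, Apple's rule can no longer be satisfied because the last four card digits never become known, which is exactly why a single cheap-to-pass rule in one company's policy is a problem for every account that chains off it.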
