"They didn't hack into my account in the traditional bad movie way where they are trying a million different passwords," he said. "They made a phone call to tech support and tech support gave them a temporary password."
In a story he wrote for Wired, Honan described in detail how the hacker was able to exploit security flaws to gain access to all of his information. Honan's experience underscores that as companies and people become more dependent on the cloud, they need to take steps to protect the data stored there.
"The interesting thing is to me, as I started to dive into it a little bit I realized that there [are] some really easy exploitable security vulnerabilities at a lot of big companies," Honan said. "All of the big tech companies are moving towards cloud based solutions, but they haven't really set up the security mechanisms they should have for us to be doing that."
Honan said that backing up data stored in the cloud, and using extra security features like two-factor authentication to verify email accounts, are two good ways to prevent users from losing data and from getting hacked in the first place.
Apple and Amazon's Security Problem
Full details of Honan's attack can be found in his article. In a nutshell, the hacker exploited simple security flaws to destroy Honan's digital life.
First, the hacker called up Amazon pretending to be Honan, and told customer service that he wanted to add another credit card to Honan's account.
To add the new credit card number, the hacker only had to give Amazon the name on the account, the billing address and an e-mail address associated with the account.
The hacker did a basic search to find Honan's billing address, used the e-mail address listed on Honan's personal website, and supplied a fake credit card number that met Amazon's requirements for verification.
After the credit card was added to the account, the hacker called Amazon back up and told the company that he lost access to the account.
The hacker only needed to provide a name, a billing address and a credit card on the account (he used the credit card number he had just added) for Amazon to add a new e-mail address to Honan's account.
Once the e-mail was added to the account, the hacker sent a password reset to the e-mail account he had just added and was able to gain access to Honan's account. From there he had partial access to Honan's credit card numbers (Amazon shows the last four digits of credit card numbers on the account).
But those few credit card digits were the key to gaining access to everything Honan had on Apple's iCloud.
The hacker called AppleCare, and after he provided only Honan's billing address and the last four digits of his credit card number, Apple issued him a temporary password that granted access to Honan's iCloud, Honan said.
Amazon and Apple have since changed their customer service procedures, closing these security holes, Honan said.
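For readers who review account-recovery procedures, the chain above can be modelled as attribute reachability: each support action accepts some facts as proof and yields new ones. The Python sketch below is an added example, not code from the article or from either company. Its action and attribute names, and the `out_of_band_factor` used to represent a hardened check, are illustrative assumptions.

```python
"""Knowledge-based verification modelled as attribute reachability."""

# Constructed model of the phone-support checks the article describes.
# Action and attribute names are illustrative labels, not vendor APIs.
# Each entry: (action, facts the caller must state, facts the action yields)
POLICIES = [
    ("amazon_add_card", {"name", "billing_address", "email"}, {"card_on_file"}),
    ("amazon_add_email", {"name", "billing_address", "card_on_file"}, {"reset_mailbox"}),
    ("amazon_password_reset", {"reset_mailbox"}, {"amazon_account"}),
    ("amazon_show_cards", {"amazon_account"}, {"card_last4"}),
    ("apple_temp_password", {"billing_address", "card_last4"}, {"icloud_account"}),
]

# Facts the article says were obtainable without any account access.
PUBLIC = {"name", "billing_address", "email"}
OUT_OF_BAND = "out_of_band_factor"  # assumed extra proof a caller cannot look up


def reachable(known, policies):
    """Return (facts, ordered actions) obtainable from `known` by fixed-point closure."""
    facts, path = set(known), []
    progressed = True
    while progressed:
        progressed = False
        for action, needs, yields in policies:
            if needs <= facts and not yields <= facts:
                facts |= yields
                path.append(action)
                progressed = True
    return facts, path


def harden(policies, action_name):
    """Copy `policies` with one action additionally requiring OUT_OF_BAND."""
    return [(a, needs | {OUT_OF_BAND} if a == action_name else needs, y)
            for a, needs, y in policies]


def chain_breakers(known, policies, target):
    """List the actions whose hardening alone makes `target` unreachable."""
    return [a for a, _, _ in policies
            if target not in reachable(known, harden(policies, a))[0]]


if __name__ == "__main__":
    facts, path = reachable(PUBLIC, POLICIES)
    print("reachable:", sorted(facts - PUBLIC))
    print("order:", " -> ".join(path))
    print("single fixes:", chain_breakers(PUBLIC, POLICIES, "icloud_account"))
```

In this model every step sits on the single path to `icloud_account`, so requiring an unguessable factor at any one of them makes the target unreachable from public facts alone.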