Last Friday, Mat Honan (writer for Wired and Gizmodo) had his digital life destroyed. Hackers, whose only desire was to take over Mat's three-letter Twitter account, gained control of his Google, Twitter and Apple accounts by social engineering the customer support staff at Apple and Amazon. Mat has detailed the story of how the hack happened (he was ultimately able to talk to the hackers involved). In summary, the attackers contacted Amazon and Apple customer service, gained control of Mat's Apple accounts and then were able to gain control of Mat's Gmail and Twitter accounts. (Mat's Twitter account used the same password as his Gmail account.) The hackers deleted Mat's Gmail account, began sending out offensive messages on his Twitter account, and used Apple's "Find my Mac/iPhone" feature to remotely erase Mat's laptop and iPhone.
There are numerous lessons we can take away from this incident. First and foremost, companies like Apple and Amazon have a responsibility to better protect customer data and do a better job of validating customers when they call in for help. The fact that Apple allowed a password reset on Mat's account based on a billing address and the last four digits of a credit card should be very concerning, considering this data is very easy to get. (The hackers were able to obtain this information from Amazon in the space of two or three phone calls.) Both Apple and Amazon have since suspended over-the-phone password reset requests.
Second, there are things we can do to help mitigate both the likelihood of this happening as well as the impact if it had happened. In Mat's case, had he been using Google's two-factor authentication for email access, the hackers would have failed. Wired has a comprehensive list of steps one can take, but here are a few to consider.
- Use two-factor authentication on your Gmail accounts.
- Use unique, strong passwords for different accounts. This can get difficult to track, so think about using a password manager such as KeePass, LastPass, or 1Password.
- Don't link accounts together. For example, if you have two Twitter accounts, log into them separately. Don't combine them.
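To see why these three steps matter together, here is a small added example (not from the original post) that models the chain of accounts described above: one account is the password-reset address for the next, and two of them share a password. The account names, passwords and the "two_factor" flag are constructed sample data; the script computes how far a single takeover spreads before and after applying the mitigations.

```python
from collections import defaultdict

# Constructed sample data (not from the post), modelled on the incident:
# the Apple ID is Gmail's recovery address, Gmail is Twitter's, and Twitter
# reuses Gmail's password. "two_factor" marks accounts where a reset or a
# stolen password alone is not enough to log in.
ACCOUNTS = {
    "amazon":  {"recovers_via": None,    "password": "pw-amazon", "two_factor": False},
    "apple":   {"recovers_via": None,    "password": "pw-apple",  "two_factor": False},
    "gmail":   {"recovers_via": "apple", "password": "pw-shared", "two_factor": False},
    "twitter": {"recovers_via": "gmail", "password": "pw-shared", "two_factor": False},
}

def blast_radius(accounts, start):
    """Accounts an attacker reaches after taking over `start`, following
    password-reset chains and reused passwords; two-factor accounts stop
    the chain because neither path yields a complete login."""
    recovered_by = defaultdict(set)   # account -> accounts it can reset
    by_password = defaultdict(set)    # password -> accounts using it
    for name, acct in accounts.items():
        if acct["recovers_via"]:
            recovered_by[acct["recovers_via"]].add(name)
        by_password[acct["password"]].add(name)
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        candidates = recovered_by[cur] | by_password[accounts[cur]["password"]]
        stack.extend(n for n in candidates if not accounts[n]["two_factor"])
    return seen

def reused_passwords(accounts):
    """Map each password used by more than one account to those accounts."""
    by_password = defaultdict(set)
    for name, acct in accounts.items():
        by_password[acct["password"]].add(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}

def harden(accounts, two_factor_on=(), unique_passwords=False):
    """Copy of `accounts` with two-factor enabled on the named accounts and,
    optionally, a distinct password per account."""
    out = {}
    for name, acct in accounts.items():
        new = dict(acct)
        if name in two_factor_on:
            new["two_factor"] = True
        if unique_passwords:
            new["password"] = f"pw-unique-{name}"
        out[name] = new
    return out

if __name__ == "__main__":
    print(sorted(blast_radius(ACCOUNTS, "apple")))   # ['apple', 'gmail', 'twitter']
    safer = harden(ACCOUNTS, two_factor_on={"gmail"}, unique_passwords=True)
    print(sorted(blast_radius(safer, "apple")))      # ['apple']
```

Turning on two-factor for Gmail alone already cuts the chain at the Apple ID, which matches the post's point that the attack would have failed there; unique passwords remove the second path from Gmail into Twitter.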