iCloud attack began with Amazon hack
Writer Mat Honan has detailed how attackers broke into his iCloud account and remotely wiped his iPhone, iPad and MacBook. In an article in Wired, Honan explains how the attackers exploited weaknesses in Amazon's and Apple's customer service procedures to obtain a new iCloud password. Apple's iCloud support will issue a new password to a caller who can supply the account holder's residential address and the last four digits of the credit card registered to the account.
The attackers obtained Honan's residential address from the whois records of a personal domain he had registered. The last four digits of his credit card came from Amazon. They first called Amazon, posing as Honan, and asked to add a credit card to his account; they supplied fabricated card details and then hung up.
They then called Amazon a second time, this time claiming to be locked out of the account and asking to add a new email address to it, and offered the newly added bogus card details as proof of identity. This gave the attackers access to the Amazon account. As Amazon users know, the site does not display full credit card numbers, only the last four digits, but those last four digits are exactly what Apple customer service uses to verify the identity of an iCloud user, and with them the attackers took over the account.
The last four digits of a credit card number are routinely printed on receipts, although receipts, unlike an Amazon account, cannot usually be obtained remotely. Why Apple relies on a value that merchants and other services display openly to identify a card is unclear; it may be a side effect of Apple's internal systems showing only those four digits to customer service representatives so that staff never see full card numbers.
Once the account had been breached, Honan notes, the attackers quickly moved the password reset emails from the various services to the trash. Within forty minutes of the call to Apple they had reset his Twitter password, posted a claim of responsibility on his Twitter account, deleted his Google account and sent wipe commands to his iPhone, iPad and MacBook. He has since been contacted by the attackers, who say they were only trying to "grab" his three-character Twitter handle and that the account deletions and device wipes were collateral damage.
Apple told the New York Times that it had made a mistake when resetting the password and that its protocols were not completely followed in this case. However, Honan says that a colleague at Wired has since been able to reset a different Apple ID by repeating the same process the attackers used.