"Yes, I was hacked. Hard."

http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
"..
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere.
.."

It can be that bad

 

Ouch. That just sucks. This is why I use two-factor authentication and a minimum 16 char password for EVERYTHING!! People need to get on this.

 

I didn't see anything about local offline backups. That seems odd, for someone that experienced. I really can't imagine trusting the cloud that much.

 

When I first seen the title I thought Cudni got hacked,I should of know better it was not a wilders member.

 

You're not the only one who thought it.

 

I even wrote a post saying how sorry I felt for Cudni...

 

Thanks for the concern and sorry for the unintentional confusion thanks to the original title. Having said that, it could have been me (don't see what he did wrong in his approach) but luckily it wasn't. Maybe change password periodically?

 

Is it really common that devices can be wiped remotely through cloud backup services?

 

I don't know, but I wouldn't be comfortable with it. I understand it would be a good thing if the device is stolen, but I'm not sure it's worth risking malicious wiping.

 

I completely agree with you, local backups on an external drive are a must, even with cloud backups. To put all of your faith in the cloud, especially with it being relatively new is absolutely crazy IMHO!

 

Let me get this straight: the hacker got access to his iCloud account... And that let him wipe the contents of this guy's personal electronic devices remotely? Is this sort of remote stuff within the normal purview of iCloud, or was some kind of exploit involved?

Because I cannot imagine ever using a service that I knew could be used for such things. It might be more of a pain to have to synchronize your devices manually, but IMO allowing full remote access to your PC's filesystem is a little lacking in foresight. Strong passwords are good, but there should be more than just a password between your local data and a remote attack.

(BTW, I would advise people to avoid reading the comments on the linked page. The trolls are out in force today.)

 

It's normal.

 

Woah all his devices were wiped completely, that's insane, specially his computer .
Well personally i have my Google Account set to 2 way authentication (And only remembers my desktop) and all my main accounts have what i would call extremely hard passwords.

 

This brings new meaning to "having your head in the Clouds"...

Not sure what makes people and companies trust a third party with sensitive info-
(especially companies...they have much to lose.)

I think I'd just rather keep my info outta the cloud.

 

Can users opt out of that?

Can Apple wipe your stuff if it decides that you're evil?

 

Cloud services can come quite handy in some ways (Let's say sync some files that you may need somewhere such as documents etc.) but i would never ever trust em with sensitive information or as my only way of back up.

 

I would still rather use a spare tablet or cell to sync my files, gather my documents remotely, without anyone else involved.

If I were a company with sensitive info, such as clients personal health information, banking or ideas for new patents,
a prize winning secret ale recipe..
I would rather have my company set up it's own closed cloud system,
with strict security protocols for the employees who are allowed to access it.

To me, the Clouds are just another way for, say the gov or a competing company, to pick up all the info they want in one fell swoop..or anyone else that wants the leverage/info for that matter

Just my opinion.

Does anyone think there may come a day that we (or the generations coming up) will not even have a choice
of whether we want to use the cloud system?
It just seems like the perfect setup to add to that world wide database.

 

Data is KING. Simple as that. If your data is really important, you should have redundancy. Period. If you don't have redundancy, then your data must not be that important.

Cloud, not for me right now. I can see the use. Local storage is where I like it. But, no matter the location or how secure you think it is -- if the data is important, you need redundancy.

Isn't that second section a bit redundant? lol

Sul.

 

Are you talking about the world wide database?

It's not redundant yet, cuz they are still slavering after everyone's personal data..
I imagine they won't be happy until they know the contents of your actual drawers ....er dresser drawers.

I prob read too much science fiction, which isn't so far out anymore..
and was also thinking about that Verizon 'share everything' - such a deal!

Gee just what I would want to do with my whole family, especially if I were a teen.

If you have important data, why not use some form of backup you control, is what I am curious about.

Better?

 

It was not because of his passwords. Mat Honan said "They got in via Apple tech support and some clever social engineering that let them bypass security questions."

 

Hmmm...

1. Choosing a relatively short/weak password when a stronger one was likely an option
2. Not changing that password for years and years
3. Setting up iCloud to use the same, older Apple ID used for other services (reusing the same login credentials for multiple services)?
4. Using the same email address for multiple important accounts
5. Using someone else's cloud service to store/sync personal data
6. Failing to maintain offline backups of important data
7. Having multiple personal devices open to remote wiping/modification by other parties
8. Linking one online account to another such that if one is compromised the other is too
9. Too many devices/services from the same provider creating an unnecessary single point of failure

 

"They got in via Apple tech support and some clever social engineering that let them bypass security questions."

There will always be a way .... IMHO.

The bigger the company the easier it is to spring leaks.

Instead of trying to learn or open their minds coporate leaders are still content to
do as little as possible including listen to their own tech department ...

As far as they are concerned it has zero to do with profits and isn't in their big bonus description.
Instead they will pay/push politicians to pass a law. any law that 'sounds' good -
The same politicians that barely know what's going on as far as computers and security as they do.

Which in the long run, affects us and the freeness of the internet in usually negative ways..

===============
Reading WindBringeth's post. He may have been relating to a single person. Still, that sounds alot like some of the same things the employees and management did at the last company I worked for, your security is no good if your own people cut the corners he listed.

 

Was my idea also.
Using the same short password for years and years for a service which offers access to all devices and data and not having any backups...Uh oh!

Then again, as biscuits already posted;
'Update Three:I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. ...'

Some tech support employee has seemingly utterly failed/has had poor training/works with lame procedures/etc.
Even with a 20+char password changed every couple of months, he'd be in the same situation now.

 

I saw the "It wasn't password related" comment. Regardless, it sounds like this person made poor choices when it came to password handling and thus I included that in my list. Which was but a quick, coarse attempt to identify the "potentially dangerous choices" that were made on the user's side, and by extension those "potentially dangerous choices" which others could/should re-evaluate immediately.

It saddens me to read such a story, but there are things that can... should... must... be learned from this. Things that, I truly hope, will be fleshed out and elaborated upon in greater detail. Everything should be on the table for evaluation including not only the choices the user made, not only the choices an Apple tech support employee made, but also the choices Apple and other technology companies are making in terms of how devices, services, tech support tools, etc, etc are being designed and implemented.

Focusing on only one factor that contributed to this (poor choices made by one Apple tech support employee or whatever) would be the greatest of mistakes. This I'm sure is well appreciated by very many here, but not necessarily all who visit the forum.

 

Is anyone really shocked these days when they've just read about someone on the internet, or someone using a popular phone OS' having had their security compromised??

Everything is bugged up to the eyeballs with backdoors for the Governments to snoop us. So why wouldn't the crafty criminal have success doing so too.