{
	"id": "b9d89f6a-ccd2-4ef4-9711-c40ccbfa659f",
	"created_at": "2026-04-06T00:09:24.007287Z",
	"updated_at": "2026-04-10T03:20:46.542845Z",
	"deleted_at": null,
	"sha1_hash": "2f523afacbb335e7733cd074ec7ec30a0e6b2f7c",
	"title": "How Apple and Amazon Security Flaws Led to My Epic Hacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2109640,
	"plain_text": "How Apple and Amazon Security Flaws Led to My Epic Hacking\r\nBy Mat Honan\r\nPublished: 2012-08-07 · Archived: 2026-04-05 14:39:16 UTC\r\nIn the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then\r\ndeleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic\r\nmessages. Here's the story of exactly how my hackers created havoc by exploiting Apple and Amazon security\r\nflaws.\r\nMeet Mat Honan. He just had his digital life dissolved by hackers. Photo: Ariel Zambelich/Wired.\r\nIllustration: Ross Patton/Wired\r\nIn the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then\r\ndeleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic\r\nmessages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of\r\nthe data on my iPhone, iPad, and MacBook.\r\nIn many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my\r\nhackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had\r\nI used two-factor authentication for my Google account, it’s possible that none of this would have happened,\r\nbecause their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.\r\nHad I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a\r\nyear’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in\r\nno other location.\r\nhttps://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/\r\nPage 1 of 9\n\nThose security lapses are my fault, and I deeply, deeply regret them.\r\nBut what happened to me exposes vital security flaws in several customer service systems, most notably Apple's\r\nand Amazon’s. 
Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them\r\nthe ability to see a piece of information – a partial credit card number – that Apple used to release information. In\r\nshort, the very four digits that Amazon considers unimportant enough to display in the clear on the web are\r\nprecisely the same ones that Apple considers secure enough to perform identity verification. The disconnect\r\nexposes flaws in data management policies endemic to the entire technology industry, and points to a looming\r\nnightmare as we enter the era of cloud computing and connected devices.\r\nThis isn’t just my problem. Since Friday, Aug. 3, when hackers broke into my accounts, I’ve heard from other\r\nusers who were compromised in the same way, at least one of whom was targeted by the same group.\r\nMoreover, if your computers\r\naren't already cloud-connected devices, they will be soon. Apple is working hard to get all of its customers to use\r\niCloud. Google’s entire operating system is cloud-based. And Windows 8, the most cloud-centric operating system\r\nyet, will hit desktops by the tens of millions in the coming year. My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms – which can\r\nbe cracked, reset, and socially engineered – no longer suffice in the era of cloud computing.\r\nI realized something was wrong at about 5 p.m. on Friday. I was playing with my daughter when my iPhone\r\nsuddenly powered down. I was expecting a call, so I went to plug it back in.\r\nIt then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch.\r\nAnd, my phone automatically backs up every night. 
I just assumed it would be a pain in the ass, and nothing more.\r\nI entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.\r\nI went to connect the iPhone to my computer and restore from that backup — which I had just happened to do the\r\nother day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information\r\nwas wrong. Then the screen went gray, and asked for a four-digit PIN.\r\nI didn’t have a four-digit PIN.\r\nBy now, I knew something was very, very wrong. For the first time it occurred to me that I was being hacked.\r\nUnsure of exactly what was happening, I unplugged my router and cable modem, turned off the Mac Mini we use\r\nas an entertainment center, grabbed my wife’s phone, and called AppleCare, the company’s tech support service,\r\nand spoke with a rep for the next hour and a half.\r\nIt wasn’t the first call they had had that day about my account. In fact, I later found out that a call had been placed\r\njust a little more than a half an hour before my own. But the Apple rep didn't bother to tell me about the first call\r\nconcerning my account, despite the 90 minutes I spent on the phone with tech support. Nor would Apple tech\r\nsupport ever tell me about the first call voluntarily – it only shared this information after I asked about it. And I\r\nonly knew about the first call because a hacker told me he had made the call himself.\r\nAt 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says\r\nthe caller reported that he couldn't get into his Me.com e-mail – which, of course was my Me.com e-mail.\r\nIn response, Apple issued a temporary password. It did this despite the caller’s inability to answer security\r\nquestions I had set up. 
And it did this after the hacker supplied only two pieces of information that anyone with an\r\ninternet connection and a phone can discover.\r\nAt 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my me.com e-mail, and rarely\r\ncheck it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the\r\ntrash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.\r\nAt 4:52 p.m., a Gmail password recovery e-mail arrived in my me.com mailbox. Two minutes later, another e-mail\r\narrived notifying me that my Google account password had changed.\r\nAt 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my\r\niPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time,\r\nthey deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to\r\nmy account on Twitter taking credit for the hack.\r\nBy wiping my MacBook and deleting my Google account, they now not only had the ability to control my\r\naccount, but were able to prevent me from regaining access. And crazily, in ways that I don’t and never will\r\nunderstand, those deletions were just collateral damage. My MacBook data – including those irreplaceable\r\npictures of my family, of my child’s first year and relatives who have now passed from this life – weren’t the\r\ntarget. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook\r\ndata was torched simply to prevent me from getting back in.\r\nLulz.\r\nI spent an hour and a half talking to AppleCare. One of the reasons it took me so long to get anything resolved\r\nwith Apple during my initial phone call was because I couldn't answer the security questions it had on file for me.\r\nIt turned out there’s a good reason for that. 
Perhaps an hour or so into the call, the Apple representative on the line\r\nsaid “Mr. Herman, I....”\r\n“Wait. What did you call me?”\r\n“Mr. Herman?”\r\n“My name is Honan.”\r\nApple had been looking at the wrong account all along. Because of that, I couldn’t answer my security questions.\r\nAnd because of that, it asked me an alternate set of questions that it said would let tech support let me into my\r\nme.com account: a billing address and the last four digits of my credit card. (Of course, when I gave them those, it\r\nwas no use, because tech support had misheard my last name.)\r\nIt turns out, a billing address and the last four digits of a credit card number are the only two pieces of information\r\nanyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that\r\npassword grants access to iCloud.\r\nApple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the\r\nassociated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file.\r\nI was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to\r\nme. “That’s really all you have to have to verify something with us,” he said.\r\nWe talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired,\r\n\"Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID\r\npassword. In this particular case, the customer's data was compromised by a person who had acquired personal\r\ninformation about the customer. In addition, we found that our own internal policies were not followed\r\ncompletely. 
We are reviewing all of our processes for resetting account passwords to ensure our customers' data is\r\nprotected.\"\r\nOn Monday, Wired tried to verify the hackers' access technique by performing it on a different account. We were\r\nsuccessful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily\r\nacquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of\r\nhow the hackers got them.\r\nBy exploiting the customer service procedures employed by Apple and Amazon, hackers were able\r\nto get into iCloud and take over all of Mat Honan's digital devices – and data. Photo: Ariel\r\nZambelich/Wired\r\nOn the night of the hack, I tried to make sense of the ruin that was my digital life. My Google account was nuked,\r\nmy Twitter account was suspended, my phone was in a useless state of restore, and (for obvious reasons) I was\r\nhighly paranoid about using my Apple email account for communication.\r\nI decided to set up a new Twitter account until my old one could be restored, just to let people know what was\r\nhappening. I logged into Tumblr and posted an account of how I thought the takedown occurred. At this point, I\r\nwas assuming that my seven-digit alphanumeric AppleID password had been hacked by brute force. In the\r\ncomments (and, oh, the comments) others guessed that hackers had used some sort of keystroke logger. At the end\r\nof the post, I linked to my new Twitter account.\r\nAnd then, one of my hackers @ messaged me. He would later identify himself as Phobia. I followed him. He\r\nfollowed me back.\r\nWe started a dialogue via Twitter direct messaging that later continued via e-mail and AIM. Phobia was able to\r\nreveal enough detail about the hack and my compromised accounts that it became clear he was, at the very least, a\r\nparty to how it went down. 
I agreed not to press charges, and in return he laid out exactly how the hack worked.\r\nBut first, he wanted to clear something up:\r\n“didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”\r\nI asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said\r\nthey hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy.\r\nHe said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just\r\nwanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.\r\n“I honestly didn’t have any heat towards you before this. i just liked your username like I said before” he told me\r\nvia Twitter Direct Message.\r\nAfter coming across my account, the hackers did some background research. My Twitter account linked to my\r\npersonal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for\r\nTwitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This\r\nwas just a recon mission.\r\nBecause I didn’t have Google's two-factor authentication turned on, when Phobia entered my Gmail address, he\r\ncould view the alternate e-mail I had set up for account recovery. Google partially obscures that information,\r\nstarring out many characters, but there were enough characters available, m••••n@me.com. Jackpot.\r\nThis was how the hack progressed. If I had some other account aside from an Apple e-mail address, or had used\r\ntwo-factor authentication for Gmail, everything would have stopped here. 
But using that Apple-run me.com e-mail\r\naccount as a backup told the hacker I had an AppleID account, which meant I was vulnerable to being\r\nhacked.\r\nBe careful with your Amazon account – or someone might buy merchandise on your credit card, but\r\nsend it to their home.\r\nPhoto: luxuryluke/Flickr\r\n“You honestly can get into any email associated with apple,” Phobia claimed in an e-mail. And while it's work,\r\nthat seems to be largely true.\r\nSince he already had the e-mail, all he needed was my billing address and the last four digits of my credit card\r\nnumber to have Apple's tech support issue him the keys to my account.\r\nSo how did he get this vital information? He began with the easy one. He got the billing address by doing a whois\r\nsearch on my personal web domain. If someone doesn’t have a domain, you can also look up his or her\r\ninformation on Spokeo, WhitePages, and PeopleSmart.\r\nGetting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems.\r\nPhobia says that a partner performed this part of the hack, but described the technique to us, which we were able\r\nto verify via our own tech support phone calls. It’s remarkably easy – so easy that Wired was able to duplicate the\r\nexploit twice in minutes.\r\nFirst you call Amazon and tell them you are the account holder, and want to add a credit card number to the\r\naccount. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon\r\nthen allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates\r\nfake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.\r\nNext you call back, and tell Amazon that you've lost access to your account. 
Upon providing a name, billing\r\naddress, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a\r\nnew e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the\r\nnew e-mail account. This allows you to see all the credit cards on file for the account – not the complete numbers,\r\njust the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment\r\non its security policy, but it didn't have anything to share by press time.\r\nAnd it’s also worth noting that one wouldn't have to call Amazon to pull this off. Your pizza guy could do the\r\nsame thing, for example. If you have an AppleID, every time you call Pizza Hut, you’re giving the 16-year-old on\r\nthe other end of the line all he needs to take over your entire digital life.\r\nAnd so, with my name, address, and the last four digits of my credit card number in hand, Phobia called\r\nAppleCare, and my digital life was laid waste. Yet still I was actually quite fortunate.\r\nThey could have used my e-mail accounts to gain access to my online banking, or financial services. They could\r\nhave used them to contact other people, and socially engineer them as well. As Ed Bott pointed out on TWiT.tv,\r\nmy years as a technology journalist have put some very influential people in my address book. They could have\r\nbeen victimized too.\r\nInstead, the hackers just wanted to embarrass me, have some fun at my expense, and enrage my followers on\r\nTwitter by trolling.\r\nI had done some pretty stupid things. Things you shouldn’t do.\r\nI should have been regularly backing up my MacBook. Because I wasn’t doing that, if all the photos from the first\r\nyear and a half of my daughter’s life are ultimately lost, I will have only myself to blame. 
I shouldn't have daisy-chained two such vital accounts – my Google and my iCloud account – together. I shouldn't have used the same e-mail prefix across multiple accounts – mhonan@gmail.com, mhonan@me.com, and mhonan@wired.com. And I\r\nshould have had a recovery address that's only used for recovery without being tied to core services.\r\nBut, mostly, I shouldn’t have used Find My Mac. Find My iPhone has been a brilliant Apple service. If you lose\r\nyour iPhone, or have it stolen, the service lets you see where it is on a map. The New York Times’ David Pogue\r\nrecovered his lost iPhone just last week thanks to the service. And so, when Apple introduced Find My Mac in the\r\nupdate to its Lion operating system last year, I added that to my iCloud options too.\r\nAfter all, as a reporter, often on the go, my laptop is my most important tool.\r\nBut as a friend pointed out to me, while that service makes sense for phones (which are quite likely to be lost) it\r\nmakes less sense for computers. You are almost certainly more likely to have your computer accessed remotely\r\nthan physically. And even worse is the way Find My Mac is implemented.\r\nWhen you perform a remote hard drive wipe on Find my Mac, the system asks you to create a four-digit PIN so\r\nthat the process can be reversed. But here’s the thing: If someone else performs that wipe – someone who gained\r\naccess to your iCloud account through malicious means – there’s no way for you to enter that PIN.\r\nA better way to have this set up would be to require a second method of authentication when Find My Mac is\r\ninitially set up. If this were the case, someone who was able to get into an iCloud account wouldn't be able to\r\nremotely wipe devices with malicious intent. It would also mean that you could potentially have a way to stop a\r\nremote wipe in progress.\r\nBut that’s not how it works. 
And Apple would not comment as to whether stronger authentication is being\r\nconsidered.\r\nAs of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them.\r\nApple says its internal tech support processes weren't followed, and this is how my account was compromised.\r\nHowever, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case – that I was the\r\nvictim of Apple not following its own internal processes – then the problem is widespread.\r\nI asked Phobia why he did this to me. His answer wasn’t satisfying. He says he likes to publicize security exploits,\r\nso companies will fix them. He says it's the same reason he told me how it was done. He claims his partner in the\r\nattack was the person who wiped my MacBook. Phobia expressed remorse for this, and says he would have\r\nstopped it had he known.\r\n“yea i really am a nice guy idk why i do some of the things i do,” he told me via AIM. “idk my goal is to get it out\r\nthere to other people so eventually every1 can over come hackers”\r\nI asked specifically about the photos of my little girl, which are, to me, the greatest tragedy in all this. Unless I can\r\nrecover those photos via data recovery services, they are gone forever. On AIM, I asked him if he was sorry for\r\ndoing that. Phobia replied, “even though i wasnt the one that did it i feel sorry about that. Thats alot of memories\r\nim only 19 but if my parents lost and the footage of me and pics i would be beyond sad and im sure they would be\r\ntoo.”\r\nBut let’s say he did know, and failed to stop it. Hell, for the sake of argument, let’s say he did it. Let’s say he\r\npulled the trigger. The weird thing is, I’m not even especially angry at Phobia, or his partner in the attack. I’m\r\nmostly mad at myself. I’m mad as hell for not backing up my data. 
I’m sad, and shocked, and feel that I am\r\nultimately to blame for that loss.\r\nBut I’m also upset that this ecosystem that I've placed so much of my trust in has let me down so thoroughly. I'm\r\nangry that Amazon makes it so remarkably easy to allow someone into your account, which has obvious financial\r\nconsequences. And then there's Apple. I bought into the Apple account system originally to buy songs at 99 cents a\r\npop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets,\r\ncomputers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an\r\ninstant, or do damage at a cost that you can't put a price on.\r\nAdditional reporting by Roberto Baldwin and Christina Bonnington. Portions of this story originally appeared on\r\nMat Honan’s Tumblr.\r\nContinued: How I Resurrected My Digital Life After an Epic Hacking.\r\nSource: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/"
	],
	"report_names": [
		"apple-amazon-mat-honan-hacking"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f523afacbb335e7733cd074ec7ec30a0e6b2f7c.pdf",
		"text": "https://archive.orkl.eu/2f523afacbb335e7733cd074ec7ec30a0e6b2f7c.txt",
		"img": "https://archive.orkl.eu/2f523afacbb335e7733cd074ec7ec30a0e6b2f7c.jpg"
	}
}