How, Knowing Only a Name and Email, Attackers Gained Access to All Accounts and Remotely Wiped All Devices
A fascinating case study of how attackers chained together Amazon, Apple, Gmail, and Twitter vulnerabilities using only publicly available information to hijack all accounts and remotely wipe all devices.
A very interesting article appeared today on wired.com. In literally one hour, the author Mat Honan had his Amazon, Gmail, Apple, and Twitter accounts hacked, and all data on his iPad, iPhone, and MacBook was remotely wiped. Among other things, he lost all photos of his daughter since her birth, many documents, and most of his correspondence. What makes this story particularly interesting is how the attacker gained access to the Amazon account and Apple ID — all it took was publicly available information and a phone.
The attacker took a liking to Mat's three-letter Twitter handle. In order to obtain it, he conducted a small investigation, during which he discovered that Mat's Twitter account contained a link to his personal website, which in turn contained his Gmail address. Having the Gmail address, the attacker initiated the password recovery process. Since Mat did not have two-factor authentication enabled, Google helpfully displayed an obfuscated alternative email address on the first password recovery screen: m****n@me.com. By matching this pattern with the Gmail address mhonan@gmail.com, the attacker obtained the author's Apple email.
The first thing the attacker needed to proceed to the interesting part was Mat's postal address, which was easily found via a WhoIs lookup on the domain of his personal website. Armed with the address, the attacker called Amazon and said he was the account owner and wanted to add a new credit card. To verify that the caller was indeed the account owner, Amazon asked for the address, name, and email — the attacker already had all of this information, and he successfully added a fake credit card number that he had generated beforehand on one of the websites that produce such numbers.
Then he called Amazon again and said he had lost access to his Amazon account. Amazon asked for the name, address, and credit card number. After providing this information (the credit card number added in the previous step worked), the attacker was able to add a new email address to the account, through which he reset the password. In the Amazon account, you can view the list of saved credit cards, where, for security purposes, only the last four digits of the number are displayed.
Next, the attacker called AppleCare, where he was asked for his name, address, and the last four digits of the credit card, and was issued a temporary password for the .me account. Using this account, the attacker reset the Gmail password, and through Gmail, the Twitter password. Using the Apple ID, he also remotely wiped all data from the iPhone, iPad, and MacBook via the Find My iPhone and Find My Mac services. A tragic end to the story.
Later, Mat contacted Apple, where he was told that in this particular case internal procedures had not been fully followed, and that Apple takes user security very seriously. Wired also sent a request to Amazon, but had not yet received a response.
Today, three days after all of this happened, the folks at Wired were able to fully reproduce the entire trick twice within minutes — from an address and name to gaining access to Amazon and Apple accounts with all the consequences that follow.