Yes, I was hacked. Hard.
So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo’s Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.
Here’s what happened:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7-digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone.
At 5:01 PM, they remote wiped my iPad.
At 5:05 PM, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s, they were then able to gain entry to that as well.
Here’s how I experienced it:
I was playing with my daughter, when my phone went dead. It then rebooted to the setup screen. This was irritating, but I wasn’t concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more. I entered my iCloud login to restore, and it wasn’t accepted. Again, I was irritated, but not alarmed.
I went to connect it to my computer and restore from that backup—which I had just happened to do the other day. When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four digit pin.
I didn’t have a four digit pin.
By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn’t turn on my computer, my iPad, or iPhone.
I used my wife’s iPhone to call Apple tech support. While on hold, I grabbed her laptop and tried to log into Gmail. My password had changed. I couldn’t reset it either because the backup went to iCloud, where my password had also changed.
I checked Twitter, and saw someone had just sent a tweet from that account. I tried to log into Gmail again, and now it told me that my Google account had been deleted. The way to restore it was to send a text message to my phone which I didn’t (and still do not) have access to.
Apple tech support couldn’t verify any of my information—my address, my credit card number, anything—as supporting information. They had me log into the website, where I was able to again change my password. After nearly an hour and a half on the phone, I realized they were spelling my last name incorrectly. They were looking at someone else’s account. Once we cleared that hurdle, well, actually not very much changed. They weren’t able to stop the wipe on my MacBook. Or give me a pin to log into it. Or give me immediate access to my phone. They couldn’t do much of anything, actually. Although they did set an appointment for me at the Genius Bar tomorrow. Actually, I did that, later, when I called the store myself.
At some point in this time, Joe Brown, my friend and editor from Gizmodo, called my wife’s phone to make sure we knew what was going on. We did, but I seriously appreciated the moral support, and felt like a jerk for fucking up Gizmodo’s Twitter. He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting. That was really, really solid. Thank you.
I still can’t get into Gmail. My phone and iPads are down (but are restoring). Apple tells me that the remote wipe is likely irrecoverable without serious forensics. Because I’m a jerk who doesn’t back up data, I’ve lost more than a year’s worth of photos, emails, documents, and more. And, really, who knows what else.
It’s been a shitty night.
Someone claiming to be my hacker has been in touch. I can’t be at all certain of his authenticity, but he says he “didnt guess ur password or use bruteforce. i have my own guide on how to secure emails.”
As for two-factor authentication preventing this, it would have kept my Google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my MacBook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
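The recovery chain the post lays out (iCloud as the root, Gmail recovering through the .mac address, Twitter through Gmail, the linked Gizmodo account, and every device wipeable from iCloud) can be checked as a reachability problem. This is an added example, not code from the original post; the edges and the `sms_phone` second factor are a reading of the narrative, not data from Apple, Google or Twitter, and a second factor is modelled as an asset the attacker never controls.

```python
"""Model the chained account-recovery takeover described in the post as a
reachability problem. Constructed example: the edges below are an illustrative
reading of the post, not data from Apple, Google or Twitter.

Each asset lists zero or more takeover paths; a path is the set of assets an
attacker must already control to take that asset over (a password-reset mail
landing in a controlled backup account, a device wipeable from iCloud, ...)."""

from typing import Dict, FrozenSet, List, Set

TakeoverPaths = Dict[str, List[FrozenSet[str]]]

# iCloud is the root. Gmail's backup address was the .mac/iCloud address,
# Twitter resets via Gmail, Gizmodo's Twitter was linked to the personal one,
# and all three devices could be remote wiped from iCloud.
NO_2FA: TakeoverPaths = {
    "gmail":           [frozenset({"icloud"})],
    "twitter":         [frozenset({"gmail"})],
    "gizmodo_twitter": [frozenset({"twitter"})],
    "iphone":          [frozenset({"icloud"})],
    "ipad":            [frozenset({"icloud"})],
    "macbook":         [frozenset({"icloud"})],
}

def blast_radius(paths: TakeoverPaths, initially_owned: Set[str]) -> Set[str]:
    """Fixpoint: keep taking over any asset whose takeover path is fully
    controlled until nothing new is reachable from the initial foothold."""
    owned = set(initially_owned)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in paths.items():
            if asset not in owned and any(req <= owned for req in alternatives):
                owned.add(asset)
                changed = True
    return owned

def with_second_factor(paths: TakeoverPaths, asset: str, factor: str) -> TakeoverPaths:
    """Harden one asset: every takeover path now also needs the second factor.
    Assumption: the factor (e.g. an SMS phone) is not itself in the graph."""
    hardened = dict(paths)
    hardened[asset] = [req | {factor} for req in paths[asset]]
    return hardened

if __name__ == "__main__":
    root = {"icloud"}
    print("no 2FA:      ", sorted(blast_radius(NO_2FA, root)))
    hardened = with_second_factor(NO_2FA, "gmail", "sms_phone")
    print("2FA on Gmail:", sorted(blast_radius(hardened, root)))
```

With the iCloud foothold alone every asset falls; adding a second factor on Gmail cuts Gmail and both Twitter accounts out of the reachable set while the three devices stay wipeable, which is exactly the trade-off the paragraph above describes.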
The big steps now are regaining access to my MacBook and Google. I’ve got a Genius Bar appointment today for the former. I’ve put in a request to un-delete the Google account. I could not, however, use my phone number to restore it. My phone is linked to my Google Voice account, which was deleted along with the rest of my Google accounts. I’m not sure if that’s the reason, but I can’t send or receive text messages or phone calls now. I answered a bunch of questions about my Google account to have it restored; now I have to wait 3 to 5 days to see if that request goes through.
Do you know somebody (or are you somebody) at Google who can help me get my account back? I’d love to get in touch. On my long list of things to do today is get in touch with Sprint to see if it can help me get my phone service restored.
Finally, about the comments. I’ve seen people express outrage both below and on Twitter about some of the comments this post has generated. I don’t know. Maybe I’m jaded. But after years of writing for the Web, I guess I’ve come to expect comments to be less than constructive.
Update Two: I’ve gotten phone service restored and regained access to my Google account. Twitter should be back soon too, but that may take until Monday. The last major piece of this is my MacBook. I have a Genius Bar appointment today. I guess I’ll know what the damage is once I’m there.
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my MacBook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
Update Four: I’ll be discussing this on TWiT with Leo Laporte, Ed Bott and others today live at 3 PM Pacific. I now know how it happened, basically start to finish, which I’ll explain in a story on Wired tomorrow (Monday, August 6). Apple tech support is working on recovering my data (thanks guys!) from my MacBook, but I won’t know how successful that was until Monday. According to what they told me last night, the wipe stopped (by powering down) before it got far enough along to start over-writing, so I am hopeful. Via AppleCare, I was able to confirm the hacker’s account of how he got access to my account. I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes). I want to give the company a little more time to look at its internal processes, but it should be as simple as a policy change. So far, I haven’t received any acknowledgement from Apple corporate. I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. So I gather corporate is aware of what happened and looking into how to most effectively respond to make sure this doesn’t happen again.
At least, I hope that’s what’s happening.