Analysis: How did Apple allow hackers to access iCloud account?

Based on my experience with Apple support, that is not an easy thing to do.

The Internet is abuzz this weekend as a result of the Gizmodo Twitter account getting hijacked. That incident was traced back to the hack of an Apple iCloud account--allegedly accomplished through social engineering.

A story from Adrian Kingsley-Hughes explains that a former contributor for Gizmodo, Mat Honan, was the original victim of the attack. Hackers were able to access Honan's iCloud account, and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to crack Honan's iCloud password, but further investigation revealed that social engineering was used to convince Apple the attackers were Honan, and Apple gave them the keys to walk right in.

Color me incredulous!

Why? Well, I have my own story of Apple woe--and it's the exact opposite experience. I somehow lost access to my own email address for use on iTunes, iCloud, and other Apple services, and it took months of fighting with Apple Support to finally get to the bottom of things and get into my own account. I couldn't get Apple Support to give me access to my own account, never mind someone else's.

I had originally set up my Apple ID using my primary email address. I didn't have any problem for months, maybe even years. Then, one day it simply wouldn't work. The Apple system claimed it was already in use on another Apple ID account.

I assumed I'd been hacked somehow. It's my email address. I own the domain. Nobody else could possibly use my email address with a different Apple ID account "on accident".

Initially, Apple Support directed me to just use a different email address. I did that as a temporary solution to enable me to access iTunes and other Apple services, but it was a Gmail address that I created just for that purpose. I don't use Gmail, and I had no intention of starting, so I was still determined to get my own email address back.

In my experience, Apple security was almost too tight. I tried repeatedly to reset the password for my email address, but the reset confirmation emails never arrived. The reason? The confirmation emails are sent to an emergency rescue backup email address. I had no idea what account was using my email address, so I had no way of knowing where those emails were being delivered.

No problem. You can also verify your identity to reset your Apple ID by answering security questions. The first one--the gateway to get to the actual security questions--is your date of birth. I entered my date of birth, and the Apple system told me I was wrong...about my own date of birth.

Every time I'd contact Apple Support I would get the same default answers, and "solutions" that wouldn't work. Apple Support would explain that my email address was already in use on another Apple ID account, and that until it was removed from that account I'd be unable to use it.

Exasperated, I'd explain again that I can't remove the email address from the Apple ID account because I had no idea what the Apple ID account was, or how to access it. Eventually, I'd become frustrated and quit. After a month or two, I'd contact Apple support and try again.

After many conversations and attempts, I finally had a breakthrough...sort of. An Apple Support person "cracked" and gave me an email address of the Apple ID associated with my email address. It was my wife's. However, we logged in to her Apple ID account to remove my email address and found no sign whatsoever of it being there.

Once again, I contacted Apple Support. I explained that I can prove it's my domain, and I can prove it's my email address, and I asked that my case be escalated to someone capable of simply deleting my email address from the other Apple ID forcibly. Then I was told it was actually attached to, or associated with, four different Apple IDs, but Apple couldn't do what I asked. I wasn't pleased.

I got my email address back. After over a year of attempts, and probably seven or eight different sessions with Apple Support, one of them finally "slipped" and gave me a crucial bit of information. It turned out that I was the one who stole my own email address.

The email address was associated with an Apple "" address. Two of them, actually--and they were both mine. I never saw the reset confirmation emails because I've never actually used the "" email addresses and I wasn't set up to receive the messages. The date of birth verification and account security questions wouldn't work, because I never set them up in the first place.

I do recall creating the "" accounts to test some things out, but it wasn't a problem immediately. My guess is that Apple changed some rules on the backend after I had used my email address as an alternate contact on these other accounts, and that locked me out from using it as my primary email address on the Apple ID I actually use.

The bottom line is that I found Apple Support to be tight-lipped to a fault, and I'm surprised the attackers in the Mat Honan / Gizmodo incident were able to social engineer their way into his iCloud account. It took me over a year to "social engineer" my way into my own Apple ID.

Perhaps that says more about my lack of social engineering skills than it does about Apple security measures, but I can vouch for the fact that accessing someone's Apple account is no simple feat.
