Apple suspends phone-based password resets

On Friday, the Gizmodo Twitter account was briefly taken over by a hacker, via the account of a former Gizmodo staff member, Mat Honan. He claimed that the reason for his information getting in the hands of the hacker was " ... via Apple tech support and some clever social engineering that let them bypass security questions."

Now it appears that Apple is taking steps to make sure that sort of "social engineering" doesn't happen again. Wired.com reports, via unnamed Apple employees, that the company has temporarily suspended its support team members from handling any AppleID password requests that they receive over the phone. The sources claim that the suspension will last for at least 24 hours.

It's possible that Apple has put the brakes on password support via the phone to see if it needs to make any changes to its security policies. People who need to have their passwords reset can still do so at iforgot.apple.com.

Honan's information was obtained over the phone by the hacker giving the Apple tech support member a name, an email address, a snail mail address and the last four digits of a credit card number that were linked to an AppleID. It's currently unknown how the hacker obtained this information. In addition to hijacking the Gizmodo Twitter account, the hacker also remotely deleted Honan's Gmail account, along with all of Honan's data from his various Apple products.

Source: Wired.com

11 Comments

When will big companies get their **** together on the security front? It's not even funny.

Outlook.com, for example, limits password length to 16 characters; there's no good reason for that to happen. Way worse than that? Last.fm stored their passwords unsalted. So did the PlayStation Network and LinkedIn. What the hell? Not only that, but those hashes were floating around for a while before Last.fm even noticed.

Things like this phone thing, how passwords are stored in databases and others should be concepts that these companies should be REALLY familiar with since they are storing the data of MILLIONS OF PEOPLE.

Edited by paperless, Aug 8 2012, 2:53pm:

We do know how they got the data. The CC number came from Amazon, and the address details came from the Whois records on his domains.

Do some research; this was reported on other sites.

chAos972 said,
We do know how they got the data. The CC number came from Amazon, and the address details came from the Whois records on his domains.

Do some research; this was reported on other sites.

He linked to Wired. Go tell them to do some research. Or better yet, quit bitching and write an article yourself. You could even report the inaccuracies to the author using a little button. So many options...

farmeunit said,

He linked to Wired. Go tell them to do some research. Or better yet, quit bitching and write an article yourself. You could even report the inaccuracies to the author using a little button. So many options...

It was originally reported on wired.com as the reporter who got hacked works there. Neowin should do this basic research at least.

BajiRav said,

It was originally reported on wired.com as the reporter who got hacked works there. Neowin should do this basic research at least.

You're asking a lot there, not sure Neowin can do more than C&P

chAos972 said,
We do know how they got the data. The CC number came from Amazon, and the address details came from the Whois records on his domains.

And don't forget that the rest of the hacks came from a fail in Google Accounts security (Google Account recovery page shows the email addresses you've configured for account recovery).