Amazon boosts security after tech journalist's account hacked

Amazon on Tuesday confirmed that it has closed a loophole that helped hackers gain control of a tech journalist's digital life.

"We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon spokesman said.

Closing it includes no longer allowing Amazon customers to change account settings, such as the email address or credit card data on file, over the phone.

The change was prompted after Mat Honan, a writer for Wired, had all of his cloud-based data hacked and deleted. As Honan put it in a Monday piece about the incident: "In the space of one hour, my entire digital life was destroyed."

Helping the hackers gain access to Honan's content was the fact that many of his online accounts were linked in some way.

"Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter," he wrote.

The individual who hacked Honan's accounts - who identified himself as Phobia - actually contacted him on Twitter and explained how it was done. Basically, Phobia liked Honan's brief Twitter ID (@mat) and wanted it for himself.

In a string of moves that are startlingly simple, Phobia managed to track down Honan's Gmail address and his Apple email address. All he needed was Honan's billing address and the last four digits of a credit card and he could take over Honan's Apple account with one call to AppleCare.

Phobia secured the billing information from the Whois database since Honan has a personal website. In terms of the credit card information, that's where Amazon came in. Phobia called up Amazon and asked to add a credit card to an account because all he needed was Honan's name, email address, and billing address - which he already had.

Phobia then hung up, called Amazon again and told them he'd lost access to "his" account. Since Phobia could now provide credit card information, Amazon allowed him to add another email address to the account. Phobia then went to Amazon's website, sent a password reset to the newly added email address, and he was in.

Phobia now had access to the credit card data stored on Amazon, which he used to call Apple and gain access to Honan's iPhone, iPad, and Mac via iCloud. The rest is your basic digital nightmare.

According to Honan, "Apple would not comment as to whether stronger authentication is being considered."

(Ed. Note: UPDATE. Late yesterday, it was reported that Apple had instructed its support staff to immediately stop processing AppleID password change requests over the phone, with the freeze expected to last at least 24 hours as the company looks at potential alterations to security policies.)

Honan acknowledged that had he turned on Google's two-factor authentication, none of this probably would've happened. Matt Cutts, head of Google's webspam team, said as much in a Monday blog post prompted by Honan's experience.
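As an added illustration, not code from the article or from any of the companies named, the following Python model treats each recovery step in the chain described above as an inference rule and each fix mentioned in the piece (Amazon's ban on phone changes, Apple's freeze on phone resets, Google's two-factor authentication) as a change to the rule set, then computes by forward chaining which accounts remain reachable from the attacker's starting knowledge. The fact names, the starting set and the rule preconditions are assumptions that simplify the reported steps.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[FrozenSet[str], FrozenSet[str]]  # (facts needed) -> (facts gained)

def rule(needs, grants) -> Rule:
    return (frozenset(needs), frozenset(grants))

# Constructed model of the chain as reported: one rule per support/recovery path.
CHAIN: Dict[str, Rule] = {
    "whois_lookup":           rule({"name", "personal_domain"}, {"billing_address"}),
    "amazon_phone_add_card":  rule({"name", "email", "billing_address"}, {"card_on_amazon"}),
    "amazon_phone_add_email": rule({"name", "billing_address", "card_on_amazon"}, {"amazon_recovery_email"}),
    "amazon_web_reset":       rule({"amazon_recovery_email"}, {"amazon_account"}),
    "amazon_view_card":       rule({"amazon_account"}, {"card_last4"}),
    "applecare_reset":        rule({"apple_email", "billing_address", "card_last4"}, {"apple_id"}),
    "gmail_recovery":         rule({"apple_id"}, {"gmail"}),  # Apple address was Gmail's recovery address
    "twitter_reset":          rule({"gmail"}, {"twitter"}),
}

# Assumed starting knowledge: public or easily found facts only.
START: FrozenSet[str] = frozenset({"name", "personal_domain", "email", "apple_email"})
ACCOUNTS = {"amazon_account", "apple_id", "gmail", "twitter"}

def forward_chain(rules: Dict[str, Rule], known) -> Tuple[Set[str], List[str]]:
    """Fire rules until no new fact appears; return (all facts, rules fired in order)."""
    facts: Set[str] = set(known)
    fired: List[str] = []
    progress = True
    while progress:
        progress = False
        for name, (needs, grants) in rules.items():
            if name not in fired and needs <= facts:
                facts |= grants
                fired.append(name)
                progress = True
    return facts, fired

def compromised(rules: Dict[str, Rule], known=START) -> Set[str]:
    """Accounts the modelled attacker ends up controlling."""
    return forward_chain(rules, known)[0] & ACCOUNTS

# Each mitigation from the article, expressed as a change to the rule set.
def amazon_fix(rules):      # no email or card changes over the phone
    return {n: r for n, r in rules.items() if not n.startswith("amazon_phone_")}

def apple_freeze(rules):    # no Apple ID password changes over the phone
    return {n: r for n, r in rules.items() if n != "applecare_reset"}

def gmail_2fa(rules):       # recovery address alone no longer unlocks Gmail
    out = dict(rules)
    out["gmail_recovery"] = rule({"apple_id", "second_factor"}, {"gmail"})
    return out
```

Running `compromised` on each variant shows that the Amazon change alone cuts the whole chain at its root, while two-factor authentication on Gmail protects only the accounts downstream of it.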

"Much of the story is about Amazon or Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked," Cutts wrote.

More details about Google's two-factor authentication are available on Google's support page.

The cloud-related data security breach illustrates Apple co-founder Steve Wozniak's fears about the "horrible problems" likely to be caused by the storing of information on the Internet, which he voiced earlier in the week.

A Reuters journalist also recently suffered a high-profile hack.