Apple, Amazon make changes after journalist's hack

generic, Computer Hacker,Computer Hacker, Computer Crime, Stealing, Identity, Computer, Burglar, Security, Criminal istockphoto.com

istockphoto.com

Updated 11:31 a.m. ET

(CBS News) Apple and Amazon made changes to its password retrieval process after technology journalist Mat Honan published an in-depth account of how one hacker took over his digital life by exploiting vulnerabilities in Apple and Amazon's account policies.

Apple responds to journalist's iCloud hack
CNET: Journalist blames Apple for allowing iCloud hack

Honan described how a hacker named Phobia accessed his Apple, Amazon, Google and Twitter accounts because they were daisy-chained.

"Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this," Honan wrote in Wired.

Full coverage of Apple
Full coverage of Amazon

Honan reported that Phobia gained access to his Apple account by providing a credit card number and billing address, using the Who IS domain registry and exploiting a series of security loopholes at Amazon.

According to Wired, Apple no longer allows its support staff to process AppleID password changes over the phone. Amazon, similarly, no longer allows people to change their account settings over the phone.

In a statement given to Wired, Apple said the company "takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password."

"In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer," Apple continued. "In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

An Amazon spokesperson told CBS News via email: "We have investigated the reported exploit, and can confirm that the exploit has been closed as of Monday afternoon."

Comments