Mat Honan Explains How He Got Hacked (MuckReads Podcast)
Earlier this week, Mat Honan, a senior writer for Wired, watched as his digital identity was taken from him and then systematically deleted by hackers who had cracked into his iCloud account. Nothing was spared. Even his hard drive — full of irreplaceable family photos — was completely erased, all in an effort to gain control of his Twitter profile, @mat.
Surprisingly, his hackers didn't use brute force or guess the password, but rather took advantage of lapses in Apple's and Amazon's security systems to gain access — bringing into question if password-based security mechanisms are strong enough for the era of cloud computing.
ProPublica senior editor Eric Umansky invited Honan on the podcast this week to share his terrifying hacking ordeal. Among the topics they cover: How Honan started chatting with his hacker, and after deciding to write about it all, ended up promising not to prosecute.
You can read Honan's firsthand account of being hacked and having his digital life compromised on Wired, How Apple and Amazon Security Flaws Led to My Epic Hacking. You can also download all of ProPublica's podcasts on iTunes.
Eric Umansky: Welcome to the MuckReads podcast. I'm Eric Umansky, a senior editor at ProPublica. For this week's episode, we're talking to Mat Honan, a senior writer for Wired who recently laid out his remarkable, and frankly horrifying, account of being hacked. Everything from his iPhone to his laptop to his Gmail, Twitter, family photos were all wiped clean after hackers broke into his account. They didn't do it by brute force or guessing his password. Instead, they used security loopholes from Amazon and Apple's customer service departments, and I urge everybody to go to Wired.com and read his very, very scary story.
I talked with Mat on Wednesday, August 8, and here's more on the story.
The first thing I think we should say is that Mat and I have been friends for, what, about a dozen years? Journo friends?
Mat Honan: I believe so, yeah. You were my first editor.
Eric: Yeah, I hired Mat in 1990 something, and we've been in contact off and on since then. And I would actually say that the first time I first noticed that you got hacked when I noticed, basically, vile, racist diatribes coming from your Twitter account.
Mat: That was actually the way that most people, most of my friends, found out that I was hacked, was that the first thing these guys did...I mean, the whole goal of their hack was to get to my Twitter feed, which is really weird. They weren't trying to commit a financial crime, they weren't trying to take over my identity – well, they were in a way – but their ultimate goal was to get to Twitter and just, you know, cause mayhem and make people angry. Yeah, they posted all this racist, homophobic stuff. They posted links to other hacks they'd done. They just basically spewed on Twitter for a couple hours.
Eric: We should lay out here, you've been on Twitter since essentially Twitter was started more or less, right?
Mat: Certainly, yeah. I think it was probably in the first six months, eight months or so of when it was started. When I signed on, it was really easy to get a username, so I just used my first name as my username, which is M A T. One of the things that this group, the hacker who later got in touch with me claimed to belong to I assume he does because they posted some videos of it on their website one of the things they do, or the main thing they seem to do, is grab Twitter handles. They've got post after post after post in their blog showing all these Twitter handles they've grabbed.
The guy who hacked me said that they really sort of like these shorter Twitter handles. It's like a mark of respect to have one, even if you don't have it very long.
Eric: But also you have how many followers, again? I mean, you have a big voice on Twitter.
Mat: I believe at the time it was right around 14,000. I think it's a little over 15 now. I've added a lot in the past week since all this went public.
Eric: Right. And so when you mention… and Mat wrote a really remarkable story in Wired talking about how security lapses by or really loopholes in the security verification process by Apple and Amazon allowed these guys to take over all your various accounts. When you wrote that and then you wrote subsequently that you had been in contact with these guys and they said, "Oh, we were just after your really succinct Twitter handle," it kind of struck me, because I thought, well, isn't it also possible doesn't it seem likely that they know that you're a pretty prominent journalist, you have 15,000 followers on Twitter. You take over his account, and you get a lot of attention. Right?
Mat: Yeah. That's occurred to me. I certainly think the follow account played into them wanting to grab the Twitter, but I think the main thing is that it was available. They just were able to figure out really quickly that this was open to be exploited. The whole thing took place – when they laid out a timeline for me – I know some things like, by going through Apple tech support and forcing them to tell me when the first call came in that day, I know that the first call came in at 4:33p.m., Pacific, and they were deleting my account just a few minutes later.
The way they explained it to me is that they saw my Twitter linked to my domain. They went to my domain, saw my Gmail address on my domain, checked the Gmail address and – because I didn't have two factor turned on – saw right away that the backup was at .me, and assumed that...
Eric: Two factor, by the way, just being this extra step verification process for Gmail that everybody's talking about now. It's like, this is what you have to do to protect yourself from not becoming Mat Honan again.
Mat: Yeah, which is not totally true, by the way. It would have protected my Google account. It would have done nothing for me with Apple. They saw this chain, really quickly. From Twitter, to Gmail, to .me, they were able to establish that right away. As soon as they saw the .me, they knew that they could basically get this Twitter handle.
I gather they were just sort of probing around, bored, looking for stuff, when they found this. The guy who hacked me claims that he didn't know who I was, beforehand. He also claims – I’m not sure if you're aware of this – they also posted a bunch of stuff to Gizmodo's Twitter account.
Mat: Gizmodo's Twitter account, they didn't...
Eric: Because your accounts were somehow connected?
Mat: Yes. You can give access to a second account, or maybe even more than two accounts, on Twitter. When I was logged into the Gizmodo account at one point, when I worked there...
Eric: A very prominent tech blog that has, what, hundreds of thousands of followers?
Mat: Yes. Certainly in the hundreds of thousands. I'm not sure exactly how many. I'd guess around half a million, would be a guess. I had also logged into my personal Twitter account, so that if I was just logged in on the web, I wouldn't have to log out every time, and log back in again, if I needed to post something to Gizmodo's Twitter.
Well, I never actually cut that off. I couldn't have cut that off because it was done on the Gizmodo account, which I didn't have access to anymore. And Gizmodo didn't cut it off because they weren't aware that I had done this.
But the hackers, when they logged in, they saw right away that there was a second account linked on there. So, they jumped on Gizmodo's account and began, not only did they have my 14,000 followers, now they had Gizmodo's 400, 500, 600 however many thousand followers Gizmodo had as well they could spew racist stuff to.
And back to your original question, I don't know how...you never know how honest they're being. They claim they didn't know I was a journalist, but that certainly did amplify their voice and it certainly did, at least, bring the person who's going to touch with me a large degree of notoriety he didn't previously have.
Eric: Right. So that brings me to one of the real things I've been wondering about it, and to be honest here, I don't know what the right answer is, but I think it's interesting to consider is, you decided, and it seems like pretty quickly, to write about this. You know? I'm just curious about your thought process on that. You had options. You could have decided not to give the attention and just gone to the cops. You could have laid it all out.
Mat: Yeah. My first decision wasn't to write about it. My first decision was to try as best I could to understand what had happened and how they had done it, because I wanted to make sure that it was fixed. I wanted to know what the scope of it was. For whatever reason, one of these guys was willing to talk to me. I think it started off sort of…not I think…I mean, it started off in a taunting way, you know?
Eric: He essentially contacted you. You didn't reach out to him.
Mat: Oh, yeah. Yeah, yeah. They were sending me on my secondary Twitter account, when I set up a second Twitter account using my neighbor's computer so I could basically say, "Yes, I've been hacked. It's not me who's doing all this stuff. I wouldn't be saying that." At some point, one of the two of them, they claim there were two. There could have been one, there could have been 10, I have no idea to be perfectly honest. One of the two of them, though, sent me an "@" message. And I followed him, he followed me, and we started...
Eric: This is all on Twitter?
Mat: This is all on Twitter. We started off communicating via direct message, and he was surprisingly open to talking to me.
Eric: How did you know, by the way, he wasn't just an imposter or something?
Mat: Just because of the things that he knew about my account and eventually would come to offer up some account passwords. He offered some detail, I'm not really comfortable getting into complete detail, but he offered some details that indicated to me that either he was the person who did it or that he was involved in it. There wouldn't have been other ways to know some of the things he knew, and some of those things I've been able to verify, even internally, with Apple. At first I just wanted to understand how, though, and I started talking to him and at one point he said, "Am I going to get in trouble for talking to you?" He said he's 19, but I get the impression he may even be younger than that. That was when I decided, yeah, I'm going to turn this into a story. I told him if he talked to me and helped me understand how he did it...
Eric: Which is to say, and that was actually going to be my next question, just to lay this out, you essentially said, "I am not going to press charges," right? In other words, you gave him...
Mat: Yeah, I didn't essentially say that. It's exactly what I said. Yeah, and in fact I got a call today, or I got an email, and spoke to him from someone in the state of California's Attorney General's Office today, and I declined to press charges today.
Eric: You essentially gave the person who hacked you reporter confidentiality, right? Anonymity.
Mat: Yeah, that's exactly what I tried to do. I thought that it would be, especially as I started to learn about it, at first he was just telling me stuff like – he wasn't getting into detail. He was just saying, "We didn't use a password cracker." We didn't do this. We didn't do that. We didn't do phone calls. I wanted to really understand, yeah, but exactly how? Especially as I began to really understand it, at one point it got too complicated for Twitter and I convinced him to move to email, and we now – we were talking on AIM last night.
Eric: You now have key information about this guy, right? I mean, some stuff.
Mat: Yeah, yeah. I have information with this guy. I don't have his name or his address or anything like that. I don't think I have enough that I could do something myself if I wanted to, but I've established some things about him, I believe.
Eric: Was it essentially curiosity that was driving you? You figured, hey, like any reporter, I want to know what the story is, so this is part of the deal that I'm going to have to make?
Mat: Again, like I said initially, it was a self preservation type of thing. It was curiosity, and I wanted to be able to make sure that whatever had happened couldn't happen again. It was Saturday in the evening when he finally sort of laid out the particular of the Apple account, or the Apple exploit. When he did that, and I called Apple Tech Support and was able to verify that that was possible...
Eric: And this is where he gave them the last four digits of your credit card which he had gotten through Amazon through another security hole in Amazon.
Mat: I didn't realize the Amazon piece yet initially, but it took until basically Sunday, maybe even evening, before I was able to completely understand how all that happened. Yeah, as soon as I understood the Apple part I realized this was an issue that was not just my problem, that this was a big, big problem. Just so people can understand exactly what happened, what you could do was call Apple and you could give them your Apple ID which is the email address you use, like if you buy a song from iTunes or something, your billing address, which for most people is your home address, and your last four digits of a credit card, and they would send a password reset. And once you get that password reset, you're in somebody's Apple account, which if they're using iCloud, in my case it gave them the ability to remotely wipe my computer and my iCloud...
Eric: Right, because this is from the "Find Your iPad" and "Find Your Mac.” This is, right, the app that you can use to wipe your computer if it's stolen, and the hackers turned it against you, basically.
Mat: Right, right. What I also discovered is that once that happens, like if somebody does that, and I've subsequently now heard from someone whose ex husband used this against them, if someone decides to remotely wipe your machine, you can't stop it because there's not a…when you go to remotely wipe the machine, it just asks for your iTunes password, your Apple ID password. Then it asks you to set up a four digit pin to stop it. If I set up that four digit pin and I'm going to try and remotely wipe my machine, I enter that in and an hour or two later some guy knocks on my door and is like, hey, I found your computer on the bus. Here you go. I can open it up and enter that four digit pin right away and the wipe doesn't start.
If someone else does that, you're toast because you're not going to know it, you're not going to get it...
Eric: You're not going to know the pin to stop it.
Mat: Yeah, exactly. One of the big takeaways from me is that should have been on the front end when you set up on my Mac, not on the back end when you decide to use it.
Eric: There have been, just in reading some of the follow up to your piece and some of the reverberations, it looks like both Amazon and Apple have closed these loopholes. Is your understanding, by the way, that the loopholes that you're aware of they've actually closed down?
Mat: Amazon has never commented to us officially about this case. And we actually had several reporters working on this on Monday and testing out everything and making sure that we could not just verify it by multiple totals, but verify it by duplicating it. It's our understanding...I mean, Amazon has issued a statement, not to us, but they've closed the loophole, and we haven't been able to duplicate it anymore.
Eric: Right. I saw, by the way, you guys had an article that says, "Amazon Quietly Closes Loophole.” Right?
Mat: We've been able to repeatedly do this. Apple yesterday, suddenly we couldn't do it anymore and they said they weren't giving password resets over the phone. One of my sources at Apple told me they were putting a temporary hold on it...
Eric: A temporary hold on stopping this, essentially...
Mat: On issuing passwords over the phone, reissuing a password.
Eric: Right, which is the loophole, yeah.
Mat: Yeah. One of our reporters also had someone in AppleCare tell them that when they were trying to get a password reset, so we went ahead and ran that story yesterday and Apple confirmed today that they have put that temporary password replacement thing on hold until – they haven't said this part – but seemingly until they get better security mechanisms in place.
Eric: Right, right. It's one of the interesting things from, again, in terms of the fallout from your story and what's happened to you, I can't count the number of articles that I've now seen that essentially are, "How To Protect Yourself From Becoming the Next Mat Honan.”
Mat: It's very weird, yeah. I know. Every website I go to, I see some story. Wired had one that says, like, "How Not to Be the Next Mat Honan.” That's a weird headline to read about yourself.
Eric: [laughs] Yeah, I would imagine it's a weird headline to read about yourself. But it's one of these funny things that, look, you had this horrific thing happen to you and with these guys who, they wiped family photos, they really obviously made your life really difficult and cost a lot of pain. And yet the upshot of all of this is that it has to be, I imagine, that in the past 48 hours more Americans have created better passwords and better security for their own systems than in the past X number of months or whatever it is. That this has entered the national consciousness, in a way.
Mat: I think having a technology reporter, a Wired reporter, have this happen to me or someone you think would probably be a candidate who would follow good security practices, I think it makes people reevaluate what their own are. Let's say that this had happened to, I don't know, somebody who's a big executive at Google or somewhere and it was public when it happened, I hope that by going in and looking at how it happened and telling the story of how it happened, that that's also sort of helped these changes come about.
I hope there's going to be more changes, too. I really do. I don't think passwords are a good system.
Eric: Right, right. And it also makes me go back to one of the original things we were talking about is, the hackers' motivation. Is that just a silver lining to this, or is the potential out there that they think they were, in some weird roundabout way, doing good by exposing these problems?
Mat: What he's told me, it's weird. I've come to think of him as my hacker. I talk to him to my wife, and sometimes I'll be like, well my hacker says...it's weird phrasing. Yeah, what my hacker told me is that he wants to expose security vulnerabilities. I don't know how genuine that is, but I will at least take him at his word.
Eric: And you feel like the options that you had, keeping quiet, going to authorities, writing about it, it seems to me, I'll just be honest here because we were talking about it in the office, you look at the reverberations of this and you've had a tough few days. But it seems like a lot of people are a fair amount more secure than they were last week.
Mat: Right. What I hope, though, is that it doesn't just stop next month. I hope that when everybody has to reenter their six digit thing into Google next month because they set up two step authentication, when they have to look at their phone and get the number in 30 days from now and reenter it, I hope that people actually do that. The problem with some of these security measures right now is that they're kind of a pain. Last year, I interviewed someone in the U.S. government's information security Department, basically, who was talking about how security measures have to both be very secure and very easy to use if they're going to be at all effective. If they're not very easy to use, people just abandon them. There have been all these articles written about what you can do to prevent being the next Mat Honan. But really, what I think the articles should be saying is what Microsoft can do to prevent being the next Apple, what whoever can do to prevent being the next Amazon. The onus ought to be on the corporations that we trust our data to, and that we give our money to, to keep that secure and to keep it secure in a way that's relatively convenient for us.
Eric: Yeah. As a guy who doesn't change his passwords often enough, I think that's very true and very wise. Listen, Mat, thank you very, very much. I hope you get back all your photos and everything else that was wiped.
Mat: Thanks so much for having me.
Eric: Thanks again to Mat Honan for chatting with us. If you want to know more about what happened to Mat and the continuing fallout from it, you should visit Wired.com and their website, Gadget Room, where Mat has been writing about every aspect of this case.
Transcription by CastingWords