After Epic Hack, Apple Suspends Over-the-Phone AppleID Password Resets

Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired Reporter Mat Honan over the weekend, according to Apple employees.
Image may contain Electronics Computer Pc Tablet Computer Computer Keyboard Keyboard Computer Hardware and Hardware
Apple is considering changes to its AppleID password reset policies. But what those changes would be, if there are any, aren't yet clear.Photo: Ariel Zambelich/Wired

Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired reporter Mat Honan over the weekend, according to Apple employees.

An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.

The change follows similar security tightening at Amazon, which on Tuesday closed a hole in its customer service systems that gave people the ability to gain control of a customer's Amazon account as long as the hacker knew the name, e-mail address and mailing address of the victim.

Our Apple source's information was corroborated by an Apple customer service representative, who told us Apple was halting all AppleID password resets by phone. The AppleCare representative shared that detail while Wired was attempting to replicate Honan's hackers' exploitation of Apple's system for the second day. The attempt failed, and the representative said that the company was going through system-wide "maintenance updates" that prevented anyone from resetting any passwords over the phone. The rep said we should try calling back after about 24 hours, and directed us to iforgot.apple.com to change AppleID passwords ourselves on the web instead.

"Right now, our system does not allow us to reset passwords," the Apple rep told Wired. "I don't know why."

In an earlier attempt on Tuesday to change an AppleID password (which is the same password used to log into iCloud and iTunes), Apple customer service offered up a different response, saying that passwords could only be changed over the phone if we were able to supply a serial number for a device linked to the AppleID in question -- for example, an iPhone, iPad or MacBook computer. The rep also suggested changing our AppleID password online at appleid.apple.com or iforgot.apple.com.

While it's clear that Apple is reacting to the privacy vulnerability that surfaced with the hacking of Honan's digital identity, it's unclear what final policy change will emerge. Apple officials declined to comment on whether permanent changes to the company's security measures were planned.

On Monday, we were able to call Apple, reset AppleID passwords over the phone, and gain access to iCloud accounts by supplying AppleCare representatives with a name, e-mail address, mailing address and the last four digits of a credit card number linked to an AppleID. This is the exact same information hackers supplied Apple with on Friday to get a temporary password that gave them access to Honan's iCloud account.

From there, the hackers wiped Honan's iPhone, iPad and MacBook. They also used their access to get into Honan's .Me email account, which gave them access to his Google account (they wiped that too), his personal Twitter account and Gizmodo's Twitter account. Honan previously worked as a reporter at Gizmodo and, under the hackers' control, both Twitter accounts became a platform to spout racist and homophobic invective.

Names with matching e-mail addresses and mailing addresses are easy enough to find on the web. Credit card numbers tied to a name can be found on many purchase receipts, and everyday millions of Americans give these valuable numbers out over the phone ordering pizzas, among other things.

Yesterday, Apple issued a statement noting that "we found that our own internal policies were not followed completely." However, Wired's internal source at Apple said that if the support representative who took the hacker's call issued a temporary password based on an Apple ID, billing address, and the last four digits of a credit card, he or she would have "absolutely" been in compliance with Apple policy.

Wired reporter Alexandra Chang contributed to this report.