Find My Mac and Remote Wipe
Mat Honan (via Hacker News):
In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.
It seems way too dangerous to allow anyone with access to your iCloud account to remote wipe your Mac. (Plus, is remote wiping really necessary if you have FileVault enabled?) It looks like the only way to disable remote wipe is to disable the entire Find My Mac feature in the iCloud pane of System Preferences.
Secondly, the new “Allow my Apple ID to reset this user’s password” option is potentially dangerous. Or, if you’re using FileVault 2, there’s the similar option to store your recovery key with Apple.
Backing up to the cloud is great, but those backups are only as safe as your password, so they shouldn’t be your only backups.
Update (2012-08-04): Daniel Jalkut:
One way to protect yourself is by declining to delegate authentication to third parties. When enrolling in a new service that offers Twitter or Facebook authentication, I usually go through the nuisance of creating a new account instead. That way I can choose a unique passphrase, and store that in my keychain. I prefer this to allowing numerous items to be implicitly added to my Twitter or Facebook “keychain.” Don’t put all your eggs in one basket, as they say. (Well, that’s what I’m doing with my keychain, but I am empowered to personally protect it and to back it up as I see fit.)
Update (2012-08-05): Mat Honan:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
Update (2012-08-05): Jonathan Grynspan reports that there’s a bug that can allow anyone with access to your Apple ID (which obviously includes Apple itself) to access your FileVault-encrypted drive, even if you’ve not shared your FileVault recovery key with Apple.
Update (2012-08-06): Mat Honan:
At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me email — which, of course was my .me email.
In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an Internet connection and a phone can discover.
Update (2012-08-17): Mat Honan:
My data came back to me on an external hard drive, organized by file types. The thing I cared most about, above all else, was my photo library. And there, in a folder full of JPGs, was photo after photo after photo that I had feared were gone forever. Subfolders were organized by the year, month and day files were created. I went immediately to the folder that bore the date my daughter was born. They were there. Everything was there. We were floored. I nearly cried.
Update (2017-09-20): Juli Clover:
Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.