
Amazon addresses security exploit after journalist hack

After a tech reporter detailed his nightmarish saga of being hacked because of Amazon and Apple security flaws, the e-commerce giant says it has changed its system to make things more secure.

Dara Kerr Former senior reporter

When tech reporters get hacked, it seems like tech companies pay attention.

Wired reporter Mat Honan's entire online life was compromised by a hacker named Phobia four days ago. Phobia used Honan's AppleCare and Amazon IDs, along with his billing address and the last four digits of his credit card, to get into his various online accounts. Apple responded yesterday, saying that it was looking into how users can reset their account passwords to ensure data protection, and Amazon responded today.

"We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon representative told CNET today.

What this means is that Amazon customers can no longer make changes to their account settings by telephone, according to PC Magazine. A small but significant change -- because it was by calling Amazon that Phobia eventually succeeded in deleting Honan's Google and Twitter accounts and wiping his MacBook, iPad, and iPhone clean.

"In many ways, this was all my fault," Honan wrote in an article for Wired yesterday that detailed his saga. "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter."

Phobia gained entry into Honan's Amazon account by calling the e-commerce giant, pretending to be Honan, and adding a credit card to his account -- all he needed to do this was Honan's name, e-mail address, and billing address. Then Phobia called Amazon again, said he couldn't access the account, and used the credit card information to add another e-mail address and reset Honan's password.

It all snowballed from there as Phobia was then able to get into Honan's Apple account, call AppleCare, and get access to Honan's iCloud account, and then delete everything.

"But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's," Honan wrote. "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."

Although Honan had to go through digital hell for security changes to be made at Apple and Amazon, he has hopefully made the Internet just a little bit safer for others.