SAN FRANCISCO - Apple is beefing up security for resetting user passwords after a journalist wrote about a hack affecting his personal data, highlighting possible weaknesses in the system protecting more than 400 million user accounts.
The company is temporarily suspending the ability to reset AppleID passwords over the phone while it takes steps to make the procedure more secure, said Natalie Kerris, a spokeswoman for Cupertino, Calif.-based Apple.
Mat Honan, a reporter for Wired, wrote Monday that hackers gained access to his account, erasing pictures and other data from his iPhone, iPad and MacBook, after resetting his password over the phone.
The incident highlighted potential vulnerabilities in AppleID, the verification needed for purchasing music, movies and applications from iTunes, as well as downloading software updates and accessing content on Apple's iCloud Web-storage service, he said.
"This system can reset a password in one of two ways: Either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up," Kerris said. "When we resume over-the-phone password resets, customers will be required to provide even stronger identity verification to reset their password."
Honan wrote that the hackers used the last four digits of his credit-card number and his home address to get a member of Apple's tech-support staff to reset his password. He said the hackers got his credit-card information by first gaining access to his account at online retailer Amazon.com.
"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification," Honan wrote.