
My MobileMe Account Was Hacked Tonight And I Saw Them Do It!

August 24, 2009

I guess I am what you would call an IT expert. I am fluent in both Mac and PC platforms and have some large clients for whom I have, on occasion, demonstrated their own security flaws. Well, tonight it was my turn in the frying pan.

It all started with a benign email message from PayPal. I get spoofed PayPal messages once or twice a day, so I didn’t think anything of it. It was a message that said I had requested a password change. To change my password, it wanted me to click the link in the email. Being an IT expert, I avoided clicking on the link and simply deleted it, figuring it was a spoofed email. Then I went back to my work.

A few minutes later something caught my eye, and only because I was sitting at my computer and saw a Growl alert that mentioned that my me.com password had been successfully changed. As I looked up at Apple Mail, the message disappeared. Then another PayPal message came in. What the heck was going on? I could see messages come and go off my screen, but I wasn’t doing anything in Mail. While I had no idea what was happening, I knew I was in trouble.

I kicked into high gear, screaming for my wife to call the bank and issue a hold on all our accounts. She grabbed a phone and made the call. I grabbed my iPhone and the office phone. While my wife called our bank and fraud alert company, I called PayPal and ATTEMPTED to find an emergency number for me.com on the internet. I couldn’t find one, so I was forced to use the general Apple Customer Service number. With one phone I dialed PayPal. With the other I dialed Apple Customer Support. While I was navigating a complex phone tree at PayPal, I kept trying to change the password on the PayPal web site, but it kept getting kicked back to a login screen. I later figured that the bad guys were in there while I was in there.

Finally PayPal answered. It was too late. On my next re-login, I saw it on the general account screen. The first charge had cleared: a purchase from a website called RapidShare.com. It was a premium membership to their site costing me 54.99 EUR. I immediately informed the PayPal rep, who placed a hold on the account and forwarded my phone call to a security expert. While I was on hold for the security expert, we finally got to someone at Apple Customer Service. While he was very nice, he was of little help. He was IM’ing someone in the me.com support area about my problem and waiting to hear something back. The security expert finally answered, so I passed the Apple phone off to my wife, who waited for a response. The PayPal security expert was great. She listened to my problem carefully and politely and assured me that my two accounts (business and personal) had been secured. She also said a full investigation would ensue and urged me to leave the accounts suspended until I was sure all was fixed. I completely agreed.

By this time, I figured that the bad guys knew I was onto them, so the race was on. I logged into the me.com account and was going to change the password. I was typing the new password in when I made the mistake of telling the Apple rep what I was going to do. He urged me not to change it, as they would not be able to see what was going on and who was doing it. So I held back. In about a minute, I lost complete access to me.com and my email. The bad guys changed the password first. Then, incredibly, the Apple rep informed me that he had lost the chat with the person from me.com. So that’s how they do it? iChat with each other? No backup phone numbers? You have to be kidding! He directed me to an Apple Support page where I could initiate the chat myself. So I did.

Of course it took me several minutes to establish the chat and another minute or two to explain what was going on. Who knows what these guys were doing that whole time. Eventually, I convinced the me.com rep to change the password for me. Of course, that was after I was directed to several support pages explaining how to change the password myself. I demanded an explanation of how my account was hacked into. I have always used very secure passwords: eight or more characters, mixed case, letters and numbers. She stated she couldn’t help me. I guess I made a big enough stink that she passed the chat to a “Supervisor”. I demanded to know whether the bad guys were still in there, where they were accessing the account from and what they did while they were in there. This “Supervisor” told me that he didn’t have that info. So I asked, “Who does?” He told me nobody would have that info. WHAT?????? I run my own mail server for my business and I can do that! Now I’m pissed! I wish I had copied the chat log so you could see the ineptness, but I closed the chat window in disgust!

I remembered reading a story on one of the blogs about someone else who had their me.com account broken into, so I decided to Google it. The person who told the story swore she had never been to any questionable sites or used a weak password. I must confess that I questioned her statements too. I didn’t find the article I was looking for, but the very first article I did find tells how to do it, in first person, right from the bad guys’ mouths.

http://www.electronicpulp.net/2009/04/24/salma-hayeks-apple-mobileme-account-hacked-couldnt-have-been-easier/

The second link mentions the place where the purchase was made.

http://rapid4me.com/?q=hack+premium+account

So to the other person who got hacked, my apologies for questioning your security efforts. Clearly Apple by now knows how flawed their system is, yet they choose to ignore the problem. Salma Hayek’s problems began in April of 2009. It is now almost September 2009 and nothing has changed. I will admit that my security question was weak, but it was as old as my mac.com account. I used a security question I had abandoned a long time ago after I realized how easy it was to find the answer to it. What I didn’t know was that they would use the question in a web interface, showing it to the world. I thought it would be the question used by a Customer Support rep to verify who I was.

So, a word of warning. If you have a me.com account, you could already be hacked and not know it. The hackers delete the messages that they initiate as they come in, so you never see them… permanently. I just got lucky and caught them red-handed. They don’t change your password, because otherwise you would know something is up.

So until Apple gets their SHIT TOGETHER, I will be abandoning my me.com email address. I run my own mail servers, which I know to be more secure, so maybe I will use something on there. Or there is always Gmail. I used the me.com account because I wanted to keep personal stuff separated from business stuff. I’d love to go back, but for now I really worry for the millions of unsuspecting me.com mail users. I hope their new server farm has better security than their mail system.

Angry and stewing in Monroe, CT…

Phil

Filed in: Apple


Comments (7)


  1. Mike says:

    It’s standard operating procedure for websites to display your security question to you if you click the “forgot my password” link. If you were not aware of this, and chose an easy-to-guess security challenge, that is neither Apple’s fault nor a fundamental weakness in the system.

    Gmail’s password reset works the same way, so switching to Gmail will not help you.

    It’s a little hard to believe that a self-described “IT expert” would consider this a security problem on the service side — rather than an error on the user side.
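Added example, not code from the post, its commenters, Apple or PayPal: a toy account service that puts the security-question reset Mike describes next to a token-based reset delivered to a verified recovery contact, with a single-use expiring token, a rate limit on answer guesses, constant-time comparisons and the same reply for unknown usernames. The usernames, question, answers, attempt limit, token lifetime and the simulated outbox are all constructed for the example.

```python
"""Toy password-reset service (added example; assumptions marked below)."""
import hashlib
import hmac
import secrets
import time

MAX_ANSWER_ATTEMPTS = 5       # assumption: lock the reset after this many bad answers
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes


def _kdf(secret: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer a memory-hard KDF in production.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _norm(answer: str) -> str:
    # "Smith", " smith " and "SMITH" should all compare equal.
    return answer.strip().casefold()


class Account:
    def __init__(self, username, password, question, answer, recovery_contact):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = _kdf(password, self.salt)
        self.question = question
        self.answer_hash = _kdf(_norm(answer), self.salt)   # answers are secrets too
        self.recovery_contact = recovery_contact              # e.g. a second e-mail address
        self.failed_answers = 0
        self.reset_token = None                               # (sha256(token), expiry)

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, _kdf(password, self.salt))

    def check_answer(self, answer):
        return hmac.compare_digest(self.answer_hash, _kdf(_norm(answer), self.salt))


class WeakResetService:
    """Anyone who knows the username sees the question and can guess without limit."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def get_question(self, username):
        return self.accounts[username].question

    def reset(self, username, answer, new_password):
        acct = self.accounts[username]
        if acct.check_answer(answer):
            acct.password_hash = _kdf(new_password, acct.salt)
            return True
        return False      # no lockout and no notification; the attacker just tries again


class HardenedResetService:
    """Single-use expiring token sent out of band; the answer is only a second,
    rate-limited check; unknown usernames get the same reply as real ones."""

    def __init__(self, accounts, outbox):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = outbox    # list of (contact, message) standing in for e-mail delivery

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            acct.reset_token = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
            self.outbox.append((acct.recovery_contact, "reset token: " + token))
        return "If that account exists, a reset link has been sent."

    def complete_reset(self, username, token, answer, new_password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token is None or acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
            return False
        token_hash, expiry = acct.reset_token
        token_ok = hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest())
        if not (token_ok and acct.check_answer(answer) and now <= expiry):
            acct.failed_answers += 1
            return False
        acct.reset_token = None          # single use
        acct.failed_answers = 0
        acct.password_hash = _kdf(new_password, acct.salt)
        self.outbox.append((acct.recovery_contact, "your password was just changed"))
        return True


def demo():
    """Returns (weak_takeover, hardened_takeover, owner_reset_ok)."""
    def victim():   # constructed account; the answer is a fact easily found online
        return Account("phil", "Tr0ub4dor&3", "Mother's maiden name?", "Smith",
                       "phil-backup@example.com")
    guesses = ["Jones", "Miller", "Smith"]     # constructed guess list

    weak = WeakResetService([victim()])
    weak.get_question("phil")                  # attacker learns which fact to look up
    weak_takeover = any(weak.reset("phil", g, "attacker-pw") for g in guesses)

    outbox = []
    hard = HardenedResetService([victim()], outbox)
    hard.request_reset("phil")                 # attacker can trigger the flow...
    hard_takeover = any(hard.complete_reset("phil", "no-token", g, "attacker-pw")
                        for g in guesses)      # ...but never sees the token
    token = outbox[0][1].split("reset token: ", 1)[1]   # the owner reads it from the recovery contact
    owner_reset = hard.complete_reset("phil", token, " smith ", "new long passphrase")
    return weak_takeover, hard_takeover, owner_reset
```

Running `demo()` gives `(True, False, True)`: the weak flow falls to a three-entry guess list, the hardened flow does not even with the right answer, and the legitimate owner still gets back in. The notification appended on success is the part that let the author catch the attack in progress; a real service would also send it on the weak path.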

  2. Philip Hayes says:

    Hi Mike… Thanks for your thoughts. I guess I didn’t make my point in the blog post. If it can happen to me, it’s going to happen to others with less experience. There was no need to insult my expertise. I have not logged into MobileMe web interface in years. I use a desktop client for mail and only use desktop to connect to my files remotely. The security question was set up years ago and I have never had the need to reset the password. Yes, it was my fault for the weak security question and I take responsibility for that, but they should give hints on what not to use. I was unaware that the password reset process worked like that. Granted I should have been. I have memberships at websites that still send the password via email should I forget it. I haven’t done anything with them yet either. Apple knows that people are hacking into their email accounts easily. There are plenty of stories on the net about it. They need to put out an alert and encourage people to tighten their security questions, providing some examples of things that would be considered strong. If I had known I was using that question for a password reset, I would most certainly have changed it. I really don’t remember doing it and find it hard to believe that I did. But the facts are the facts I guess.

    I think you are right though. Probably no need to abandon me.com mail. I was just so angry last night with their support system for the service. Now that I have calmed down, and know I can come up with a tighter security question, I will probably stick with them. I still stand by my claim that they should alert people to this and provide better support.

    And as far as Gmail goes, I was under the impression that they send an email to an alternate email address with a link to reset it. I have never seen a password reset such as Apple’s at Gmail. Must have missed that.

  3. Gustav says:

    You can suggest Apple require a second email address, but many MobileMe users (especially family members on family packs) do not have another one. The only thing people should take away from your article is to have good security questions. Personally, my security questions are answered with nonsensical answers. For example, I would answer “What is your mother’s maiden name?” with “basketball net”.

    You also didn’t say how they got your PayPal account password reset. Did you use the same security question for PayPal? I’d be far more worried that my PayPal was broken into than MobileMe. Are you abandoning PayPal until they get their sh*t together too? ;-)

  4. Philip Hayes says:

    Hi Gustav-

    Once they had control of my email, they clicked the link at PayPal to have the password reset. That sent the email that I saw saying that someone had requested the password be changed. I ignored this at first, unaware that they were in my email. They quickly deleted the password reset request for PayPal which tipped me off that they were in there. If I had not seen that message suddenly disappear, I would never have known. The scary part is that PayPal is connected to my bank account. If I buy something that costs more than what I have in PayPal, they will automatically transfer funds from my bank. While I may not completely abandon PayPal, I will be disabling that feature.

    Your Security Question idea is a great one and is exactly what I started doing after this happened. I think the security question idea is somewhat flawed. I don’t have a solution, but there has to be a better way to get help accessing your email beyond that.

  5. roberto says:

    great article phil and a joy to read

    thanks for taking the time and effort to recite your experience moment by moment

    hope apple does something SOOOON

    ps: i’m sure i read something online about steve’s email a/c getting hacked a few months ago!

  6. roberto says:

    UPDATE: hey phil (and others!) i just logged onto me.com to check out the web interface, as i too very very very seldom go there, and was greeted with a ‘Please verify your birth date to continue’ prompt after i’d selected ‘option 2’ of answering a security question to reset my password

    is this step new? (it wasn’t mentioned in your article)

    ciao for now

    r

  7. Philip Hayes says:

    I just tried it and I didn’t get that. Just needed a user name and password.