Former Gizmodo writer Mat Honan is having a pretty bad day. As you can read on his Tumblr post (not to mention elsewhere), hackers compromised his iCloud account. They used that access to reset his iCloud password, reset his Gmail password, gain control of his Twitter account (which in turn gave them access to Gizmodo’s Twitter feed and 400K followers) and generally wreak mayhem.
Unfortunately, Honan’s iCloud account was tied to his iPhone and iPad, both of which had Find My iPhone/iPad turned on. In the attackers’ hands, that Find My utility was turned against Honan, and both devices were remotely wiped. It got worse: his MacBook Air had Find My Mac enabled, which meant the hackers could erase his SSD… and they did.
Honan’s iCloud password was unique to that service, but it was also only seven characters long and hadn’t been changed in years. Given the many points of exposure when iCloud accounts are compromised — and the potential risk of serious consequences if remote wipe utilities like Find My Mac are controlled by malicious actors — we recommend using a memorable but strong password for iCloud.
The easiest way to come up with a strong password is to use a tool such as Diceware, but, as our Twitter followers point out, you do need to be able to enter your iCloud password quickly and easily on iOS devices if you plan to install or update App Store apps. It’s not always simple to balance security and convenience, but it’s important to weigh the risks before you settle for an easy-to-crack password.
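To make the Diceware recommendation concrete, here is an added example (not code from the original post or from the Diceware project) that rolls dice with a cryptographically secure RNG, looks each five-die roll up in a wordlist, and compares the resulting entropy with that of a seven-character password like the one that was cracked. The wordlist here is a constructed stand-in that cycles a handful of sample words across all 7776 roll keys so the code runs offline; a real passphrase must use the full Diceware list, where every roll maps to a distinct word.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5
FACES = 6
LIST_SIZE = FACES ** DICE_PER_WORD  # 7776 entries in a full Diceware list

# Constructed sample words for illustration only (assumption: not the real list).
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grove", "hinge"]


def build_wordlist(words):
    """Key every possible five-die roll ('11111'..'66666') to a word.

    A real Diceware list pairs each of the 7776 rolls with a distinct word;
    this constructed version cycles the few sample words so it runs offline.
    The lookup logic is the same either way.
    """
    rolls = ("".join(str(face) for face in combo)
             for combo in itertools.product(range(1, FACES + 1), repeat=DICE_PER_WORD))
    return {roll: words[i % len(words)] for i, roll in enumerate(rolls)}


def roll_dice(rng=None, n_dice=DICE_PER_WORD):
    """Roll n_dice six-sided dice and return the faces as a string, e.g. '41263'.

    Defaults to secrets.SystemRandom, which draws from the OS CSPRNG; never use
    random.random() for this, since its output is predictable.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    return "".join(str(rng.randrange(1, FACES + 1)) for _ in range(n_dice))


def generate_passphrase(wordlist, n_words=6, rng=None):
    """Roll once per word, look each roll up, and return (passphrase, rolls)."""
    rolls = [roll_dice(rng) for _ in range(n_words)]
    return " ".join(wordlist[roll] for roll in rolls), rolls


def passphrase_entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Upper bound on entropy of a random password of the given length and alphabet.

    Human-chosen passwords are usually far weaker than this bound.
    """
    return length * math.log2(alphabet_size)


# Module-level list built from the constructed sample words.
DICEWARE = build_wordlist(SAMPLE_WORDS)

if __name__ == "__main__":
    phrase, rolls = generate_passphrase(DICEWARE, n_words=6)
    print("rolls:     ", " ".join(rolls))
    print("passphrase:", phrase)
    print(f"6 Diceware words: {passphrase_entropy_bits(6):.1f} bits")
    print(f"7 random alphanumerics: {password_entropy_bits(7, 62):.1f} bits")
```

Six words from the full list give roughly 77.5 bits, while even a perfectly random seven-character alphanumeric password tops out near 41.7 bits, so the passphrase is about 2^36 times harder to brute-force while still being something you can type into an iOS password prompt.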
Our sympathies to Mat; we wish him luck in recovering his data and piecing his digital life back together.