How Bad Actors Find the Keys to your Credentials

Watch CEO Bart McDonough explain the shared security model, how easy it is for bad actors to access your credentials, and what it means to “leave the keys on the hood of your car.” To protect your assets from hackers, make sure your end users know how to stop and evade an attack. Agio’s Cybersecurity Awareness Training can help.

Transcription:

How did the iCloud hack happen?

The bad actor simply went to the Apple site. He found their email addresses online, typed in their emails, and hit “Reset Password”. At the time on iCloud, you could reset your password one of two ways. It would either email you a password reset, or you could answer some security questions. He chose the latter. According to his own testimony, he found all of the answers to those questions on one website. Anyone know what that would be? You can’t say Google. I consider that cheating. All of the answers: first car, favorite color, dog name, etc., he found through Wikipedia. So he answered the questions, logged in, and changed the password. He found the photos and shared them.

This is what I mean by a shared security model. Apple, Google, all of the tech companies, say “I’m going to protect the backend, the vault, but I’m going to give you keys”. We call those credentials. It’s a form of your username and password on those websites. Your credentials give you access, but when there’s a data breach, the company is blamed. We don’t take our credentials very seriously. It would be like if you go to the Ford dealership, pick up a car, and drive to the local sports game. You leave your car in the parking lot, take your key, put it on the hood, and you walk into the game. You walk out of the game, and there’s no car. And you think Ford. Right? That doesn’t make any sense. But that’s what we do as individuals every day in this shared security model. We think it’s the company’s fault. It’s their service, but they give you keys. So we operate in a shared security model.
