Digital erasure: how to avoid it happening to you

Mat Honan lost everything. Here's how to ensure you don't.

On Friday night, Mat Honan, a senior reporter for Gizmodo, got hacked. Hard:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. . .

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter.

The full account of his travails is terrifying for anyone who lives a largely digital life. In fifteen minutes, Honan lost most of his digital property (photos, emails, documents and so on), and most of his ways of communicating with the outside world. Not just email and Twitter, but phone calls and text messages.

How it happened has only become clear since Friday, and presents a worrying picture of security at Apple. The initial breach, in Honan's iCloud account, was done by someone who successfully convinced Apple support to reset the password without knowing the original password, or any security questions associated with the account. Simply put, that should not be possible. From there, however, a series of easily made but unfortunate decisions allowed it to spiral out of control.

What's particularly scary about Honan's situation is that, in a number of ways, he followed best practices. His iCloud account password was unique, alphanumeric, and never got leaked or cracked. Yet he still lost everything. But there are two things which may – just – have been able to improve the situation.


It sounds really simple, and you have in fact probably been told it before, but back up. Back up everything, and preferably back it up more than once. As Marco Arment says, if you can afford a MacBook Air, iPhone and iPad, you can definitely afford an external hard drive.

More importantly, don't confuse what are two separate services: back-up and syncing. If all your precious photos are stored on Dropbox or iCloud, that protects you against some types of data loss – dropping your laptop in the bath, that sort of thing – but not others. And frankly, most data loss these days isn't hardware or software failure but "wetware" – your brain. It's when you delete a file, and empty the trash, and only then realise that you actually really wanted to keep that piece of data (yes, I have done this (with my entire Applications folder (it hurts))). If you are using a backup service which deletes the backup when you delete the original, that's not a huge help. And even worse is that many of them will delete the original if you delete the backup.

This is especially useful if you have a service – like iCloud – which allows remote wiping. If you turn on a switch which allows all your data to be erased, it's probably worth making sure you have a plan in case you have to hit that switch. If you don't keep back-ups, turn that off.

Password resets

If you are sensible – and many people aren't – you'll have different passwords for every service. Honan did. The problem is that although that removes most possibilities for losing multiple accounts, it doesn't take away the weakest link. If LinkedIn gets hacked, that password shouldn't be able to gain access to anything else, but if your email account is hacked, you may well be screwed. Most services are designed to allow anyone with a password or access to the registered email account to log on. Making the former secure and then leaving the latter open is not the best move. So what's the best thing to do?

Step one is to make sure that the email address password resets go to is the most secure possible one. For most people who don't have extra-strong security needs, that means a Gmail account with two-step verification. Every time you try to log on from a new computer, you get sent a text (or check a special app) with a code to finish the log-in. Unless someone steals that as well, you're safe.

Step two is to remove password resets from that address. There's no point having a secure email address if you can reset the password by requesting it from a less secure one. Step three is to stop using it for anything but account registrations. It will be impossible to keep it totally secure, because of the number of services which still identify you by your address, but it's better than handing it out to everyone.
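
The three steps above amount to auditing which mailbox can reset which account. As an added example (not from the original article), the sketch below models the reset chain as a graph and computes what an intruder holds after taking one account; the account names, the `reset-only` mailbox and the assumption that Twitter resets go to Gmail are constructed for illustration.

```python
from collections import deque

# Constructed sample modelled on the article: account -> mailboxes that
# receive its password-reset e-mails. The twitter -> gmail link is an assumption.
AS_DESCRIBED = {
    "icloud": [],            # reset by phone support, no e-mail dependency
    "gmail": ["icloud"],     # backup address is the .mac mailbox
    "twitter": ["gmail"],
}

# Same accounts after steps one to three: one dedicated reset mailbox with
# two-step verification and no recovery address of its own (hypothetical name).
HARDENED = {
    "reset-only": [],
    "icloud": ["reset-only"],
    "gmail": ["reset-only"],
    "twitter": ["reset-only"],
}


def blast_radius(recovery, first):
    """Accounts an intruder controls after taking `first` and following
    password-reset e-mails from mailbox to mailbox."""
    resets_into = {}  # mailbox -> accounts whose resets land there
    for account, mailboxes in recovery.items():
        for mailbox in mailboxes:
            resets_into.setdefault(mailbox, []).append(account)
    owned, queue = {first}, deque([first])
    while queue:
        for nxt in resets_into.get(queue.popleft(), []):
            if nxt not in owned:  # visited check also stops recovery loops
                owned.add(nxt)
                queue.append(nxt)
    return owned


def weakest_links(recovery):
    """Accounts ranked by how many others fall with them, worst first."""
    sizes = {a: len(blast_radius(recovery, a)) - 1 for a in recovery}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, layout in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(name, weakest_links(layout))
```

In the hardened layout a takeover of iCloud stops at iCloud, and the ranking shows the reset mailbox as the one account everything else depends on.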

But the question that still remains is whether Apple and iCloud can be trusted at all. Following Honan's story, it certainly seems a bad idea to link any other accounts to your iCloud. Until the company responds, however, we can't know quite how bad it will be.


Mat Honan has now made public just how the hack happened, and it's even scarier than we thought. There are severe security flaws in Amazon's and Apple's password reset procedures that allow someone to take over both accounts with just your name, email address and billing address. This is not, by any stretch of the imagination, confidential data – yet until those procedures are changed, it would be best to treat it as such, and to attempt to limit the amount of damage which would happen if those accounts were compromised.

How to trick Amazon:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry's published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you've lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account -- not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn't have anything to share by press time.

Delete – even if you don't want to. Photograph: Cari McGee/

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Connected - to save time, money and lives

Businesses and the public sector in the UK are increasingly exploring new ways they can work with the help of connected technology – and the benefits this will bring.

We live in a world that’s increasingly connected. EE was born three years ago and has spent this time creating one of the fastest and most reliable 4G networks in any country. The effect of this growth means more for the British population as a whole, along with its critical infrastructure and emergency responders, than it does for individuals and consumers.

Why? Mobility, according to analysts CCS Insight, is “the fulcrum of digital transformation”. In the short time that mobile networks have existed – and the even shorter and more profound growth arc of 4G – mobility has moved from being about faster speeds and more services on our phones to a whole new world of possibilities for the way we live and work.

The latest mobile technologies can make small companies look big. And, the experts warn, they can make big companies look unintentionally small.

Over 500,000 businesses in the UK use our network and services to increase productivity and save money. Much of the public sector uses it to save money too – and save lives. We’d like to walk you through the stories emerging from this new world – sharing some examples of what happens when workers, customers and machines become truly connected.

Connected Vehicle

Businesses in the UK have long treated their cars, vans and other vehicles as their mobile offices, workshops or command centres, whether for field engineers, sales reps or dozens of other roles. But it’s not always been easy. 

That’s changing. Take utility Northumbrian Water. It is responsible for 55,000km of pipelines, many in rural parts of the UK. It has found a solution in the Connected Vehicle service from EE that is based on transport-grade equipment. External antennae on a van connect to a ruggedised router that deals with extreme temperatures and can handle vibrations from road surfaces. 4G becomes a shared WiFi connection for workers and devices out in the field, increasing their efficiency significantly as workers can stay connected on site, rather than having to travel back to the office.

And is it effective?

“The business case writes itself,” said Alan Sherwen, head of IS service and operations at Northumbrian Water, which is now looking at a wider rollout.

Beyond the private sector, the public sector is throwing off its image as a technology laggard. Blue-light fire, police and ambulance services are doing more than just seeing the potential.

East Midlands Ambulance Service’s head of IM&T, Steve Bowyer, describes his experience with 4G’s “reliable, consistently fast data connections” as “quite transformational”.

The ambulance service knows that every second counts, especially when accidents occur in remote locations.

Bowyer calls the use of 4G-connected vehicles “an extension of our control room” – for example, 4G-equipped ambulances allow paramedics to send vital information to hospitals ahead of arrival.

And it’s a similar story with the police. Officers collect and submit evidence from the scenes of crimes and accidents. Staffordshire Police has started to use connected vehicles and more broadly estimates its 4G devices provide the equivalent of 250,000 additional hours of policing time on the beat each year. That’s the equivalent of 100 extra officers.

Rapid Site

The technology we’re talking about – fast, robust, often rural connectivity – isn’t always about being on the move. Industries such as construction that occupy a location sometimes for a matter of months are also employing high-speed, managed services to serve those on site.

Jackson Civil Engineering used to have to wait three months to get a line installed. It was holding back the business.

“The challenges I face are making sure the guys on site get connectivity and transmit information from laptops, mobile phones and tablets,” said Justin Corneby, the company’s IT manager. “If there’s no connectivity for our guys on the ground it almost stops them working completely.” Now setup at a new location takes under three days, and speeds tend to be up to 60Mbps where, before, a fixed line gave the company 8Mbps.

Housing association Green Square faces a similar challenge in its efforts to supply about 400 homes every year in the west of England.

Mark Gingell, ICT service manager at Green Square, said: “[We have] some challenges about how do we get our staff access to the internet. What we want is a seamless process for them to be able to log on and have the information at hand. The ultimate goal is to make great places where people can live.”

Public WiFi – in a box

Other types of business are on this connected journey too. Richardson’s operates 310 holiday boats on the Norfolk Broads and 4G Public WiFi from EE means not only coverage and simplicity for customers wanting internet access but knowing that compliance and online safety for families, through web filtering, is taken care of. In fact a whole range of businesses are now possible, many employing mobile payments systems which through their security and 4G connections open up a world of pop-up possibilities to businesses big and small.

Connected Health 

And lastly, the NHS is showing us that innovation can be built on even relatively simple technology. ‘Did not attend’ – or DNAs – cost the health service around £900m every year. That breaks down as £137 for every missed hospital appointment, £45 for each at a GP’s surgery. 

Intelligent messaging from EE means patients get a text message and simply reply to cancel or confirm an appointment. DNAs have been reduced by 67 per cent in one case, freeing up slots for others. That means there is the potential to save the NHS over £500m annually, just by improving the booking and scheduling service for patients with intelligent messaging. Meanwhile healthcare professionals get to target groups by demographics – for example, elderly people when it’s flu jab season. In short, this approach saves time, saves money and even saves lives.

Now you can

When we were the first to launch 4G in the UK, we had a simple message: Now you can. Most people took that to mean simply that smartphones, tablets, laptops and upcoming smart devices could get a faster network connection. But it’s been about much more than that.

Today, being connected in this way is a vital component for business and Britain’s vital public services. Our recent research of 1,000 UK businesses shows that 50 per cent of customers say 4G is critical to their business success. They report a 10 per cent uptick in productivity when adopting 4G – and gains can be greater in the public sector.

And we’re nowhere near finished. Now any organisation in the private or public sector can share in this connected story, employing new technology and innovative approaches as a managed service or in any way that best works for them. We are just as excited about the next three years as the last three.