Billing addresses are easy to find online, and credit card numbers are only slightly more difficult to come by. The hacker had both bits of data on Honan. He'd found the billing address by looking up the registration of Honan's personal website, and he'd gotten the credit card number by calling the support line of another tech behemoth, Amazon. The hacker had asked Amazon to place his — the hacker's — email address on Honan's account, which Amazon happily did. Then the hacker issued a forgotten password request on Amazon's website — this sent a link to the hacker's email, allowing him to change Honan's password and get full access to his Amazon account, including the ability to see the last four digits of his credit card.
Bingo! Now the hacker could get into Honan's Apple account, which allowed him to delete everything connected to Honan's iCloud profile (his iPad, iPhone and Mac). Because Honan had set his Apple account as his Google account's alternate address, the hacker only had to issue another forgotten-password request for Honan's Gmail to fall, too.
This is a sorry tale. There were lots of lapses here — relatively small ones by Honan (he hadn't backed up his data), and huge, glaring, scary ones by Apple and Amazon. But if you examine this epic hack, you'll find a few simple lessons.
Here are the four things users and companies could do immediately to reduce these kinds of attacks:
1) Everyone should turn on two-factor authentication now.
To get into most online accounts, you only need to dig up a single piece of data — a password. (The username on many services — including email accounts, Twitter, and Facebook — is your public handle, available to everyone.)
There was a time when passwords were enough (and you should follow my advice on how to create very strong, easy-to-remember passwords: http://slate.me/NPHd3h). But now we've all got so many online accounts protecting so much valuable information that we need something in addition to passwords.