It turns out that all you need is a billing address and the last four digits of a credit card to get Apple to reset an account password, and these details are easier to obtain than you might think.
Apple tech support confirmed to me twice over the weekend that all you need to access someone's AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. "That's really all you have to have to verify something with us," he said.
Apple spokesperson Natalie Kerris told Wired, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer's data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."
Today, Wired tried to use the hacker's technique themselves. They were successful.
Briefly, here's how the hacker was successful in this case. At Honan's website he found his gmail address. Using gmail's password recovery page he was shown enough of his @me.com address to decipher the full username. Then Honan's billing address was found via a whois of his website's domain. The hacker then contacted Amazon and added a fake credit card to Honan's account. Next the hacker contacted Amazon again and added a new email address to the account using the fake credit card as authorization. Using the new email account he requested a password reset and gained access to see the last four digits of all cards on file. Finally, the hacker called Apple with the email address, billing address, and last four digits of the credit card to have Apple support reset the password.
While this may seem a bit lengthy of a procedure, a delivery person could do the same without going through any of those hoops.
You can find the full story at the link below...