If you follow Gizmodo on Twitter, you may have noticed our account started spewing some garbage last night. We got hacked. Here's how it happened, and some steps you can take to keep it from happening to you.
The weak link in the security chain turned out to be the seven digit alphanumeric password to our good buddy and former contributor Mat Honan's iCloud account. After presumably brute-forcing his way into iCloud, the nefarious hacker was able change the password of and gain access to Mat's Google account, remote wipe his Macbook Air, iPhone, and iPad, get into his Twitter, and then use that to get access to ours. While we managed to snatch our Twitter account back from the claws of evil, Mat's been having a bit more trouble. You can read more about his harrowing tale on his blog.
As awful as getting hacked always is, it's a learning experience. So what can you do to help avoid a similar fate? A few things.
Use super-secure passwords and use different ones for everything. Use numbers, symbols, uppercase letters, lowercase letters, all that jazz. You probably know how to make a secure password, it's just annoying to do. If you can't be bothered to memorise a whole bunch of alphanumeric gibberish, pick up a password manager like 1Password or LastPass, and lock it down with one insanely secure (and unique) master password.
Whenever you've got the option, turn on two-step authentication, especially on your Google account or any other account you use as a hub. That way, even if script kiddies manage to get your (super-secure) password, it'll be useless unless they have access to your phone or computer.
Check up on and clean out your permissions from time to time. There's pretty much a 100% chance that somewhere in your web of accounts, something has access to account it doesn't need to have access to anymore. In our case, Mat's Twitter still had access to ours. By going through and cutting these deprecated ties, you can make it less likely that one of your less used, possibly less secure accounts can help a hacker get to one of your more important ones.
Don't rely on the cloud. It's great to have online storage you can get at from all your various devices, but when the shit goes down and your under attack, nothing is more secure than a hard drive you can unplug and hide in a shoebox in the closet. It's not the most convenient way to back up, but you'll thank yourself for it.
No matter what steps you take, you can't totally rule out the possibility of getting hacked; if someone's really out to get you, they can probably get you eventually. You're going to want to take every step you can though, just be safe, because if you do get hacked, your going to be kicking yourself hard for every little precaution you could have taken but didn't.
For any of you who saw any of the offending tweets last night, we're sorry about that, and we've tightened up security a bit. It's never a bad time for you to do the same. And show some love for Mat, who we hope will be back in working order soon.