Apple's password reset process reportedly was broken by hackers, enabling anyone who knew a user's email address and associated birthday to reset that user's password.
The hack was reported by The Verge Friday afternoon. The publication declined to post a link to the website hosting the technique, which required the user's date of birth and email address. By inserting a specially crafted URL into the address bar, hackers were able to bypass the verification process and reset the victim's password.
Apple worked quickly to address the issue, bringing its iForgot password reset website down for maintenance for several hours on Friday. When the website was brought back online, the hacking technique was blocked.
Apple has an estimated 400 million accounts and has been adding mechanisms to buttress its account verification process following reports that password resets can be easily pulled off by a determined hacker. Last year, hackers gained access to the Apple account of Mat Honan, a reporter for Wired, after resetting his password by phone.
The company introduced two-step verification on accounts last week, restricting the password reset process for users who have enabled it to their enrolled devices.
Users can enable two-step verification for additional protection by browsing to Apple's account management Web page. Apple will send the device a verification code to confirm the setup. Once signed up, device owners will be issued a recovery key that is used to access the Apple account if the password is lost or the device is lost or stolen.
The company also introduced security questions last April in an attempt to further authenticate users attempting to make account changes. Those who have enabled two-step verification will not be prompted with security questions, under Apple's two-step implementation.
Google has had a two-step verification process in place since 2011. It can be used for password recovery and account access. Two-step verification adds a layer of security because it combines the username and password with possession of the user's physical device.
PUBLISHED MARCH 25, 2013