Quiz Entry - updated: 2026.06.12
What are the key lessons and best defenses against account-chaining attacks like the Mat Honan hack?
Enable 2FA everywhere and maintain offline backups.
Key lessons:
- Account chaining is exponential — each compromised account unlocks the next
- Public information is dangerous — email addresses, billing addresses, and partial account details can be pieced together
- Companies have inconsistent security standards — what Amazon considers non-sensitive (last 4 CC digits), Apple used as identity verification
- Customer service is a social engineering vector — phone support staff are trained to be helpful, not suspicious
- Cloud-only data is fragile — Honan lost irreplaceable family photos because he had no local backups
Key facts from the case:
- The attacker was a 19-year-old hacker
- Could have caused far more damage but only wanted the Twitter handle — "lucky" for Honan
- The best protection would have been 2FA and backups
Best defenses:
- Enable 2FA/MFA on every account (preferably hardware keys or authenticator apps, not SMS)
- Use unique, strong passwords via a password manager
- Don't chain recovery emails — use separate recovery methods for critical accounts
- Maintain offline backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite)
- Minimize public information — don't display email addresses on personal websites
Tip: After this incident, Apple suspended phone-based Apple ID resets for 24 hours and Amazon stopped allowing credit cards to be added via phone support.