The next thing they needed was the last four digits of Honan's credit card number. They got this through Amazon by calling its Amazon's support line and added a fake credit card account.
Then the hacker called Amazon again and claimed to have lost the account password. Phobia used the fake credit card number, and added a new email account which then allowed him to view the last four digits of Honan's credit card.
The hacker then called AppleID and used the credit card number as well as Honan's birthdate to get a temporary password.
It was all too easy, and has caused a bit of a problem for Amazon and Apple, which have been touting their various cloud systems as secure. Amazon has come up with the best policy. It has stopped allowing people to change their account settings via a phone call.
Apple is currently freezing all AppleID password requests made over the phone and is thinking up a new policy. But the question is what possessed anyone to think that using the last four digits of a credit card to verify someone's identity for such powerful services on linked devices passes for security.
Phobia said he wanted " to publicise security exploits, so companies will fix them". He seems to have managed that.