Apple responds to hacker claims, says systems not breached

Posted:
in General Discussion edited March 2017
Apple in a statement late Wednesday responded to claims that a hacking group is threatening to wipe hundreds of millions of iPhones and iPads using stolen credentials, saying its own systems have not been compromised.




Earlier in the day, Motherboard reported a group calling itself the "Turkish Crime Family" is holding Apple ransom with some 559 million email and iCloud accounts. The hackers are threatening to remotely wipe hardware associated with the alleged credentials unless Apple hands over $75,000 in cryptocurrency or $100,000 in iTunes gift cards by April 7.

While Apple did not go so far as to debunk the report or the legitimacy of a stolen list of IDs and passwords, a company spokesperson told Fortune that any loose user information did not originate from its servers.

"There have not been any breaches in any of Apple's systems including iCloud and Apple ID," the spokesperson said. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."

Citing a person familiar with the contents of the Turkish Crime Family's data, the report goes on to say that many user names and passwords appear to come from a 2012 LinkedIn breach. Whether that hack contained Apple user IDs and passwords is unknown, though the possibility seems slim. A more likely threat is the possibility of credential recycling. People often reuse usernames and passwords across different services.

Apple went further to allay fears that customer iOS devices might soon be remotely wiped without their knowledge or consent. In the statement, Apple said it is "actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."

To be safe, users of Apple's iCloud who apply the same credentials to other services are urged to update their passwords. Taking Apple's advice and enabling two-factor authentication for Apple ID and the iCloud web client is also highly recommended.

Comments

  • Reply 1 of 8
    fallenjtfallenjt Posts: 4,056member
    Turkist hackers can eat shits!
    jbdragonwatto_cobra
  • Reply 2 of 8
    calicali Posts: 3,494member


    (Everyone's thinking it)



    I can imagine the emails...
    "or just give us iTunes gift cards bro"


    edited March 2017 Dan Andersenwatto_cobra
  • Reply 3 of 8
    mike1mike1 Posts: 3,436member
    cali said:


    (Everyone's thinking it)



    I can imagine the emails...
    "or just give us iTunes gift cards bro"


    iTunes gift cards which would be logged and traced back. That's assuming anybody would consider paying.
  • Reply 4 of 8
    lkrupplkrupp Posts: 10,557member
    Sounds like a bunch of twelve year olds looking for attention. Can we start a betting pool (in Las Vegas where it’s legal) as to how this turns out? What are the odds this is legit? What are the odds it turn out to be a juvenile prank? What are the odds it’s some blogger clickbait? Place your bets at the table.
    watto_cobra
  • Reply 5 of 8
    jbdragonjbdragon Posts: 2,312member
    Be smart, turn on 2 factor authentication!!! Even if someone got your password they still wouldn't be able to get into your account to do anything.
    watto_cobra
  • Reply 6 of 8
    linkmanlinkman Posts: 1,046member
    mike1 said:
    cali said:


    (Everyone's thinking it)



    I can imagine the emails...
    "or just give us iTunes gift cards bro"


    iTunes gift cards which would be logged and traced back. That's assuming anybody would consider paying.
    I am very familiar with an elderly person that paid a scammer in iTunes gift cards -- over $100k worth. The police working on the case said that there was no way to track down the criminal(s). All of the scamming was done by phone. The cards would have been sold at a discount online. Yes, it was a lot of cards and time spent reading the codes to the scammer.
  • Reply 7 of 8
    I got an email the other day claiming it was from Apple and that my account had been accessed on another machine and I need to log into the website which clearly linked to a non-Apple site.

    They could have got details that way.
  • Reply 8 of 8
    MarvinMarvin Posts: 15,481moderator
    I got an email the other day claiming it was from Apple and that my account had been accessed on another machine and I need to log into the website which clearly linked to a non-Apple site.

    They could have got details that way.
    There's a few large services that have been breached over the last few years. LinkedIn was a large one with 167 million accounts:

    http://fortune.com/2016/05/18/linkedin-data-breach-email-password/

    People reuse passwords, this happened on a small scale with iCloud already. Apple got the blame even though other services were compromised. If Apple could get the breached databases, maybe directly from LinkedIn/Microsoft and others, they could run a password check to see which have been reused on iCloud services.

    They can limit the damage by restricting device wipes to one per IP per day if they haven't already and they could always disable the service entirely if they saw a surge in reset requests.
Sign In or Register to comment.