Report verifies some iCloud credentials held by hacker group as valid

Posted in General Discussion, edited March 2017
A hacker group attempting to hold Apple ransom with claims it has hundreds of millions of iCloud credentials in its possession recently sent a batch of 54 UK-based accounts for testing, all of which were deemed legitimate.




The self-proclaimed "Turkish Crime Family" provided ZDNet with the iCloud credential sample set in an apparent bid to bolster its extortion efforts. The publication used Apple's online password reset tool to verify the 54 accounts belonging to iCloud customers based in the UK.

According to Thursday's report, the credentials tested date back to 2000, with some user accounts bearing Apple's legacy "mac.com" domain. Other Apple IDs in the package were identified as "me.com" and "icloud.com" accounts, the latter being Apple's current cloud product offering handed out alongside new device purchases.

While the 54 accounts were valid according to Apple's database, ZDNet was only able to verify the passwords of ten individuals. As part of its verification protocol, the publication reached out to each potential victim through iMessage, and presumably email, though most were no longer tied to Apple's messaging service.

At least one person noted their confirmed password was changed about two years ago, suggesting the hacker group's data originates from a breach dating back to 2011 to 2015, the report said.

Of the ten people who confirmed the passwords provided were correct, most said they have used the same login credentials since opening their iCloud account. At least two people noted someone attempted to reset their iCloud account in the past day, while another received an unknown login notification on Twitter, the report said.

Backing up Apple's claims that its systems were not breached and any loose data can be tracked back to third-party services, most of the people whose passwords were verified said they used the same login credentials on other sites. Interestingly, three people noted the passwords confirmed by ZDNet were specific to iCloud, a fact potentially incongruous with Apple's official stance.

The Turkish Crime Family claims to have anywhere from 250 million to 599 million iCloud credentials -- at least two different figures were given to media outlets by two separate members -- at its disposal, and is threatening to use them to remotely wipe connected iPhones and iPads unless Apple pays up. The group is seeking $75,000 in cryptocurrencies or $100,000 in iTunes gift cards by April 7.

Apple in its response yesterday denied media reports that its servers were breached, claims later backed up by the hacker group. Some have floated the idea that some of the data stems from a 2012 LinkedIn hack, though the theory has yet to be proven.

While the source of the alleged iCloud data remains unknown, Apple is keen on quelling customer concerns. In its statement, the company said it is "actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved."

Apple went on to urge customers to use strong, unique passwords and recommended against recycling credentials across services. In addition, the company encourages users to enable two-factor authentication whenever possible.

Comments

  • Reply 1 of 37
    foggyhill Posts: 4,767 member
    What does that prove... Seriously, this is all a big joke and tech journalism is close to dead.
  • Reply 2 of 37
    Turn on NatGeoWILD and mourn for the zebra that didn't make it across the river full of alligators with the rest of its herd as it wasn't smart enough to use unique passwords between different business entities (and likely also shared their most intimate financial and personal info with anyone who ever asked them to confirm it), maybe even while hyena-laughing at those that don't. In the future, app/services will be subject to monitoring for compliance with a whole suite of laws that seek to protect consumers, but those kinds of mandates are always 10-15 years behind reality, during which time there's plenty of prey to be exterminated while positioning for the future. Worst case they can marry ugly and travel the globe trying oh so hard to do as the one whose made up for the Homestead Strike.
  • Reply 3 of 37
    Rayz2016 Posts: 4,518 member
    Backing up Apple's claims that its systems were not breached and any loose data can be tracked back to third-party services, most of the people whose passwords were verified said they used the same login credentials on other sites. Interestingly, three people noted the passwords confirmed by ZDNet were specific to iCloud, a fact potentially incongruous with Apple's official stance.

    Three people said that their passwords were specific to iCloud. It is also not known if they were tricked into giving their passwords away. 

    So stating it as a "fact" might be stretching it. 
  • Reply 4 of 37
    Why doesn't Apple just send an email / push notification to users reminding them to regularly change their passwords, use strong and unique ones? I say reminder and not ask people to change it so as not to cause panic or make it look like there was a breach.
  • Reply 5 of 37
    JanNL Posts: 251 member
    Rayz2016 said:
    Three people said that their passwords were specific to iCloud. It is also not known if they were tricked into giving their passwords away. 

    So stating it as a "fact" might be stretching it. 
    True. And maybe too far-fetched to have some (those 3) accomplices in the sample set who are trying to put pressure on Apple?
  • Reply 6 of 37
    bloggerblog Posts: 1,807 member
    Great! Now that I need to change my password, Apple has Locked my account!! Even after providing my CC#, Tel#, and entering a code sent to my personal iPhone. They said your account might take a few days to "Recover!"

    Thanks Apple! What a bunch of jokers!
  • Reply 7 of 37
    spacekid Posts: 160 member
    simply258 said:
    Why doesn't Apple just send an email / push notification to users reminding them to regularly change their passwords, use strong and unique ones? I say reminder and not ask people to change it so as not to cause panic or make it look like there was a breach.
    I would make my Apple ID password much stronger or change it more often if you didn't have to enter it so often. Not only for various Apple apps on iOS, but on my mac. And from time to time, I have to re-verify it for no reason.
  • Reply 8 of 37
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)
  • Reply 9 of 37
    mjtomlin Posts: 1,792 member
    Mikeymike said:
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)

    Apple Store comes up fine for me.
  • Reply 10 of 37
    JanNL Posts: 251 member
    mjtomlin said:
    Mikeymike said:
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)

    Apple Store comes up fine for me.
    Not here, Apple Store closed (W-Europe)
  • Reply 11 of 37
    mjtomlin said:
    Mikeymike said:
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)

    Apple Store comes up fine for me.
    It's closed for the new products they announced a couple days ago.
    I didn't realize they were not available until today.

  • Reply 12 of 37
    mrboba1 Posts: 267 member
    It's 3.24 - the day they open ordering for the new products. And I get the same message.
  • Reply 13 of 37
    lkrupp Posts: 6,530 member
    Just look at a couple of the responses above blaming Apple for everything that goes wrong and tell me this whole thing isn’t designed to panic the tin foil hat crowd. When the date for ransom payment comes and goes and nothing happens tech blogs will speculate that Apple paid the ransom secretly. Wait for it, it will happen. Hell, they’re already doing it probably. Instead of realizing that this was a prank the tech blog universe will create a conspiracy theory that will live forever, just to get clicks. 
  • Reply 14 of 37
    cckeeler Posts: 1 unconfirmed, member
    I received no email but got a pop up last night of someone logging in using my Apple ID from a different state. I had set up the 2 step authorization luckily though. My password was unique to my Apple ID. This is very concerning.
  • Reply 15 of 37
    lkrupp Posts: 6,530 member
    Mikeymike said:
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)
    The Red iPhone and new iPad go on sale today. No conspiracy theory here.
  • Reply 16 of 37
    rob55 Posts: 1,249 member
    lkrupp said:
    Just look at a couple of the responses above blaming Apple for everything that goes wrong and tell me this whole thing isn’t designed to panic the tin foil hat crowd. When the date for ransom payment comes and goes and nothing happens tech blogs will speculate that Apple paid the ransom secretly. Wait for it, it will happen. Hell, they’re already doing it probably. Instead of realizing that this was a prank the tech blog universe will create a conspiracy theory that will live forever, just to get clicks. 
    I've received a handful of half-panicked emails from some friends with Apple devices asking if they should be worried. So yeah, it does appear to be panicking some people anyway. This is a non-issue, especially if you (the general Apple-using public) have a good, strong, unique password, and have two-step verification turned on.
  • Reply 17 of 37
    mjtomlin Posts: 1,792 member
    Mikeymike said:
    mjtomlin said:
    Mikeymike said:
    Is that why Apple Store is down right now?
    All I get is the rotating, multi language, "We've got something special in store for you. Check back at 8:01".
    (It's now 8:20)

    Oops, that's PDT (Another three hours to go.)

    Apple Store comes up fine for me.
    It's closed for the new products they announced a couple days ago.
    I didn't realize they were not available until today.


    My bad. Thought I was at the store... Was at the main apple.com page.
  • Reply 18 of 37

    According to Thursday's report, the credentials tested date back to 2000, with some user accounts bearing Apple's legacy "mac.com" domain. Other Apple IDs in the package were identified as "me.com" and "icloud.com" accounts, the latter being Apple's current cloud product offering handed out alongside new device purchases.


    Well I would love to update my legacy "mac.com" domain on my AppleID, or better yet, let me change my AppleID to my Gmail email address. Unfortunately, that's not possible. I either need to create an entirely new account, or stick with mac.com forever. I can update the email on record for communications, but not the AppleID. Oh well, I've gotten used to it.
  • Reply 19 of 37
    GeorgeBMac Posts: 3,404 member
    This marks a major change in the world of hacking:
    Traditionally, the personal data of customers would be stolen from a major corporation (such as Target), but the only losers were the customers -- the corporation bore no significant financial harm or risk.

    But now, with this:  the hacker is going after the corporation rather than just selling the customer's data.

    Regardless of whether Apple was hacked or not, I see this as a significant improvement because, using Target as an example:  Because they had no financial risk or loss, they had no incentive to improve their security.  Thus, after the hack, they turned down ApplePay and continued to use the same systems that had been hacked!

     

  • Reply 20 of 37
    Just 2 factor auth. Then it doesn't matter if someone gets your password or not.