Report verifies some iCloud credentials held by hacker group as valid


Comments

  • Reply 21 of 37
    macplusplus Posts: 2,116 member
    cckeeler said:
    I received no email but got a pop up last night of someone logging in using my Apple ID from a different state. I had set up the 2 step authorization luckily though. My password was unique to my Apple ID. This is very concerning.
    Try logging in and the two-factor authentication will notify you that you are logging in from another state. Their geo-location feature is not perfect.
  • Reply 22 of 37
    macplusplus Posts: 2,116 member
    This marks a major change in the world of hacking:
    Traditionally, the personal data of customers would be stolen from a major corporation (such as the Target), but the only losers were the customers -- the corporation bore no significant financial harm or risk.

    But now, with this:  the hacker is going after the corporation rather than just selling the customer's data.

    Regardless of whether Apple was hacked or not, I see this as a significant improvement because, using Target as an example:  Because they had no financial risk or loss, they had no incentive to improve their security.  Thus, after the hack, they turned down ApplePay and continued to use the same systems that had been hacked!

     

    This is not a hacking incident. This is a conspiracy against Apple, some kind of framing it up with data collected from the black market. They are trying to force Apple to act in some manner. They are not after customers, they are after Apple.

    Corporations may face several blackmail trials like these. There is nothing here to call it a "major change in the world of hacking". This is a common criminal case, nothing else to be sublimated like that.
    edited March 2017
  • Reply 23 of 37
    revenant Posts: 621 member
    my apple account was locked about three times a week for about three weeks. I called apple and said something fishy is going on. I have changed my password each time.


    the apple person I spoke with suggested I change my apple user id as well.
  • Reply 24 of 37
    StrangeDays Posts: 13,111 member
    Great! Now that I need to change my password, Apple has Locked my account!! Even after providing my CC#, Tel#, and entering a code sent to my personal iPhone. They said your account might take a few days to "Recover!"

    Thanks Apple! What a bunch of jokers!
    1) why did you cause your account to be locked?

    2) Telephone and credit card numbers are anything but secret. If a bad actor had your phone and that basic info, you'd be thankful he couldn't hop in and delete all your stuff. Better to be inconvenienced a few days.  
  • Reply 25 of 37
    fallenjt Posts: 4,056 member
    Use 2-factor verification. Done deal. I received a notification a few months ago saying that someone in South East Asia tried to log in with my Apple ID and asked for my authorization code...yup...hackers are out there trying it every day.
  • Reply 26 of 37
    boltsfan17 Posts: 2,294 member
    I'm highly skeptical this so-called hacking group has hundreds of millions of iCloud credentials. If someone actually had over 250 million iCloud credentials, you would think they would be asking for a lot more than $75k.
  • Reply 27 of 37
    ktappe Posts: 824 member
    joe28753 said:
    Well I would love to update my legacy "mac.com" domain on my AppleID, or better yet, let me change my AppleID to my Gmail email address. Unfortunately, that's not possible. I either need to create an entirely new account, or stick with mac.com forever. I can update the email on record for communications, but not the AppleID. Oh well, I've gotten used to it. 

    Why would you want to drop your mac.com? Those are now rare and prestigious, from what I understand. It shows you're a long-time user, so it's like having a vanity plate on your car.
  • Reply 28 of 37
    foggyhill Posts: 4,767 member
    These things were obtained through phishing or mom attacks . People claiming to be apple and then having you log into your account on a fake page

    my mother received an email purporting to be from apple saying someone had bought expensive stuff on her iTunes account and that it may have been hacked and a login prompt to log into a fake iTunes to confirm this

    the email was very well made and the only reason she didn't log in is I told her to never log in from an unsolicited email ever and to contact me if she got one. 

    I inspected the links and saw that they were just disguised as coming from apple  and the email header was forged

    many people fall for this kind of ruse, they can collect credentials easily that way
  • Reply 29 of 37
    SpamSandwich Posts: 33,407 member
    Great! Now that I need to change my password, Apple has Locked my account!! Even after providing my CC#, Tel#, and entering a code sent to my personal iPhone. They said your account might take a few days to "Recover!"

    Thanks Apple! What a bunch of jokers!
    Just call them or go to an Apple Store.
  • Reply 30 of 37
    GeorgeBMac Posts: 11,421 member
    This marks a major change in the world of hacking:
    Traditionally, the personal data of customers would be stolen from a major corporation (such as the Target), but the only losers were the customers -- the corporation bore no significant financial harm or risk.

    But now, with this:  the hacker is going after the corporation rather than just selling the customer's data.

    Regardless of whether Apple was hacked or not, I see this as a significant improvement because, using Target as an example:  Because they had no financial risk or loss, they had no incentive to improve their security.  Thus, after the hack, they turned down ApplePay and continued to use the same systems that had been hacked!

     

    This is not a hacking incident. This is a conspiracy against Apple, some kind of framing it up with data collected from the black market. They are trying to force Apple to act in some manner. They are not after customers, they are after Apple.

    Corporations may face several blackmail trials like these. There is nothing here to call it a "major change in the world of hacking". This is a common criminal case, nothing else to be sublimated like that.
    Uh... No...  My point (which you completely missed) was that this was a hack -- but instead of going after the customers by selling their data (which they could have done), they went after the company (Apple).   You can be as outraged as you want.   But, that's what happened.

    While Apple has always been very protective of its security and of their customers' private information, and I am sorry that it was Apple that was the victim here; I hope that when hacking occurs, that the hackers continue to go after the company rather than the users -- so that the company has an incentive to tighten up their security.  Right now, when hackers go after the customer, they have no incentive to fix their weak security systems...
  • Reply 31 of 37
    boltsfan17 Posts: 2,294 member
    foggyhill said:
    These things were obtained through phishing or mom attacks . People claiming to be apple and then having you log into your account on a fake page

    my mother received an email purporting to be from apple saying someone had bought expensive stuff on her iTunes account and that it may have been hacked and a login prompt to log into a fake iTunes to confirm this

    the email was very well made and the only reason she didn't log in is I told her to never log in from an unsolicited email ever and to contact me if she got one. 

    I inspected the links and saw that they were just disguised as coming from apple  and the email header was forged

    many people fall for this kind of ruse, they can collect credentials easily that way
    These credentials are from data breaches of other websites such as LinkedIn that have been collected over the last 5 years or so. I imagine the credentials this group has are people using the same password for their iCloud account and other websites such as LinkedIn. It's possible some are from phishing, but I believe this group said they were collected from third party data breaches.
  • Reply 32 of 37
    evilution Posts: 1,399 member
    Rayz2016 said:

    Three people said that their passwords were specific to iCloud.
    Yeah, plenty of iCloud phishing emails out there.
  • Reply 33 of 37
    foggyhill Posts: 4,767 member
    foggyhill said:
    These things were obtained through phishing or mom attacks . People claiming to be apple and then having you log into your account on a fake page

    my mother received an email purporting to be from apple saying someone had bought expensive stuff on her iTunes account and that it may have been hacked and a login prompt to log into a fake iTunes to confirm this

    the email was very well made and the only reason she didn't log in is I told her to never log in from an unsolicited email ever and to contact me if she got one. 

    I inspected the links and saw that they were just disguised as coming from apple  and the email header was forged

    many people fall for this kind of ruse, they can collect credentials easily that way
    These credentials are from data breaches of other websites such as LinkedIn that have been collected over the last 5 years or so. I imagine the credentials this group has are people using the same password for their iCloud account and other websites such as LinkedIn. It's possible some are from phishing, but I believe this group said they were collected from third party data breaches.
    During those breaches, if they only obtained the encrypted hash, they didn't get much...
    For this to work, the people need to also put WEAK PASSWORDS, otherwise you can't decrypt the password file for this entry.
    Say you get 100M encrypted entries from multiple sources, how many of them can you actually get a full credential from? Maybe 1M? of the accounts with the worst passwords ever (there are many of those people). How many of those entries actually match active Apple accounts? Maybe a few percent (Most would either not be relevant to Apple (Android users, or don't have anything Apple) or the hacked credentials are not used on Apple's site by those same people).

    My belief is that most of the password info comes from phishing, groups have been very aggressive in phishing purporting to be Apple these days.
    Me and family got about 20 of these emails faking Apple in the last year.
    edited March 2017
  • Reply 34 of 37
    Marvin Posts: 15,496 moderator
    foggyhill said:
    foggyhill said:
    These things were obtained through phishing or mom attacks . People claiming to be apple and then having you log into your account on a fake page

    my mother received an email purporting to be from apple saying someone had bought expensive stuff on her iTunes account and that it may have been hacked and a login prompt to log into a fake iTunes to confirm this

    the email was very well made and the only reason she didn't log in is I told her to never log in from an unsolicited email ever and to contact me if she got one. 

    I inspected the links and saw that they were just disguised as coming from apple  and the email header was forged

    many people fall for this kind of ruse, they can collect credentials easily that way
    These credentials are from data breaches of other websites such as LinkedIn that have been collected over the last 5 years or so. I imagine the credentials this group has are people using the same password for their iCloud account and other websites such as LinkedIn. It's possible some are from phishing, but I believe this group said they were collected from third party data breaches.
    During those breaches, if they only obtained the encrypted hash, they didn't get much...
    For this to work, the people need to also put WEAK PASSWORDS, otherwise you can't decrypt the password file for this entry.
    LinkedIn used SHA-1 hashing without salt so all of the passwords will be known by now:

    https://www.theregister.co.uk/2016/05/24/linkedin_password_leak_hack_crack/

    "By Friday, Kore Logic had recovered 48,520,000 unique passwords from the LinkedIn hash dump. Four in five (78 per cent) of the unique hashes have cracked at this point. Kore Logic has already recovered the passwords for six in seven (86 per cent) of all LinkedIn.com users in the dump.

    LinkedIn evidently hashed passwords using SHA-1 without using salting, a combination of weak crypto and poor methodology that made it straightforward to crack the leaked password database. All manner of mischief has ensued.

    Some reports suggest that seemingly benign hackers have begun to hijack the profiles of big name personalities using info gleaned from the dump. Twitter co-founder Biz Stone, Minecraft creator Markus “Notch” Persson and others have had their profile hijacked by a group called OurMine Team, Vice reports."

    Considering over 1 million accounts used 123456, it's likely that a significant portion have been reused across multiple services.

    Apple can fix this once and for all by using file key verification instead of passwords. Not only that but they can become a verification process for other services the way Facebook is. They already have the branding with Keychain, they just need Keys. The only way to prevent people using stupid passwords is to take away the option. This also fixes things like Apple TV logins. There can still be a password system to lock access to the keys for multiple users but it can be client-side and can use touch id on devices that have them.
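
Added example (not part of the post above, and not code from LinkedIn or Apple): a defender's comparison of unsalted SHA-1 storage, as described in the quoted Register article, with a per-user salt and a slow KDF. The account names, passwords and iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); two users picked the same password.
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "tr0ub4dor&3"}
ITERATIONS = 200_000  # example work factor (assumption); tune for your hardware


def unsalted_sha1(password):
    """Weak scheme: fast and deterministic, so equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt=None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, digest)


def duplicate_hashes(stored):
    """Number of stored values that are shared by more than one account."""
    return sum(c for c in Counter(stored).values() if c > 1)


def audit():
    """Return (duplicates under unsalted SHA-1, duplicates under salted PBKDF2)."""
    weak = [unsalted_sha1(p) for p in ACCOUNTS.values()]
    strong = [salted_pbkdf2(p)[1] for p in ACCOUNTS.values()]
    return duplicate_hashes(weak), duplicate_hashes(strong)


if __name__ == "__main__":
    weak_dupes, strong_dupes = audit()
    print("accounts sharing a stored value, unsalted SHA-1:", weak_dupes)
    print("accounts sharing a stored value, salted PBKDF2: ", strong_dupes)
```

With unsalted SHA-1 every account using "123456" stores the same value, so password reuse is visible in the dump itself; with a random salt each stored value is unique and each guess must be recomputed per account.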
  • Reply 35 of 37
    yoyo2222 Posts: 144 member
    revenant said:
    my apple account was locked about three times a week for about three weeks. I called apple and said something fishy is going on. I have changed my password each time.


    the apple person I spoke with suggested I change my apple user id as well.
    Do you have 2-step or 2-factor authentication set up? If not, why not?
  • Reply 36 of 37
    MacPro Posts: 19,851 member
    Rayz2016 said:
    Backing up Apple's claims that its systems were not breached and any loose data can be tracked back to third-party services, most of the people whose passwords were verified said they used the same login credentials on other sites. Interestingly, three people noted the passwords confirmed by ZDNet were specific to iCloud, a fact potentially incongruous with Apple's official stance.

    Three people said that their passwords were specific to iCloud. It is also not known if they were tricked into giving their passwords away. 

    So stating it as a "fact" might be stretching it. 
    Yep, brings a whole new meaning to 'a phishing expedition' doesn't it?
  • Reply 37 of 37
    MacPro Posts: 19,851 member

    Just 2 factor auth. Then it doesn't matter if someone gets your password or not.
    Unless they stole your Mac and iPhone too :(