Hackers are demanding Apple pay a ransom in bitcoin or they’ll blow the lid off millions of iCloud account credentials.
Beyond the primary headline, however, there are a bevy of loose ends and nuances to ponder.
So far, we know that a London-based hacker group, calling itself the Turkish Crime Family, has claimed to have access to 250 million accounts (at the time of writing). The hackers are threatening to reset the passwords on those iCloud accounts and remotely wipe iPhones if Apple doesn’t pay a ransom by April 7. Those demands have since changed and increased. Motherboard, which first reported the story, noted that the media-hungry group has approached multiple outlets, possibly to help its extortion efforts.
For its part, Apple has said it hasn’t been hacked. In a brief statement, the company said the data came from “previously compromised third-party services,” and that it is “actively monitoring to prevent unauthorized access to user accounts.”
That seems to tie in with what the hackers said in an email to some members of the press late on Wednesday. The hackers denied any direct breach of Apple systems. What muddies the water is that the hackers also appear in some cases to have passwords that have been only used for iCloud. Welcome to the wonderful world of security nuance.
We have worked for the past few days to get to the bottom of this. Here’s what we’ve learned.
ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid, based on a check using the site’s password reset function.
These accounts include “icloud.com,” dating back to 2011, and legacy “me.com” and “mac.com” domains from as early as 2000. The list of credentials contained just email addresses and plain-text passwords, separated by a colon, which according to Troy Hunt, data breach expert and owner of notification site Have I Been Pwned, makes it likely that the data “could be aggregated from various sources.”
We started working to contact each person, one by one, to confirm their password. Most of the accounts are no longer registered with iMessage and could not be immediately reached.
However, 10 people in total confirmed that their passwords were accurate, and have now changed them.
Those 10 people we spoke to were based in the UK, and had UK cell phone numbers. All the people we spoke to were on different cell networks. (A person representing the hacker group, who is allegedly no longer a member, told me that the data is “handled in groups” but would not explain how or why. The hackers refused to hand over a US-based sample of accounts.)
The same 10 people confirmed that they had used the same password since opening their iCloud accounts.
According to the responses, most of the people had the same passwords on their accounts for “about four or five years” since iCloud’s debut. One person said specifically that the password he confirmed with us was no longer in use as of about two years ago, which narrows down the possible date of a breach or multiple breaches to somewhere between 2011 and 2015.
Some of the people we spoke to only own iPhones, while others own Macs and iPads but do not own an iPhone. That may rule out if an individual Apple product line was compromised in some way.
We also asked if their accounts were used on other services to potentially verify if another site had been compromised.
Most of the people we spoke to confirmed that they used their iCloud email address and password on other sites, such as Facebook and Twitter.
However, three people said that their iCloud email address and password were unique to iCloud, and were not used on any other site — a key anomaly that, if accurate, we can’t explain.
Two of the people we spoke to confirmed that someone had tried to reset their iCloud accounts in the past day. One of the people said that they had received login notifications on Twitter, which used the same iCloud email address and password. This seems fitting with the hackers’ apparent desires to reset accounts as they claim.
“All from London [where the hackers claim to be located], from different browsers at the same time,” confirmed the iCloud account holder.
It’s clear that there’s something to the hackers’ claims, given that they have some working iCloud account credentials. But it’s not known exactly how many, or if the sample that was sent was representative of the wider pool or was carefully selected.
Based on our experience and our interactions with the group and its members, it’s evident that the group is naïve and inexperienced. Based on its grandiose claims and its cherry-picking media outlets to cover its claims, it’s also clear that the group is gunning for publicity. When we began asking the group questions, the conversation quickly turned to whether or not CBS News (which like ZDNet is also owned by CBS), would also cover the group’s claims.
The group also appears disorganized, and unable to maintain order within its own ranks — seen by the apparent “firing” of one of its members, who ran the Twitter account. It also can’t seem to stay on message, as evidenced by the need to correct the record after reporters “misunderstood the situation.”
“A breach means nothing in 2017 when you can just pull the exact same user information in smaller scales through companies that aren’t as secure,” said the group in a Pastebin post.
We can’t be sure that this is something big, but based on our reporting, we can’t say that it’s nothing.
Those using two-factor authentication or Apple’s trusted device system should be protected.
But concerned users should change their Apple iCloud password through this link. Look for the green padlock icon in the address bar and that the web address clearly says “iforgot.apple.com”.
Change your password to a long password with differently-cased letters and numbers with special characters. Using a password manager can considerably help in generating strong passwords, as well as storing them. We have more security advice here.
Apple did not respond to questions we sent earlier on Thursday.