Turkish Hackers say they can Hack 250 Million iCloud Accounts
The actress Jennifer Lawrence had her nude photos published on the internet when hackers guessed the challenge response questions to her iCloud account. There are two lessons here: (1) don’t take photos of yourself in the nude and (2) always use two-factor authentication. (TFA only works on iOS 9 or OS X El Capitan or newer.)
Now people who have not done item (2) find themselves under possible threat from the Turkish Crime Family of hackers. They claim to have access to 250 million iCloud accounts. They say they will change all those passwords on April 7. The group is holding Apple to ransom for $700,000. One wonders why Apple does not just do as LinkedIn did, which is change everyone's password now. But their threat is perhaps overblown, according to Apple.
Apple says this is not a new threat, as the hackers appear to be using passwords and email addresses they got from some other site that was hacked. Obviously lots of those passwords are going to work on iCloud since people tend to use the same password everywhere.
As for using some automated way of hacking those accounts, it seems doubtful that they could muscle their way through the iCloud Captcha screen without raising alerts at Apple. (There are machine learning techniques to do that.)
And the hacker is going to need the victim's cellphone, which they will not have, if they try to recover a lost password.
To boost their claim that they really have those passwords, the hackers have shown they can log into some accounts. But the key word here is some, says Apple.
Wired weighed in on this situation. Their suggestion is to use a password manager, a really long password, or TFA.
But a password manager only frees people from having to remember their password. It does nothing to enhance security, unless they are using a single sign-on product, like Okta.
Google Chrome has a built-in password manager. So far no one has hacked Google that we know about. As for password managers in general, since you change your Apple ID password on a web page, a password manager will work with that. But they are not for storing the iPhone passcode used to unlock the screen. Once you have unlocked the phone you do not need to enter a password to access iCloud. That is one issue here: since the iPhone will sync your photos to the cloud automatically, people do not tend to give much thought to their password there. The Apple ID is not commonly used for email either, unlike Google mail, giving another reason people do not often think about it. And who uses iTunes when we have Spotify?
Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.