As posted on iCloud wasn’t hacked for ransom, but you should make sure to keep your account safe, anyway
Earlier this week, a sketchy group of hackers made a bold claim: they had access to hundreds of millions of Apple emails. They then threatened to wipe user data from 200 million iCloud accounts if their ransom demands aren’t met by April 7.
The group, which calls itself the Turkish Crime Family (TCF), made those threats through its Twitter handle and an aggressive campaign to convince journalists to cover the story. The threats were first reported by Motherboard.
Apple reps issued a statement to Fortune clarifying the reports as the story developed. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services,” the spokesperson said.
The TCF certainly hasn’t proven to be a group of criminal masterminds—the group has offered multiple conflicting accounts of its plans and demands, and its members have directly contacted reporters, myself included, with multiple statements claiming the group has already ousted rogue members for sharing incorrect information.
Still, the TCF’s claims and threats haven’t totally been put to rest. Apple did confirm that a cache of compromised Apple ID info does, in fact, exist—it just didn’t come from a direct iCloud breach.
Instead, the affected users’ info was compiled by the hackers from multiple databases, which they got from separate, previous online security breaches (like Yahoo’s from last year). Profile data obtained from those breaches is sold on the dark web, and buyers like TCF run the info through criminal AI programs to trigger credential stuffing attacks, finding accounts that use the same login credentials on multiple web services. In other words, iCloud users who reuse the same password for more than one thing on the internet are going to be the most vulnerable of the affected accounts.
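From the defender's side, the credential stuffing pattern described above shows up in login records as one source trying many different accounts, mostly failing, with a few hits where a leaked password was reused. The following Python is an added example, not code from the original article or from Apple; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, success).
# IPs are from documentation ranges; accounts are made up.
SAMPLE_EVENTS = [
    ("203.0.113.7", "ann@example.com", False),
    ("203.0.113.7", "bob@example.com", False),
    ("203.0.113.7", "cat@example.com", True),   # reused password: login worked
    ("203.0.113.7", "dan@example.com", False),
    ("203.0.113.7", "eve@example.com", False),
    ("203.0.113.7", "fay@example.com", False),
    ("198.51.100.20", "gus@example.com", False),  # owner mistyped once
    ("198.51.100.20", "gus@example.com", True),
    ("192.0.2.44", "hal@example.com", False),     # guessing at one account:
    ("192.0.2.44", "hal@example.com", False),     # brute force, not stuffing
    ("192.0.2.44", "hal@example.com", False),
]

def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions. A production detector would
    also bound the events to a time window before counting.
    """
    tried = defaultdict(set)      # ip -> accounts attempted
    succeeded = defaultdict(set)  # ip -> accounts where a login worked
    for ip, account, ok in events:
        tried[ip].add(account)
        if ok:
            succeeded[ip].add(account)

    flagged = {}
    for ip, accounts in tried.items():
        success_rate = len(succeeded[ip]) / len(accounts)
        if len(accounts) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = {
                "accounts_tried": len(accounts),
                # These accounts accepted a password the source supplied,
                # so they are the ones that need a forced reset.
                "reset": sorted(succeeded[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

The successful logins inside a flagged source matter most: those are accounts where a password leaked elsewhere also worked here.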
ZDNet took a closer look into the TCF’s claims and obtained a set of 54 account credentials from the group’s alleged cache of over 750 million emails. After confirming that the credentials were valid using Apple’s password reset page, the site was able to contact ten of the affected account holders. All ten people, who were based in the UK, told ZDNet that the passwords were correct, and that those same logins were used for several different online services.
We reached out to Apple for its latest comment on the controversy. A spokesperson reminded us again that none of Apple’s systems were ever breached, and told us the situation’s being handled.
“We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved,” they told us via email. “To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”
So how exactly can you follow Apple’s advice and shore up your accounts? Let’s go through the process, step by step.
1. Change your Apple ID password. NOW.
The first thing you can do to protect your iCloud account is change your Apple ID password. Now. It’s easy—just go to Apple’s reset page, enter your account information, and set up a new password that you’ve never used before for any other online service. Seriously, don’t be a password repeater—that’s how this mess started in the first place.
Once you’ve changed your password, keep it secure. Don’t use it again on any other service—and don’t just take this advice for iCloud. You can keep track of all your passwords using an online manager like LastPass or 1Password, or if you’re really paranoid, just write them all down, and keep ’em in a very, very safe place.
2. Set up two-factor authentication.
You can set up Apple’s two-factor authentication feature to add an extra layer of security. Even if a hacker somehow obtains your password, you’ll be able to keep them from accessing your account from new devices you don’t trust.
You’ll need to designate a phone number or trusted device to receive a verification code every time you sign into a new device.
After you enter your password to log in, you’ll be required to enter the verification code sent to that designated phone number on your new device.
For older Apple products (those not running iOS 9 or OS X El Capitan or later), you’ll need to use two-step verification, an older, less-secure safeguard that only requires you to clear the verification code on your trusted device. Apple product owners with multiple generations of devices could have some difficulty with the incompatible systems—but you should still apply the extra safety steps as best you can, as soon as you can.