Have iCloud passwords been stolen?

Security vendor Kaspersky has warned users of Apple’s iCloud service to change their passwords immediately. This is because there is a rumour that 40 million iCloud accounts have been compromised.

The source for Kaspersky’s blog is an article on CSO Online. This article reports Apple users claiming that their devices have been locked. The user sees the Find My iPhone app and a ransom demand written in Russian. Anyone experiencing an attack of déjà vu?

In 2014 Oleg Pliss was a hacker who claimed responsibility for an identical attack to this one. He attacked phones in Australia and then moved on to attack phones in the US. In the latter attack the price to unlock devices was $100. In June 2014 two Russian nationals were arrested for that hack including Pliss. Their arrests by the Russian Interior Ministry soon put an end to the attack. Has Oleg been released? This re-emergence of his attack would suggest yes.

CSO Online now says that since February this attack has been happening again. It cites several cases where users across the US have had their devices locked. Users either pay up or do a full factory reset. This means losing all their data but they at least regain control of their devices.

How has this happened?

Hackers are using compromised Apple IDs to gain access to users iCloud accounts. Once in, they enable the Find My iPhone feature and put up a custom message. This message contains information on how to pay the hacker.

Does this prove iCloud has been hacked? Not in this case. There have been a number of huge data dumps over the past few months. These contain stolen data from online services some of whom allow customers to use their Apple IDs to connect with them. Using data mining, hackers get a list of usernames and passwords. These credentials are then used as a brute force attack against all accounts linked to that user. With many people reusing passwords the chances of a successful breach is good.

It is always possible that this data did come from an older iCloud breach back in 2014. At that time Cult of Mac reported on an attack that made it possible for hackers to gain iCloud credentials. Apple did issue a patch but not until the attack was live and months after being warned of the vulnerability. If this attack includes any accounts from that breach then it shows users did not change their security credentials.

More than just about locking a device

There is more at stake here than just having no access to iCloud and devices. This attack gives hackers access to any data that the user has stored in iCloud including backups. It would not be a big jump for them to simply restore user backups to a new machine. They can then copy off all the user data. For corporate users this could lead to a huge problem.

It is also possible for hackers to add another device to the account and then authorise it to access iCloud Keychain. This would give them access to all saved passwords for online services. There is no evidence hackers have yet to do this which only means that there are no reports of this happening.

Conclusion

Apple has always prided itself on its security. That has led to a feeling of safety among users of its devices. The problem is that this is a sense of false security. Attacks against Apple devices, while small, are rising rapidly. The number of new attacks focused on Apple devices in 2016 is already well ahead of 2015. That year was already the highest on record.

Users should change their passwords regularly as a matter of course. Irrespective of whether this attack is using old or new data, change your password and add two-factor authentication. For those users who worry about remembering strong passwords don’t panic. All the security vendors covering this attack are using it to market their own password managers. Every dark cloud holds a silver lining and security vendors want your money as much as hackers.