iCloud not compromised in Apple ID attack: Apple

iCloud not compromised in Apple ID attack: Apple

Summary: Apple has produced a minuscule response to the Apple ID attack that began affecting Australian and New Zealand iCloud users yesterday.

SHARE:
TOPICS: Cloud, Apple, Security
34

Almost a day-and-a-half after a number of Australian users reported finding their iCloud connected devices locked, with a message asking for money, Cupertino has finally acknowledged the situation.

In a short statement, the company said that iCloud was not compromised, and users should change their Apple ID password.

In full, Apple said: "Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."

Affected Australian users woke up yesterday morning to find their phone, tablet, and even desktop or laptop, showed a message originating from Apple's find my device service stating "Device hacked by Oleg Pliss" and asking user send US$100 to unlock the device.

It is presumed that the attackers gained access to users' Apple ID credentials, and from that point on, have been able to access the Find My iPhone service to lock the devices.

The root cause of the attack has yet to be identified, with a community Apple support thread morphing into a group investigation in an attempt to pin down any commonalities between users.

Users from Australia, New Zealand, Canada, and the US report being hit by the attack.

The attack arrives as reports surface that Apple is set to unveil a home control system at its annual WWDC conference next week.

Topics: Cloud, Apple, Security

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

34 comments
Log in or register to join the discussion
  • Ebay?

    Let me speculate. Their contact details in the recently stolen ebay database used an apple address and they used the same password for ebay and their AppleID? And their password was so weak the hash could be broken by a dictionary attack?
    Sacr
    • IOs is intrinsically insecure

      Apple should have addressed this before it got it off hand.

      Good reason to stay away from IOs.
      Uralbas
      • Off Hand?

        You must not live in the age of the internet. Things get off-hand in minutes here. Not that I'm defending Apple, as their denial and instant statement of "we did no wrong" is very bad. But you have to realize that this statement is about as fast as any company can respond to issues reported in today's lightning fast internet.
        Narg
      • Off hand...

        I'd say you don't have a clue except for making unsubstantiated generalisations. But then it is you after all.
        frogspaw
      • Ridiculous.

        Apple should have stopped another company from being hacked, or users from using the same user ID and password for apple and other services just how now?
        ossoup
    • ebay passwords were encrypted

      the passwords they stole from ebay was not usable as the breach was thru employee access.
      they could reset passwords but would not have been able to decode existing user passwords.
      warboat
      • decode passwords

        Yes, they would have been able to decode existing passwords quite easily, especially weak ones. Google "Dictionary Attack", and if you don't mind math "Rainbow Table".
        Sacr
        • decode passwords

          It's easy to capture the hashes and since most organizations and people use the same passwords to often, the hacker just logs in with the hashes (doesn't have to decode them) and gains access to entire networks and servers.
          wgcross2
        • salting

          Rainbow tables are useless if they salted the passwords prior to hashing them, which is pretty standard practice.
          TheAlbinoEthiopian
          • except when it's not

            I haven't heard any confirmation that the eBay passwords were salted. In at least one recent major breach (don't recall which) the passwords were not salted. Usually the press release simply says passwords were "encrypted" but they don't offer any info as to how they were encrypted or whether they were salted.
            frylock
      • Last year IOs had an eBay issue

        Every few months IOs had issues.

        The SSL big in IOs would always default to meeting anyone in.

        The amount of critical IOs security issues that have happened in the past two years have shown that you should never use IOs if you want zome security.

        Now, other OSs aren't much better, though the user can encrypt their device and data, and security breaches on Android have mostly been taken care of by Google fast. Those that used none Google websites have suffered the most.

        Though hackers may have started to realize that they can make more money on IOs, because of its demographics. When and if they do, that shall become a headache for Apple and is customers.

        I disapprove of any of these methods, though there are so many bored users and nasty organizations dedicated to this, we are all targets no matter what OS you use.

        Apple's tries to manage public perception, leaving IOs users at risk (ssl problem) then takes an eternity to address these security issues. This makes IOs intrinsically unsafe.
        Uralbas
      • ebay passwords were encrypted

        You've got to be kidding. If you think passwords can't be cracked, I've got a bridge in Brooklyn I'll sell you cheaply.
        wgcross2
      • Severely Uninformed

        If you have a list of "encrypted" passwords with common hashes, it's pretty easy to apply that has to a dictionary, if you have not already, and cross referenced. Also, you can see the people who have short weak passwords and go from there.
        ossoup
        • Please forgive quick spell check issue

          I just couldn't believe you actually said that. A loose database of user IDs and passwords is a security risk, even if they are "encrypted". You should know better, and please don't focus on silly grammar/spelling errors. You should know better.
          ossoup
  • iPropaganda

    The official response is late and misleading, not least because Apple ID provides access to iCloud, from a corporation more concerned with playing down the issue to preserve its image than with protecting and informing customers.
    timacheson
    • "iPropaganda" says well known Microsoft worshipper

      "iPropaganda" says well known anti-Apple propagandist/creep and Microsoft worshipper Tim Acheson.
      zato_3@...
    • Same old

      If the same old is different I would be real surprise but it is the same old from good ole timacheson.

      What do I expect from an iHater.
      AdanC
    • Hey Cowboy Tim...

      How's the self congratulatory blog these days?. I guess with Microsoft being so defensive these days, you've got other things to think about.
      frogspaw
    • When your PR department is bigger than R&D

      You fix issues with PR
      warboat
      • Obviously a misinformed rampage

        So another company gets hacked. If their security was light enough to be hacked for months and they didn't know, I imagine they're using a weak standard hash for their passwords too. And if people are uninformed enough to use the same account credentials they do for apple services, I really don't know how you turn this to a blind rage against apple.
        I'd be mad at the hackers, ebay for taking so long to find the leak and let people know, but blaming apple for this regardless of their PR department crosses the border of fanatical blindness.
        ossoup