Apple iCloud hack threat gets worse: Here's what we've learned

Hackers are threatening to remotely wipe an unknown number of iPhones, iPads, and Macs unless Apple pays a ransom. The picture is becoming clearer. This is what you need to know.
Written by Zack Whittaker, Contributor

Hackers are demanding Apple pay a ransom in bitcoin, or they claim they will remotely erase millions of customer iPhones, iPads, and Macs.

We first noted a few days ago several loose ends and nuances to consider in this developing story. New reporting by ZDNet paints a slightly clearer picture.

A new analysis of a larger set of purportedly stolen accounts confirms that a growing number of Apple customers are at risk of having their devices attacked by the hacker group.

We also now believe we know where the data came from, bolstering the theory that hackers obtained millions of passwords from other previously hacked websites and services.

In case you need a recap to get up to speed, a London-based hacker group, calling itself the Turkish Crime Family, has claimed to have access to 250 million accounts. The group is threatening to reset the passwords on those iCloud accounts and remotely wipe customer devices if Apple doesn't pay a ransom by April 7. The hackers have approached multiple outlets, likely in an effort to add weight to the extortion attempt, as noted by Motherboard, which first reported the story.

Apple said in a brief statement to sister-site CNET that it hasn't been hacked and the data came from "previously compromised third-party services."

The hackers don't dispute that point; they too deny any direct breach of Apple's systems and say the accounts come from other sites and services. (The logic goes that if someone used the same password on several sites, they probably used it as their iCloud password, too.)

But that doesn't negate the hacker group's threat of logging in with those valid accounts to remotely erase customer iPhones, iPads, or Macs, causing a catastrophic loss of personal data.

We have continued to dig into this story for the past few days, during which we obtained more data from the hacker group and spoke to more victims, and we believe we have some idea where the data came from.

First time around, we were given 54 credentials, all of which we confirmed to be valid accounts. (You can learn more about how we verify data breaches here.) Ten people in that list responded and confirmed that their passwords were accurate -- and have now been changed.

This weekend, we obtained a larger list of about 70,000 purported iCloud accounts from the hacker group, which came to a few thousand fewer once duplicates were removed.

Our approach was to pick 100 accounts from the larger list at random and check whether they, too, were valid. If so, that would give a better sense of the scale of the hackers' threat.

We started working to contact account owners. Cursory checks showed that many of the "icloud.com," "me.com," and "mac.com" accounts in our randomly selected sample were no longer registered with iMessage and could not be immediately reached.

Eventually, we reached out to 65 people, of whom 20 responded. Two people declined to comment. Three people said the password listed for their account was wrong or had never been accurate. In total, 12 people confirmed that their password is, or was at some point, accurate.

It's tough to make perfect determinations given our limited resources. But it's clear that while some of the data is inaccurate, the list of confirmed valid accounts is growing, and it isn't confined to a small, cherry-picked set of accounts.

We provided the new batch of records to Troy Hunt, owner of breach notification site Have I Been Pwned, to analyze.

Hunt's analysis showed that over 99.9 percent of the records matched an account already in his database. Most of the accounts matched the Evony data breach from June 2016, while data from the 2012 breaches of Last.fm and the LinkedIn social network was also likely used to construct the hackers' iCloud data set.
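The attribution step described above, as an added example (not ZDNet's or Have I Been Pwned's code): normalise and de-duplicate a purported credential list, match each record against earlier breach corpora, and report which breach contributed most and whether the listed password is the same one leaked there. The breach names are taken from the article; every address, password and corpus entry below is constructed for illustration, and the corpora are held as SHA-1 hashes so the plaintext from the purported list can be checked without keeping plaintext copies.

```python
"""Attribute a purported "iCloud" credential list to earlier breaches.

Added example, not the article's or Troy Hunt's code. All data here is
constructed: the breach corpora and the purported list are toy samples.
"""
import hashlib
from collections import Counter


def normalize_email(addr: str) -> str:
    """Lowercase and strip whitespace; the same address appears with
    different casing across dumps and would otherwise fail to match."""
    return addr.strip().lower()


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def dedupe(records):
    """Drop duplicate (email, password) pairs after normalising the address;
    returns unique pairs in first-seen order."""
    seen = set()
    out = []
    for email, pw in records:
        key = (normalize_email(email), pw)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def attribute(records, breaches):
    """For each unique record, find which breach corpora contain the same
    address and whether the listed password equals the one leaked there.

    breaches: {breach_name: {email: sha1_hex(password)}}
    """
    unique = dedupe(records)
    matched = 0
    by_breach = Counter()        # address seen in this breach
    password_matches = Counter() # address AND password seen in this breach
    unmatched = []
    for email, pw in unique:
        hits = [name for name, corpus in breaches.items() if email in corpus]
        if not hits:
            unmatched.append(email)
            continue
        matched += 1
        for name in hits:
            by_breach[name] += 1
            if breaches[name][email] == sha1_hex(pw):
                password_matches[name] += 1
    return {
        "unique": len(unique),
        "matched": matched,
        "matched_pct": round(100.0 * matched / len(unique), 1) if unique else 0.0,
        "by_breach": dict(by_breach),
        "password_matches": dict(password_matches),
        "unmatched": unmatched,
    }


# Constructed breach corpora (names from the article; contents invented).
BREACHES = {
    "evony": {
        "alice@icloud.com": sha1_hex("hunter2"),
        "bob@me.com": sha1_hex("letmein1"),
        "carol@mac.com": sha1_hex("Passw0rd"),
    },
    "lastfm": {
        "bob@me.com": sha1_hex("letmein1"),
        "dave@icloud.com": sha1_hex("music123"),
    },
    "linkedin": {
        "carol@mac.com": sha1_hex("different!"),
    },
}

# Constructed purported list, as an extortionist might hand it over: mixed
# casing, stray whitespace, one duplicate, and one address with no known source.
PURPORTED = [
    ("Alice@iCloud.com ", "hunter2"),
    ("bob@me.com", "letmein1"),
    ("BOB@ME.COM", "letmein1"),
    ("carol@mac.com", "Passw0rd"),
    ("dave@icloud.com", "music123"),
    ("erin@icloud.com", "nothing-known"),
]


def run():
    return attribute(PURPORTED, BREACHES)


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

An address-only match says just that the address appeared in an earlier breach; a password match is the stronger signal that the list was assembled by assuming reuse, which is the claim the article is testing. Here the sample yields 5 unique records, 4 matched (80 percent), Evony as the largest contributor, and LinkedIn's entry for carol matching on address but not on password.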

A list of databases allegedly collected by the hacker group appears to contain hundreds of entries.

But, while some of the nuances have been ironed out, some loose ends and questions remain.

We still have no idea exactly how many Apple customers might be at risk, something that the hacker group has been inconsistent in communicating.

A representative of the hacker group said it has in the region of 250 million "confirmed" working iCloud accounts out of roughly 750 million credentials in total, most of which it says it has not yet checked.

Security experts have doubted the sheer numbers the group claims, arguing that credential stuffing (trying credentials leaked from one service against another) could be used to assemble a convincing number of valid accounts in support of the group's effort to extort Apple for a ransom.

One point that hasn't been disputed is that the hackers may still hold enough valid credentials to get into thousands -- if not millions -- of Apple accounts and the devices tied to them.

In the meantime, concerned users should change their Apple iCloud passwords, especially if the same password has ever been used on another site. We have a simple guide on how to do that, and we have more security advice here. Those using two-factor authentication or Apple's trusted device system should be protected, since a password alone would not be enough to sign in.

Short of that, it's looking more likely that Apple will have to step up and take preventative action.

When reached, an Apple spokesperson would not comment over the weekend but referred to the company's earlier statement.
