Leaked iCloud credentials obtained from third parties

Apple is confident its iCloud and Apple ID services haven’t been compromised, reports Lucian Constantin

iPad & iPhone User - News

A group of hackers threatening to wipe data from Apple devices attached to millions of iCloud accounts didn’t obtain whatever log-in credentials they have through a breach of the company’s services, Apple said. “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” an Apple representative said. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

A group calling itself the Turkish Crime Family claims to have login credentials for more than 750 million icloud.com, me.com and mac.com email addresses, and the group says more than 250 million of those credentials provide access to iCloud accounts that don’t have two-factor authentication turned on.

The hackers want Apple to pay $700,000 – $100,000 per group member – or “$1 million worth in iTunes vouchers.” At the time of writing, they threatened to start wiping data from iCloud accounts and devices linked to them on 7 April.

In a message, the group said it also asked Apple for other things that it doesn’t want to make public.

“We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved,” the Apple representative said. “To protect against these type of attacks, we recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”

The hacker group confirmed there has been no breach of Apple services and hinted the leaked credentials were obtained through compromises on third-party websites.

To some extent, that would be possible because many users reuse their passwords across multiple websites and because most websites ask users to log in with their email addresses. However, the unusually high numbers advanced by the group are hard to believe.

It’s also hard to keep up with the group’s claims, as at various times it has released conflicting or incomplete information that it has later revised or clarified.

The group claims that it started out with a database of more than 500 million credentials that it has put together over the past few years by extracting the icloud.com, me.com and mac.com accounts from stolen databases its members have sold on the black market.

The hackers also say that since they made their ransom request public a few days ago, others have joined in their effort and shared even more credentials with them, putting the number at more than 750 million.

The group claims to be using 1 million high-quality proxy servers to verify how many of the credentials give them access to unprotected iCloud accounts.

Apple provides two-factor authentication for iCloud, and accounts with the option turned on are protected even if their password is compromised.

The latest number of accessible iCloud accounts advanced by the Turkish Crime Family is 250 million. That’s an impressive ratio of one in every three tested accounts.

“I think the whole thing is a beat-up,” security expert Troy Hunt, creator of the HaveIBeenPwned.com website, said by email. “At best they’ve got some reused credentials, but I wouldn’t be surprised if it’s almost entirely a hoax.”

He hasn’t seen the actual data that the Turkish Crime Family claims to have, and there isn’t much evidence aside from a YouTube video showing a few dozen email addresses and plain text passwords. However, he has significant experience with validating data breaches and has seen many bogus hacker claims over the years.

To be on the safe side, users should follow Apple’s advice and create a strong password for their account and turn on two-factor authentication or two-step verification at the very least.
