
Apple Devices Held For Ransom, Rumors Claim 40M iCloud Accounts Hacked; Apple-Related Forums Compromised (csoonline.com) 73

Steve Ragan, reporting for CSOOnline: Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian. Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts. Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple." The message goes on to state that the alleged breach was conducted by a Russian actor, and vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money." In a separate report, the publication reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and their databases are now being sold on the Darknet. While nothing is confirmed, there is a possibility that some of the rumored 40M compromised Apple ID credentials may have come from these forums, or from LinkedIn's recent hack.

  • the publication reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and their databases are now being sold on the Darknet. While nothing is confirmed, there is a possibility that some of the rumored 40M compromised Apple ID credentials may have come from these forums, or from LinkedIn's recent hack.

    People who post info on social media are fools!

    Oh. Wait.

    • Re: (Score:2, Insightful)

      by NatasRevol ( 731260 )

      This doesn't even make sense. There's no way these sites were using AppleID accounts, or collecting them.

      Now, reverse engineering based on login is possible, but that's user stupidity, not Apple's fault that people use the same log in for multiple things.

      • by amicusNYCL ( 1538833 ) on Friday July 08, 2016 @05:18PM (#52474743)

        This doesn't even make sense. There's no way these sites were using AppleID accounts, or collecting them.

        Seriously, it is not even in the realm of things that are possible that someone who prefers using devices that are marketed as "it just works" would use the same credentials on multiple services. In fact, such a thing is literally inconceivable. It's so inconceivable that I don't even know what I'm talking about. None of this makes sense.

        • by Gr8Apes ( 679165 )

          In fact, such a thing is literally inconceivable. It's so inconceivable that I don't even know what I'm talking about.

          You keep using that word, I do not think it means what you think it means

        • Oh, yes. You have a great point. I'm sure O N L Y Apple users do this...

          • There is a very, very large amount of middle ground between "It couldn't possibly be Apple" and "It could only be Apple". You're the only one going to these two extremes.
        • Interesting. I make six figures using devices that "just work". So do most people working in Silicon Valley. Clearly I must be a moron incapable of having good passwords. So are all the smart people on Windows? Just curious.

    • People who post info on social media are fools! Oh. Wait.

      No worries, this is Slashdot. This is anti-social media.

  • Who is responsible for devices getting hijacked? With PCs you can argue the end user is responsible for what is done with the machine. For more locked down devices is the manufacturer ultimately fully responsible for the function of the device?

    There will be legal lawsuits for sure. Class action and individual.
    A bigger question will be what view does the public take? Do they blame themselves or the manufacturer?

    • If the company was hacked and the passwords were stored insecurely, then it is responsible. If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable. They didn't decide your password. They allow you the freedom to set it yourself. Don't be a fool and split passwords among various services. Seriously.

      You can't complain when it has been
      • If the company was hacked and the passwords were stored insecurely, then it is responsible. If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable. They didn't decide your password. They allow you the freedom to set it yourself. Don't be a fool and split passwords among various services. Seriously. You can't complain when it has been repeated so often NOT TO USE COMMON PASSWORDS. YOUR SECURITY IS THAT OF THE WEAKEST PASSWORDS. You can't complain because you failed to enable two-factor. You can't complain if your password was easy to guess and the attackers guessed it (you can if the company allows millions to be tested without locking out your account and blocking the attack, this is a brute force password break, and should be mitigated in authentication software).

        Ahh, because when you visit icloud.com your monitor will eject a fingerprint scanner for you to use. I forgot about that feature!

      • by DRJlaw ( 946416 )

        If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable.

        Foreseeable consequence of disclosing the password, so whether the first company can be held accountable is very much open to debate, unless they've had the foresight to drop something appropriate into their terms and conditions. Even then, the FTC has a few things to say concerni

      • Ugh, no.

        Use weak, shitty passwords for weak services. Who cares? Let them take your forum account. Use the same dumb easy to remember password in as many places as you can get away with so you can remember a strong password for each important service.

        It's hard to remember a lot of passwords, and some things aren't worth protecting, honestly. It just takes up headspace to try. But make sure you've got something good when it counts and don't use it anywhere else.

        • No... just no.

          Use a good password manager instead, one that uses an encrypted database. Store that database on a cloud sync service such as Dropbox or OneDrive so you can share it among your devices. Even if the cloud service is compromised, your data is safe and you still have your local copies, and you only have to remember a small number of passwords.

  • Let's be clear... (Score:5, Insightful)

    by friedmud ( 512466 ) on Friday July 08, 2016 @03:49PM (#52474239)

    These are not "compromised Apple ID credentials"... they are compromised email addresses and passwords for OTHER mac/apple related websites... so if you're dumb enough to reuse your Apple ID email address and password on those sites they might match up.

    • If you have a set of Apple ID credentials, and someone steals credentials from another site and then notices they also work on the Apple service, wouldn't you call that a compromised set of Apple ID credentials?

  • What hack? (Score:5, Informative)

    by ilsaloving ( 1534307 ) on Friday July 08, 2016 @04:14PM (#52474423)

    I read this, thinking, "What hack?" cause I haven't had any issues at all. Then I realized what actually happened. This sounds like the same thing that happened with the supposed hacking of Teamviewer. It was a matter of people reusing the same credentials in multiple locations, so as soon as one low-security place is compromised, you're still screwed in other places even if they have high security.

    All I can say is that, today, you *have* to use either MFA, a personal password database, preferably both. I use 1password to store all my passwords, and Duo Security (free for personal use) for MFA. There are other options as well, such as Google Authenticator for MFA, or KeePass for password storage.

    1password is relatively expensive, but it's virtually hassle free and will let me sync my db across all my devices (Linux is read-only, unfortunately) and integrates with all major browsers. I don't use KeePass, but IIRC it works on all platforms including Linux, but its browser plugins are lacking.

    The most important aspect of password databases is that they let you generate a very long, random password that is unique to the site you visit. You don't care what the password is, because you can just call it up from the database, but it makes your account essentially unhackable (provided the site you're accessing doesn't do something stupid like store the passwords in plain text).

    This is 2016, not 1970. People can no longer afford to be naive about password management anymore. It would be nice if articles like these could take a couple moments out of their breathless handwaving to let people know that these options exist.

  • You KNOW I hate Apple. This just makes me smile. I know you hate making me smile, so what gives?
  • Someone reset my Apple ID password on February 27th 2016. Do you think it could be related?

    Account has since been recovered and as far as I can tell nothing else was changed.
