Apple has denied that its security has been compromised, following ransom demands from a criminal group that claims it has the usernames and passwords of hundreds of millions of iCloud and Apple email accounts. However, independent verification of samples of this set provided to media outlets indicate that at least some of them are in fact genuine, and that users should be worried.
The relatively unknown organisation calling itself Turkish Crime Family says it will remotely wipe users’ devices and the contents of their accounts on April 7 if Apple does not pay each of its seven members $100,000.
The group has released evidence that it is in contact with Apple’s security team, and has also proactively reached out to various international media organisations to bolster its claims. A public Pastebin post and several tweets describe frustration with reporting of the situation, and clarify that the group never claimed to have hacked Apple directly, but the accounts are genuine and were gathered from multiple insecure third-party sources.
The Turkish Crime Family further claims to be able to reset 150 accounts per minute using 17 scripts running simultaneously on each of its 250 servers, for a total of 637,500 accounts per minute. Those servers have purportedly already verified 250 million of the Apple IDs in the group’s possession, with more being added after checking for simple password modifications such as the capitalisation of the first letter.
ZDNet and TNW have both investigated the situation, and report that while some of the accounts are several years old and not functional, many others are. ZDNet reached out to the Turkish Crime Family and was given a small sample of 54 user IDs and says that Apple’s password reset page accepts them all as valid accounts. ZDNet then tried contacting the users in question, and managed to confirm that ten of the passwords it was given were correct and still in use.
All ten individuals said that they had not changed their passwords since creating their accounts several years ago. One other respondent said that the password in ZDNet’s possession was correct in the past but had been changed by him two years ago, which means at least some of the breach occurred longer ago than that.
Among those contacted, there was no common pattern of ownership of specific Apple devices or using specific iCloud or Apple ID features. While many respondents admitted to using the same password for other major services, three said that their passwords were used only for iCloud, opening up the possibility that this data was harvested from sources other than third-party breaches.
TNW was also provided a sample, and says that it cross-referenced them with accounts known to have been harvested from the massive LinkedIn breach. However, only a few accounts matched, indicating that those users were simply using common email addresses and passwords across services.
No matter whether Apple itself was compromised or not, and whether these credentials have been collated from one breach or multiple sources over multiple years, anyone with an Apple ID should change their passwords immediately and enable two-factor authentication to prevent unauthorised access. This covers Me.com and iCloud.com email accounts, iTunes store accounts, and iCloud itself.