Apple ID hacked

Discussion in 'Mac Basics and Help' started by eladnova, Feb 25, 2016.

Tags:
  1. eladnova macrumors member

    Joined:
    Aug 31, 2012
    #1
    Hey all

    wife had an email today from Apple saying her security questions had been updated.

    Knowing that she hadn't actually done this, we assumed her Apple ID was hacked.I quickly changed the password but logging into her iTunes and purchases, the hacker had already run through 40$ buying some Chinese sheep game and a load of in-app purchases for that App.

    I had a few questions on this one.

    Question 1:
    My wife is careful with her passwords and never writes them down or uses them on unsecured networks.
    How likely is this that her account was compromised from the other side of the planet by some guessing or brute-forcing her account?

    Question 2:
    Logging into her iTunes account, I only see her 3 Apple devices she uses. If someone had her credentials, wouldn't another foreign device show up there?

    Question 3:
    If someone has hacked her Apple ID then presumably they can associate it with a device and download all her Apps, Email, Photos etc
    If she HASN"T recieved notice that there's a new device associated with her account - is it safe to say the hacker only bought an app and hasn't actually widespread account access?

    Thanks guys
     
  2. tjwilliams25 macrumors 6502

    Joined:
    Aug 10, 2014
    Location:
    Montana
    #2
    What I would suggest you should do is turn on two-factor verification. That way, even if they know your password, they can't log in without one of your safe devices in front of them. This same thing happened to me a couple of years ago, however I didn't have them buy anything luckily. I've had two-factor verification on my account ever since and haven't had any issues to speak of. It is an extra step when logging into any devices, but I think it's definitely worth it.
     
  3. glenthompson macrumors 68000

    glenthompson

    Joined:
    Apr 27, 2011
    Location:
    Virginia
    #3
    Does she use the same password on other locations or some small variant? All passwords should be unique. If not that's an easy way to get hacked when some other site gets breached. That's why a good password manager like 1Password is important.
     
  4. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #4
    Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.
     
  5. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #5
    You keep storing your 500 unique strong 32 to 50 character long passwords in plain text files then :)
     
  6. ApfelKuchen, Mar 23, 2017
    Last edited: Mar 23, 2017

    ApfelKuchen macrumors 68020

    Joined:
    Aug 28, 2012
    Location:
    Between the coasts
    #6
    First, make sure that mail about security questions isn't a phishing attempt.

    "Hacked" probably isn't the right term. There's almost always going to be a human factor. Brute-force attempts at passwords don't work well, as the password gets locked after about 5 unsuccessful tries. It seems more likely that they managed to obtain the password in a phishing attempt or other kind of human engineering, then needed to reset the security questions so they could make purchases on a new device.

    The weakest link, when you have "standard" security can turn out to be the email address associated with the Apple ID. That can be the key to resetting either password or security questions. If you have any doubts, change that email password, too.

    Questions 2 & 3: Device could have been removed from the account after the purchases were made. Of the other data in the account, the thing I'd worry most about Contacts - they can be grabbed in very short order and the account immediately signed out. Damage done, no need for prolonged/repeat access. Contacts provide the info necessary to make subsequent, convincing fraud attempts ("Hi, Grandma Sally, this is Jane. I just got arrested for speeding and need $1000 for bail..."). Sure, photos can also be valuable, but the less celebrity you have, the less value they're likely to have. They take longer to download, longer to analyze for potential value... maybe not worth the effort for a low-profile target.
    --- Post Merged, Mar 23, 2017 ---
    Overall, the benefits outweigh the risk. It's not so much a matter of putting all those eggs into a single basket as it is putting them into a single vault. It makes it easier to use strong, random passwords for the other accounts. Memorizing one ultra-strong password (that is intentionally very different in form from any other password you use) is easier than memorizing dozens of other passwords - all too often, people end up using a system where most passwords are derived from an easy-to-memorize pattern. And in the end, if passwords are to be strong, memorization alone is inadequate. Somewhere, somehow they need to be documented, and that documentation needs to be password protected (and preferably, encrypted).

    The question is, how does someone hack a password keeper? In my case, they'd need physical possession of one of my devices - they'd need to get past my device's passcode or login password, then get past the app password. I don't use cloud for syncing the devices (in part because I'm too cheap to pay for the cloud subscription, in part because it does reduce the vectors of attack).
     
  7. Fishrrman macrumors G3

    Joined:
    Feb 20, 2009
    #7
    Macintouch.com has reported some phishing attempts lately regarding Apple ID, etc.
     
  8. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #8
    Storing it in an encrypted database locally is far safer, if you know what you're doing. I suppose 1Password is fine for most people though.
     
  9. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #9
    I use 1Password, it actually does exactly that. Storing it locally in an encrypted database.

    The argument was that a single password isn't safe, well .. what's the alternative?
    What's the difference between me storing it in 1Password - and you storing it in an encrypted database?
     
  10. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #10
    It also stores it in the cloud, where anyone could potentially access it, and probably will some day. Hence, my point.
     
  11. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #11
    1Password used to be stand alone. And still is. The 'use their .com' subscription model is different, and optional.
     

Share This Page