Apple Responds to Hack Threats, Says There Were No iCloud or Apple ID Breaches

[MrX8503]

I use 1password and turn on 2FA on every account that has it.

A popular hack to be aware of are accounts with credit cards that don't require re-authorization. For example Groupon and Starbucks does not require re-authorization to use your credit card.

Don't save your CCs anywhere except for Apple or Amazon. Use Apple Pay instead if you can. I removed my CCs from Starbucks, Groupon, Lyft, and Uber.

 

[wjw0111]

I've used 2 factor for a while now and not just Apple. I tried to recommend it to a few people I know, but some of them told me it's too much trouble. Some people have to learn a lesson.

Yeah, I think the companies will just need to make it mandatory to get the stragglers all on board.

 

[Sefstah]

How are they blaming others? They're just saying people use the same user name and passwords. There was no actual scraping of user names and passwords from iCloud database is what Apple is saying. How the heck is that Apple's fault if people use the same username/passwords?

He's right, Apple always points the finger first instead of taking responsibility when it should. #AntennaGate #BendGate...

 

[wjw0111]

He's right, Apple always points the finger first instead of taking responsibility when it should. #AntennaGate #BendGate...
Btw, why are taking it so personal?! Relax dude

Hehe... you're silly! #Silly

 

[Roadstar]

Apple's geolocation seems to be really unreliable - when I log in legitimately, it tells me that someone's tried to log in from a completely different part of the country.

I've had the same happen to me. When the location is 100km off, it's not as useful as it could be. Well, I guess I should be happy it gets even the country right.

 

[dotnet]

It's the Russians! Ask anyone.

 

[Michaelgtrusa]

Years in prison if caught.

 

[ke-iron]

Interesting. I got an automated call today saying my Apple ID was compromised blah blah blah, I hung up the phone because it sounded bogus and I'm sure it was. I currently do not have 2 password authentication enabled and I don't think my account will be hacked simply for the fact that I do not log into my iCloud on public computers but only on my personal devices. Only I know my ID, it is not shared with anyone else. The last reason is my Apple ID is unique and is 18 characters long compared to my other account passwords, it isn't used anywhere else but for my Apple ID.

 

[Floris]

Apple's geolocation seems to be really unreliable - when I log in legitimately, it tells me that someone's tried to log in from a completely different part of the country.

That's just your split personality

 

[ZMacintosh]

Had an odd occurrence the other day where on some of my devices were completely signed out of iCloud services/messages/FaceTime, but others were not affected, and no indication of signing in elsewhere or notifications otherwise, really odd.

 

[Watabou]

He's right, Apple always points the finger first instead of taking responsibility when it should. #AntennaGate #BendGate...
Btw, why are taking it so personal?! Relax dude

And none of them were remotely a problem. Also, imagine you running a company and someone goes around threatening you to fork over cash and there are news articles claiming that your system got hacked. How would you respond to this when you know your database was in fact, not hacked, but a result of people using the same combination of username and passwords? Where would you point your finger then?

And I don't see how you could think I took that comment personally.

 

[dave2010]

Seems like the hackers don't have evidence if Apple have come out and said this. Given the potential huge reputation damage to Apple, I'm sure they are on top of this iCloud security as much as Google is.

 

[MH01]

interesting scenario , if true, so let's assume it's happened, apple can say it was a 3rd party cause the reputation hit will be massive. So attackers would need to provide evidence how they did it and not just emails and passwords. This will either become a non event very quickly or make the Samsung note 7 batteries issue trivial.

As for the rest if us, make sure you have 2 factor on.

 

[bushman4]

Doubt they have anything. If they were real they would be asking for millions

rest easy

 

[MH01]

And none of them were remotely a problem. Also, imagine you running a company and someone goes around threatening you to fork over cash and there are news articles claiming that your system got hacked. How would you respond to this when you know your database was in fact, not hacked, but a result of people using the same combination of username and passwords? Where would you point your finger then?

And I don't see how you could think I took that comment personally.

Let me put it this way, when you get hacked there is not a red flashing light telling your its happened with the location of the hack. You would not know if your database was hacked . Would you know if someone copied a few tables onto a USB ? These are tricky situation and often take a very long time to work out how it was done.

Never trust a PR person though. I'm not saying this instance has merit , but you will deny all day long until hard evidence comes out.

 

[canadianreader]

I enabled 2FA just now. I hate hackers they have no life or dignity whatsoever

 

[Abazigal]

600 millions hostage and all they ask for is iTunes credit? I am calling BS right here and now.

 

[Tech198]

lol.... Not much credit in my account.

 

[WarDialer]

I love how Apple's response is basically "LOL, n00b!"

 

[sofila]

This kind of news will be heard more often as time goes by. There will always be some "entrepeneur" looking for easy money and this iper-connected world with billions-devices and users is very tempting

 

[TrueBlou]

The people behind this kind of thing need to be set on fire, it's just evil behavior, whether or not they actually have the details they purport to have. I'm going to venture a guess that this, indeed, isn't a hack of Apple itself, and do simply have some password-reuse email/password combinations from other sites.

Time to turn on 2FA, if you haven't already, and never use the same password in more than one place - get a good password manager (I like 1Password) and use it to keep long random passwords that are separate for every site.

Totally agree (well more or less) the use of long random passwords using lots of alphanumeric characters along with various dashes, exclamations and other punctuation symbols are the best option. Keep them all unique and use 2 factor when it's available.

I don't use 1password or any others though, although I will say they look like a good option, with good security measures. But call me paranoid if you like, but the last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service. I know they have an offline option as well but I'm just too sceptical these days with the continual stream of hacks on websites and services.

I know it's not an option to everyone but I use my own password manager which has security up the wazzo and no internet access whatsoever. When I need to sync between devices it's done locally, off-line, using an encrypted transfer.
Overkill? Probably, but I trust me more than I trust anyone else

 

[hellopupy]

Only asking for 150k in ransom for some 600MM compromised accounts? Empty threat, these guys have nothing.

 

[codyjmiller]

Bitcoin is still alive?
They could have just ask for payment in form of ApplePay instead.

Very much so.

 

[rudychidiac]

Typical Apple. Blame others first then admit to fault later, if ever.

You'd make a good media reporter!

 

[gnasher729]

Originally the group was believed to have access to 300 million icloud.com, me.com, and mac.com email addresses, but that number later jumped to 627 million due to additional hackers allegedly stepping forward to provide account credentials.

No, no, no. Absolutely no. They were never _believed_ to have access to millions of accounts. They _claimed_ to have access.
[doublepost=1490259773][/doublepost]

Would explain this phishing attempt... But I'm not trying to deal with this, I turned on two-factor earlier today.

Dear client...

If Apple sends you an email, they have your name (or at least the name you supplied when you created your AppleID, which may not be your real name). They will address you with your real name. An email starting with "Dear client..." doesn't come from Apple. An email starting with "Dear Aleco" might be from Apple.
[doublepost=1490260216][/doublepost]

Totally agree (well more or less) the use of long random passwords using lots of alphanumeric characters along with various dashes, exclamations and other punctuation symbols are the best option. Keep them all unique and use 2 factor when it's available.

My personal recommendation is a password made of three personal items that _you_ can easily remember of which at least one is secret. Having three items makes brute force password cracking very difficult by sheer length. "Personal items" means that an automated attack against a badly protected database (one that stored hashed but not salted passwords) won't work because your password will be unique. The one secret item makes sure that someone attacking you personally isn't going to get in.

And use a password that is iPhone friendly and easy to type in

Plus use this password on sites that you trust to keep it secret. For example, if you book a hotel and they want some password, use a throwaway password.