When they introduced 2FA I turned it on and it caused my 3rd gen Apple TV to become almost unusable. Having to enter your password, then a symbol, then the 2FA code, all in the space of a few seconds with that awful remote typing, every single time you switched the ATV on. If they've fixed that, I'll happily turn it back on.
 
No, no, no. Absolutely no. They were never _believed_ to have access to millions of accounts. They _claimed_ to have access.

If Apple sends you an email, they have your name (or at least the name you supplied when you created your AppleID, which may not be your real name). They will address you with your real name. An email starting with "Dear client..." doesn't come from Apple. An email starting with "Dear Aleco" might be from Apple.
My personal recommendation is a password made of three personal items that _you_ can easily remember of which at least one is secret. Having three items makes brute force password cracking very difficult by sheer length. "Personal items" means that an automated attack against a badly protected database (one that stored hashed but not salted passwords) won't work because your password will be unique. The one secret item makes sure that someone attacking you personally isn't going to get in.

And use a password that is iPhone friendly and easy to type in :)

Plus use this password on sites that you trust to keep it secret. For example, if you book a hotel and they want some password, use a throwaway password.
It sounds as though you recommend reusing the strong p/w except for weak sites. A p/w should never be reused or built up in a modular fashion. Given the good p/w manager built into every Apple device (iCloud Keychain, which generates a 15-char complex p/w and autofills it into a site's authentication fields), there is only one p/w that you need to create in a memorable form, your AppleID p/w.
I've had the same happen to me. When the location is 100km off, it's not as useful as it could be. Well, I guess I should be happy it gets even the country right.
I have this too. I think it depends on the head station which connects your ISP to the web.
Totally agree (well more or less) the use of long random passwords using lots of alphanumeric characters along with various dashes, exclamations and other punctuation symbols is the best option. Keep them all unique and use 2 factor when it's available.

I don't use 1password or any others though, although I will say they look like a good option, with good security measures. But call me paranoid if you like, but the last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service. I know they have an offline option as well but I'm just too sceptical these days with the continual stream of hacks on websites and services.

I know it's not an option to everyone but I use my own password manager which has security up the wazoo and no internet access whatsoever. When I need to sync between devices it's done locally, off-line, using an encrypted transfer.
Overkill? Probably, but I trust me more than I trust anyone else :D

"last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service"

This is known as a SPOF, single point of failure. Whether or not you use a p/w manager depends on how much effort one wants to put forth to improve and how much effort they want in daily use. For the folks who reuse passwords, or have a list of unique but weak passwords, etc., the SPOF risk is smaller than sticking with obsolete password designs and use strategy.
 
It sounds as though you recommend reusing the strong p/w except for weak sites. A p/w should never be reused or built up in a modular fashion. Given the good p/w manager built into every Apple device (iCloud Keychain, which generates a 15-char complex p/w and autofills it into a site's authentication fields), there is only one p/w that you need to create in a memorable form, your AppleID p/w.

"A password should never be built up in a modular fashion" - that's nonsense. Your password will have a total entropy which is the sum of the entropy of all parts. Three components each good for 20 bits is as good as one 60 bit component.

And then there's the fun you have with sites that don't accept your auto-generated password, and sites that want the same password in different places that Safari doesn't recognise...

Password reuse is bad if you used your password on a site that gets hacked and stores your password in an insecure way. Use the same password on ten secure sites, no problem. Use the same password on ten secure sites and one insecure site, you've got a problem. So you decide who you trust to keep your password safe and who you don't trust.
 
That would explain my iPad telling me someone in west Sacramento trying to login to my account.

When I needed to reinstall my girlfriend's iPhone, she got a notification that somewhere in the US a person was trying to login to her phone. How is this possible, is the hack the cause for this? Or is it just a bug? Myself I don't think it can be a bug of course.
 
Would explain this phishing attempt... But I'm not trying to deal with this, I turned on two-factor earlier today.

4LfnGnj.jpg

I got the same email, except mine said the supposed hacker was in Russia. Too bad though the IP address was Canadian.

I'm sure though these emails trick a substantial number of users who are firstly a little naive to click embedded links and also can't spot a phoney email address or dodgy looking URL.

My dear wife admitted she might have clicked on the link if presented with one of these emails.
 
Seems like the hackers don't have evidence if Apple have come out and said this. Given the potential huge reputation damage to Apple, I'm sure they are on top of this iCloud security as much as Google is.

It's not about that. They probably do have the account data. Apple is saying there was no direct breach on their side. Implying other service breached accounts such as Yahoo had been tested by the hackers to see if the same credentials worked on iCloud and they found some.

This would work against any service that allows traditional login and credentials are the same.
 
The people behind this kind of thing need to be set on fire, it's just evil behavior, whether or not they actually have the details they purport to have. I'm going to venture a guess that this, indeed, isn't a hack of Apple itself, and they do simply have some password-reuse email/password combinations from other sites.

Time to turn on 2FA, if you haven't already, and never use the same password in more than one place - get a good password manager (I like 1Password) and use it to keep long random passwords that are separate for every site.
Do you have a plan how to remember these passwords?
 
For those people wondering about inaccurate sign in locations, from Apple's website:

"This is an approximate location based on the IP address the device is currently using, rather than the exact location of the device. The location shown might reflect the network you're connected to, and not your physical location."

It's been explained to me that this can show the location of your broadband provider's nearest hub which can be a couple of hundred miles away. So if you get a notification that states it's in the same state or country when you're trying to sign in it's probably you, if it indicates the sign in attempt is from another country then that's suspicious.

https://support.apple.com/en-gb/HT204915
 
When I needed to reinstall my girlfriend's iPhone, she got a notification that somewhere in the US a person was trying to login to her phone. How is this possible, is the hack the cause for this? Or is it just a bug? Myself I don't think it can be a bug of course.

I go to the iCloud website, type in Alonzozo@gmail.com, enter a random password, and if I guessed your email address right you will get exactly that message, except it will say "someone in the UK". Someone tried to login to your phone, and it didn't work. It's very easily possible. Going beyond the "try" is the hard part for any hacker. For that I'd need your actual password, and if you used 2FA (two factor authentication) then there will be a text message on your phone with a six digit key, and I would need that six digit key which I obviously don't have.

There is no hack - these are just clueless kids. There is no bug. Anyone who knows or guesses your AppleID can do this. And you may be one of the millions of people whose email address was taken, so your email and AppleID is really alan.smith124@gmail.com because alan.smith and alan.smith123 were taken. If alan.smit123@gmail.com tries to log in and types the email address wrong, you get this message.
 
I go to the iCloud website, type in Alonzozo@gmail.com, enter a random password, and if I guessed your email address right you will get exactly that message, except it will say "someone in the UK". Someone tried to login to your phone, and it didn't work. It's very easily possible. Going beyond the "try" is the hard part for any hacker. For that I'd need your actual password, and if you used 2FA (two factor authentication) then there will be a text message on your phone with a six digit key, and I would need that six digit key which I obviously don't have.

There is no hack - these are just clueless kids. There is no bug. Anyone who knows or guesses your AppleID can do this. And you may be one of the millions of people whose email address was taken, so your email and AppleID is really alan.smith124@gmail.com because alan.smith and alan.smith123 were taken. If alan.smit123@gmail.com tries to log in and types the email address wrong, you get this message.

I understand what you mean and thank you for your reply.

Though I find it very strange that I get this message at the same time as I'm trying to reset the phone. I understand that I will get a notification if someone enters the wrong password from somewhere else. But why do I get the notification at the moment when I am trying to reset the phone? Hope you understand what I mean.
 
Apple's geolocation seems to be really unreliable - when I log in legitimately, it tells me that someone's tried to log in from a completely different part of the country.

That is because your location is based on your IP address which isn't always local to where you physically are. Causing confusion.
 
It sounds as though you recommend reusing the strong p/w except for weak sites. A p/w should never be reused or built up in a modular fashion. Given the good p/w manager built into every Apple device (iCloud Keychain, which generates a 15-char complex p/w and autofills it into a site's authentication fields), there is only one p/w that you need to create in a memorable form, your AppleID p/w.
I have this too. I think it depends on the head station which connects your ISP to the web.

"last thing I'm about to do is go to all of that trouble and then store all of my most guarded passwords in one centralised location via an internet service"

This is known as a SPOF, single point of failure. Whether or not you use a p/w manager depends on how much effort one wants to put forth to improve and how much effort they want in daily use. For the folks who reuse passwords, or have a list of unique but weak passwords, etc., the SPOF risk is smaller than sticking with obsolete password designs and use strategy.


The point isn't about how good/strong a person's passwords may or may not be. Nor even if every one is unique or not. The point is no matter how good your passwords are, if you then store all of those passwords in any centralised online location, you are potentially just as vulnerable to a hack.
 
I knew it was fake as soon as I saw the amount of money they wanted for that.
And "Turkish Crime Family". Come on.. I almost choked on my coffee as I read that
 
Would explain this phishing attempt... But I'm not trying to deal with this, I turned on two-factor earlier today.

4LfnGnj.jpg

I got the same email, and when I was on my computer, I hovered over the link and it was clearly not Apple. Plus the lack of proper introduction (no name), was another red flag.
 
When they introduced 2FA I turned it on and it caused my 3rd gen Apple TV to become almost unusable. Having to enter your password, then a symbol, then the 2FA code

I started using 2fa last year. No problems on my two AppleTV3's. I also changed my AppleID password awhile ago. Now that was a real pain, there were a bunch of different places that it had to be entered on all my devices. But after I got through that, everything was fine.
 
For 2 months I have had some account locks/freezes; I can't log in to Mail, iTunes or other services.
Then I need to unlock my account manually via a link.

Don't know why this happened.
 
Forgive my ignorance, but isn't a digital transaction, like Bitcoin, like the easiest thing in the world to figure out where the money went?

"I want $1,000,000 on an unmarked Visa Gift card," said the robber
"But, you have to have the Visa number on the gift card."

Maybe I'm missing something...
 
Do you have a plan how to remember these passwords?

The whole idea of 1Password is that it remembers them for you. And your central 1Password database has end-to-end AES-256 encryption and PBKDF2 key derivation. I haven't heard of anyone opening one of those, which news would I guess be massive. I've memorised a 25-character random string for my master password which I never type anywhere - it's meatware. I feel that should be sufficient, though I'm always vigilant - paranoid, even - about social engineering threats.
 
My account actually was locked for "security reasons" today so I have to assume that I was breached / targeted. For anyone more well-versed in this stuff than me, I have a couple of questions that I'm truly desperate to find out:

1. If my account gets locked like this, is it possible that that's actually a good thing insofar as it means the security must've kicked in before any breach actually occurred? My reasoning here being that they either had a password from some other site that didn't match my iCloud, or that their totally foreign IP / location triggered a lock-down. Or is this wishful thinking on my part?

2. Supposing someone did get in, is there any foolproof way for me to know once I regain access to my account (it's currently locked out for 8 hours)? Like, can Apple Support look on their system and go "Nope, I'm 100% sure no-one got in", or "Yep, someone definitely got in"?
 
When they introduced 2FA I turned it on and it caused my 3rd gen Apple TV to become almost unusable. Having to enter your password, then a symbol, then the 2FA code, all in the space of a few seconds with that awful remote typing, every single time you switched the ATV on. If they've fixed that, I'll happily turn it back on.
I had to do it one time on my 3rd gen Apple TV and never again. And it gets unplugged and sits idle for long periods. I plugged it back in last night to watch something on Netflix in the kitchen, and I didn't have to log back in.

And you should be able to use the remote app on your phone to type.
 