Let's say I wanted to access iCloud Drive on one of our lab machines? I should NOT get a box that says "allow here is your code" on that macchine. And I do.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Hackers Claim Access to 300 Million iCloud Accounts, Say Apple Refused to Pay $75,000 Ransom
- Thread starter MacRumors
- Start date
- Sort by reaction score
Let's say I wanted to access iCloud Drive on one of our lab machines? I should NOT get a box that says "allow here is your code" on that macchine. And I do.
It isn't a negotiation, it's an extortion, and this is how extortion works. Pay me now before it gets even worse.
I see. I don't think the system was designed with that kind of usage in mind. There really should be different trust tiers. But I guess that would get way too complicated for the average Joe. (It is already pretty messy to set up)
Agreed. Perhaps it was a bug that was fixed, and maybe my iMac gets the code because it is already a known trusted device. I'll try today and see what happens on a machine I have never used before.
Good point. But I never had such call before. I am aware of scam calls that says a Mac or iOS devices needs repair or some other scams.
The automated call specifically said about my apple account, so it got me alarmed.
[doublepost=1490211338][/doublepost]
Obviously I am aware of that. That wasnt the point.
I called Apple because someone has my information (my contact, fact that I have an iPhone, and that I use apple account)
And they said there was a problem with my Apple account (coincidence as this news article came out)
And I never get these kinds of scam phone call. I am very technologically acknowlegeable and I NEVER use my real info when signing up on things
Sounds like bull **** to me.
$75k? For a flaw that big? You'd get more money from Apple for the bug bounty.
Turkish Crime Family?
Someone's being smoking their hooka a bit too much.
$75k? For a flaw that big? You'd get more money from Apple for the bug bounty.
Turkish Crime Family?
Someone's being smoking their hooka a bit too much.
A single hacker or group of hackers who have identified themselves as the "Turkish Crime Family" allegedly have access to at least 300 million iCloud accounts, but they are willing to delete the alleged cache of data if Apple pays a ransom by early next month, according to a report from Motherboard.
The hackers have allegedly demanded $75,000 to be paid in cryptocurrencies Bitcoin or Ethereum, or $100,000 worth of iTunes gift cards, by April 7, or they will reset a number of the iCloud accounts and remotely wipe victims' Apple devices. The email accounts are said to include @icloud.com, @me.com, and @mac.com addresses.
The report said that the hackers "provided screenshots of alleged emails between the group and members of Apple's security team," while the hackers also shared an unlinked YouTube video that seemingly shows proof of them accessing "an elderly woman's iCloud account" and "the ability to remotely wipe the device."
If the screenshotted email is accurate, which it very well might not be, a member of Apple's security team turned down the ransom, noting that Apple does "not reward cyber criminals for breaking the law."Apple did apparently request to see a sample of the dataset, according to the report, but it is unclear if the hackers obliged.
"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," one of the hackers said.
The report should be treated with a healthy dose of skepticism, as these allegations could be untrue, and Apple has yet to confirm or comment on the matter.
Update: The group claims additional hackers have stepped forward and shared additional account credentials, putting the number of accessible iCloud accounts at over 627 million, according to security-centric website CSO Online.
Article Link: Hackers Claim Access to 300 Million iCloud Accounts, Say Apple Refused to Pay $75,000 Ransom
re: the amount. It could be a threshold they came up with that minimizes any sentencing they might get if convicted.
But I have no idea if that even matters.
But I have no idea if that even matters.
Just curious, how do you *know* these things? I may have missed it, but I didn't see where you said they identified you with any personal information. It sounds like a call to a random number saying your account had been compromised. They don't need to know if you have an iPhone or if you have an Apple account. If you have an iPhone and an account, you get worried. If you don't, you dismiss the call as a stupid phishing scheme.
[EDIT] I get dumb phishing calls all the time and I'm certain I haven't given out my number. I'm sure there's some underground list of valid phone numbers out there. I just ignore them.
if it keeps asking for the follow up then you need to log out of iCloud on your phone, then log back in. this just happen to me when trying to switch from 2 step to 2 form. i kept getting that message when trying to turn on the feature to allow the apple watch to unlock my mac. the only way i could fix it was to log out of iCloud on my iPhone, then log back into iCloud on my iPhone... then i had to unpair the apple watch and pair it again. it all works now.
Given that my password is 32 characters long, and I have 2 Factor Authentication turned on, I don't believe the hackers would have a real chance (in this lifetime) of gaining access to my account.
I call random numbers, and then I say "there's a problem with your Apple account and your iPhone". The reply is either "you stupid scammer, I have a Samsung phone" (in that case you'll get a call next week about your Google Store account and your Samsung phone, but I'll hang up for now), or "Oh my god, are there hackers that broke into my iPhone?"
As someone else mentioned, last week I received an email from Apple stating that my icloud account had been accessed by someone in Russia.
Without actually clicking on anything, I looked at the URL that was used to "update password". Looked official. No weird spacing, extra characters or spelling.
However, not wanting to take ANY changes, I logged into my account, changed my password then used the "sign out of all browsers" option on iCloud.
Without actually clicking on anything, I looked at the URL that was used to "update password". Looked official. No weird spacing, extra characters or spelling.
However, not wanting to take ANY changes, I logged into my account, changed my password then used the "sign out of all browsers" option on iCloud.
Probably, but what's to prevent the crooks just deleting the accounts then? How can Apple ever know they've not made copies? There's no way to prove they've deleted what they stole. Even if they paid cash, how do they know they won't go ahead and delete them anyway? If Apple really thinks the crooks have the real thing, Apple's only play is really to invalidate all access (or at least refuse all requests to delete account info), and go thru some tedious re-registration process. I don't see how paying crooks anything would ever work.Even if the FBI had the crooks behind bars, how do they know they've not already been stashed somewhere on the dark net or in a farmhouse in the middle of nowhere? If the breach is real, Apple has a very expensive internal problem to fix as well as a customer relations nightmare. The damage would already be done and way more expensive to correct than what these guys are supposedly asking. It's easy to believe somebody can pillage individual accounts, but surely they'd have very strong 2FA and more for anyone to be able to access the data for 300 million people. You'd think they'd have access patterns nailed down for access requests and have a system in place that would track external access requests and only allow a very few internal systems to access the core data outside that pattern without security's support phones going off immediately and requiring some kind of joint authorization to restore "normal" remote access.
Was it actually an email from Apple?
I've seen some really incredible fakes recently from all sorts of companies.
...or $150,000 in McDonald's gift certificates.
[doublepost=1490224132][/doublepost]
[doublepost=1490225008][/doublepost]
[doublepost=1490224132][/doublepost]
Brilliant. Awesome you posted this. Thank you.Might be a good time to:
1) Make sure you have your own independent backup of all your data in iCloud. You should do this regardless of hacker threats.
2) Change your Apple ID password.
3) Check your signed-in devices list for any devices you don't recognize, and remove them.
4) For the love of whatever deity you believe in, enable two-factor authentication. C'mon, people.
[doublepost=1490225008][/doublepost]
I CANNOT imagine that Apple doesn't have the ability to issue iTunes cards to these Turkish hill people and then zero-out the value of those cards based on the unique codes in the batch of cards they give them.
It's a good thing the people who run phishing scams have no idea how to write. Anyone who is literate would look at that message and realize immediately that it's not coming from a large corporation that can afford copywriters...
[doublepost=1490225157][/doublepost]
No way that was real.
A real e-mail from Apple would not include a link to reset your password. It would just advise you to reset it, if the login looks suspicious to you.
Also, maybe delete 100 accounts right out of the gate to show that your firepower is real, and not just a "pointed finger gun" inside your jacket pocket.
Last edited:
Yeah but presumably they would still have the 627 million accounts. And Apple could try to force resets, but not everyone would reset their passwords in the meantime.