This happened to me a month ago. I was at the cinema and got multiple 2FA notifications on my phone, all of which I clicked 'Deny' on. When I got home, my Mac was locked asking for a code and there was no way for me to bypass it. I had to take it to an Apple Store to have it reset - quite a struggle for a 27" iMac. I explained I had 2FA enabled and tapped Deny on all the popups. (My 2 phones, and my iPad, all said they were locked, but putting in my passcode unlocked them fortunately).
 
So someone figured out your Apple ID and password?
Having two-factor on will not stop the hacker from locking your device, but it will stop them from changing your iCloud password and hijacking your iCloud account. So if this happens to you and your Mac/iPhone is locked, you would want to access your Apple ID from another trusted device and change your password. This won't unlock your other device since you don't know the six-digit PIN, but at least it would allow you to reclaim control of your iCloud account.
You could send the code to another phone (like a spouse's) or other trusted phone number. You should have an alternative path to retrieving the PIN.
 
[Edit: I looked into this a bit more and I feel perplexed and insecure. I noticed that all of my family's devices are listed under my iCloud account, all of which offer the ability to erase them. I am the head of our family, but I need to check to see if all of our family devices show up when accessed from, say, my child's account. My iCloud and Apple ID password are very strong, but this breach with the lack of information whereby it was instigated does not instill confidence in Apple's security.]

I use 1Password for most of my passwords, aside from the handful I need to remember just in case:

1. My laptop's password. (I do not allow iCloud unlocks.)
2. My phone's passcode.
3. My watch's passcode.
4. My iCloud account.
5. My Gmail account.
6. 1Password's master password.

Moreover, all of these passwords are different so that one breach doesn't involve everything and getting to 1Password involves having both that password and breaking another device.

The key here, if nothing else, is to make sure your iCloud password isn't used elsewhere. Way too many people use the same username/password for dozens of things. Own one and you can guess a bunch. Judging from the messages these "hackers" are little more than annoying script kiddies.

I have the same policy--no iCloud unlock for my Macs and separate complex passwords--so my question is: does it increase the security of the Mac to turn off Find My Mac as well?

Also, I seem to remember a discussion here in which even new iPhones were locked to an iCloud account belonging to a person who did not purchase said device. It was inferred that certain shady persons in at least one foreign country were removing chips from stolen iOS devices and reprogramming them with legitimate MEIDs belonging to customers who had purchased a device with the original MEID. In that case, the iOS devices were locked to the account of the thief. Is it possible this is still happening and the stolen MEID is being used to lock the Mac(s) on the same iCloud account?
 
I wonder how this would defeat phone's security or would be worse for security overall. Genuine question.
The password is indeed only on the device, but Apple does not need it to check if the passcode entered is the same: a hash with a modern method would be enough. They probably also could send the passcode to the device and let the device check it.
Maybe I'm missing something and I'd be happy to have it explained.


Late response. Not sure if you already got an answer, but storing a password's hash is effectively storing the password. Remember all these password heists lately? Many of them aren't because someone got hold of your plaintext password. They got hold of the hashes, and using brute force techniques and hardware, they can test a bunch of passwords with the hashing algorithm.

If Apple or anyone holds the hashes, the government can demand disclosure of the hashes. Even if Apple can't be forced to brute force the hashes themselves, the NSA or any other agency can try. If Apple does not hold the hashes, then the only way in is to actually brute force the device itself, which is where we get into the whole San Bernardino case. Where Apple held the keys, even if hashes (iCloud), they gave access to law enforcement. Where they do not, they said to the government "Sorry, we can't help." That's why not having a 3rd party hold your keys is the better solution.

The best solution to where keys are being held is 2FA, and I hope Apple figures out a 2FA technique for Find my Device so that we can benefit from 2FA security. My suggestion was that if you have 2+ devices registered, you should be able to force toggle 2FA.
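The two posts above disagree on whether a server could safely keep "a hash with a modern method" of a device passcode. The following is an added example, not code from the thread or a description of Apple's implementation, that shows why the hash of a 6-digit passcode is as good as the passcode itself: the whole space is 10^6 codes, so anyone who obtains the stored value (breach or legal demand) recovers the code offline in about a second, and a salt stored beside the hash does not change that. The passcode, salt and device secret are constructed values, and HMAC with a key that never leaves the device stands in for device-bound key material; that model is an assumption made for the demonstration.

```python
"""Offline recovery of a hashed 6-digit passcode versus a device-keyed verifier.

Added example, not from the original thread. Constructed values throughout;
the HMAC key models key material held only on the device (an assumption).
"""
import hashlib
import hmac
import os
from typing import Optional

DIGITS = 6
CANDIDATES = 10 ** DIGITS  # every possible 6-digit passcode


def unkeyed_hash(passcode: str, salt: bytes = b"") -> str:
    """What a server would store if it kept "a modern hash" of the passcode.
    Any salt is stored next to the hash, so an attacker holding the record
    knows it as well."""
    return hashlib.sha256(salt + passcode.encode()).hexdigest()


def crack_unkeyed(stored_hash: str, salt: bytes = b"") -> Optional[str]:
    """Offline attack by whoever obtains the stored hash: test all 10**6 codes.
    Pure-Python SHA-256 over the full space finishes in roughly a second."""
    for n in range(CANDIDATES):
        code = f"{n:0{DIGITS}d}"
        if unkeyed_hash(code, salt) == stored_hash:
            return code
    return None


def device_keyed_hash(device_secret: bytes, passcode: str) -> str:
    """Verifier only the device can compute: the passcode is mixed with a
    secret that never leaves the device. HMAC stands in for hardware-bound
    key material (assumption). Holding the output alone gives no way to
    check guesses."""
    return hmac.new(device_secret, passcode.encode(), hashlib.sha256).hexdigest()


def crack_keyed_without_secret(stored_tag: str) -> Optional[str]:
    """The same exhaustive search run against the keyed verifier by an
    attacker who does not have the device secret (so supplies an empty key).
    Every candidate fails, because the tag depends on the missing key."""
    for n in range(CANDIDATES):
        code = f"{n:0{DIGITS}d}"
        if device_keyed_hash(b"", code) == stored_tag:
            return code
    return None


def demo() -> dict:
    """Run all three scenarios on one constructed passcode and report what
    an attacker holding only the server-side record recovers."""
    passcode = "482913"          # constructed sample passcode
    salt = os.urandom(16)        # constructed; stored beside the hash
    device_secret = os.urandom(32)  # constructed; never leaves the device
    return {
        "plain_sha256": crack_unkeyed(unkeyed_hash(passcode)),
        "salted_sha256": crack_unkeyed(unkeyed_hash(passcode, salt), salt),
        "device_keyed": crack_keyed_without_secret(
            device_keyed_hash(device_secret, passcode)
        ),
    }


if __name__ == "__main__":
    for scheme, recovered in demo().items():
        status = f"recovered {recovered}" if recovered else "not recovered"
        print(f"{scheme:14s} -> {status}")
```

A slow KDF (PBKDF2, scrypt, Argon2) only multiplies the attacker's cost by its work factor; against a 10^6 space that is still hours at most on commodity hardware, which is why the argument in the post above comes down to who holds the key, not which hash is used.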
 
I understand, but if it was a trusted device, why would they be prompting for verification code in the first place? It's a flaw. If I'm on a device that you feel warrants me putting in a verification code, then don't send that code to the device I'm trying to log into.

And the login attempt doesn't even have to be done in a private browser. Try signing in to the public beta page, for example.

EDITED TO ADD: I understand there's a difference between signing into a website and signing into a device, and that's probably where the disconnect is... but it's a flaw nonetheless. My Apple ID is very easily accessed even with 2FA because my verification code gets sent to the device I'm using to try to sign in.

But your device should be password protected, right? So, if someone steals your Mac, and has your password to get in and knows your iCloud details they can login as you online and verify via the stolen Mac. So, no, it’s not easily accessed now is it??

Was your password pretty basic, or was it compromised by a breach on another site you had also used it on?
 
Story suggests always having two-factor authorization enabled, despite article being about 2fa being completely irrelevant to this attack...
I don't think anybody deserves to be hacked. Even if they have been rather stupid in using the same password for multiple sites or slight variations of it.

I do feel for the people involved. They need others around them to force them into changing their passwords otherwise this will happen more and more often.

I currently track 160+ accounts via a password-protected spreadsheet (I know several other people doing the same, all of us by necessity). This insanity needs a better solution than "impossible password requirements and security pundits prescribing them".
 
Unfortunately, thieves will always be two steps ahead of "the good guys" because crime pays big time. It's why if you want to be rich, you become a defense lawyer, not a prosecutor. It's also why you don't put important infrastructure (e.g. power grids) on the Internet for ANY REASON WHAT-SO-EVER as the consequences to even a slight risk are far too dire to contemplate. But the morons running our government keep pushing for just such "smart grids" even though they COULD put them on a separate network entirely, but hey, it's cheaper to connect it to the existing network so let's do THAT instead.... It works great until the day someone hacks and shuts down (or worse yet overloads and damages) the entire country's power grid and sends us into absolute chaos. Gee, that was SO WORTH those "smart features" alright.... (sigh).
 
I've read your post three times and I'm not sure what you're trying to say. It almost sounds like you think 2FA is an Apple product or something. And yes, 2FA is most definitely still secure, but this isn't a 2FA issue—at least based on what I've read. It sounds like people who use the same user ID and password across multiple sites are the ones who are vulnerable.

Late reply: 2FA using TEXT (I should have said) is NOT secure regardless of who uses it.
 
Advising to use Keychain for all of your passwords is just asking for trouble. There have been new Keychain exploits advertised on the internet on a monthly basis going back several years now...and while most have been addressed, 'most' doesn't cut it when you're talking about several dozen of these instances. There are at least a handful of well-publicized exploits that work great right now if you know where to look...and I mean just on the surface web.
Perhaps a 3rd party app could be more secure...but until I do some serious G2 on these, I'll stick to the hard way of using unique passwords...and there are ways to easily remember complex passwords by adjusting several characters to provide uniqueness to these by leveraging the same format but adjusting key characteristics based on the site/account you're visiting. I still write them down but most of the time I'm able to remember because of the way they are formatted...yet still remain uniquely different including character length except in a small number of cases.
Like I said I will probably do some research on 3rd party apps in terms of security but based on the number of evolving threats out there today with surely more to evolve, Keychain is just not an option and I'm surprised this article would suggest using it.
 
This isn't fun, but could have been avoided if the password wasn't simple or had two factor authentication (preferably both).

Man this is funny. Anyone dumb enough to give their password to an unknown person deserves this. Teach expensive lesson. Back up, enable 2FA where you can. I can’t wait for 4 factor auth. That will piss lots of people off. Also everyone should have a password on each device.
 

Agreed. Though I'd be a mess trying to remember passwords. I use an app called PasswordWallet by Selznick. It's been around since the Palm Pilot days and is available for nearly everything. It stores the 'wallet' locally (though you can enable sync of the 'wallet', locally or via cloud). I like being able to manage my own 'wallet' files and backup/archival (that's one file I DO NOT want to lose!), plus I sync locally. I suppose it's possible to compromise that, but extremely unlikely.

But, I'd *AT LEAST* want to use someone specializing in password security with a good track record... not a company with an after-thought 'feature' that has a poor track record (i.e.: Apple).
 
I seem to be in a similar situation. When I start my MacBook Pro 16", it asks for a system lock PIN code and displays the message "Lucifer". I still have access to my iCloud account, and I've changed the password. Shouldn't I be able to disable the lock via iCloud.com? My MacBook shows up at iCloud.com/settings under "My Devices", but it doesn't show up at icloud.com/find.

(I always use strong passwords and 2FA, so I'm also wondering if there's a keylogger installed on one of my devices...)

 
I don't have an answer for you, but you'd be better off creating a new thread. This is a 3 year old news article.
 
Okay, done:


(I originally posted here just for the sake of continuity with existing discussion. Sorry if that was improper.)
 
MacRumors, why are you recommending two-factor authentication if you then go onto say you can access Find My iPhone without needing 2FA??

Here's a better recommendation: turn off Find My Mac until Apple correct course and Find My iPhone requires 2FA.
Or even a better one: do not use the same password in different sites, for different accounts.
 
And when you went to the 'find' page in your account, per the message, was there not a PIN to unlock your computer?
 
You’ll need to send your receipt to Apple to have them remove the lock most likely. You need to report that to them if you haven’t!!!
 