
Bahamut Eos

macrumors member
Original poster
Mar 29, 2008
Los Angeles
My iCloud account was hacked last night. I was on my computer, and I saw a notification that my iCloud account was trying to log in somewhere in India. I clicked don't allow, changed my password, played around on my home computer for a bit, and went to bed. When I got to work, my iMac there was locked out, showed a weird lockout screen, and had a note to send an e-mail to an address ending in @GMX.com.

I did some googling, didn't find anything this morning. Took my computer in to the Apple Store where they said they would unlock it. Later that night I found my laptop locked as well. (Have to take that in later.)

Found this Apple discussion thread this evening.

https://discussions.apple.com/thread/7940180?start=-15&tstart=0

Seems it's happened to a few people now. Some of the other people say they had two step authentication set up. I have it turned on now, we will see. I'm pretty sure I don't use that exact password on any other websites, so the exact password wouldn't have been leaked at some point.

Anyone else having this issue here?

Sorry if this isn't the right place to post this, I will move if need be.
 
As you know, I also suffered this fate. Luckily it was a computer that I purchased new and the Apple Store fixed me up.

Pretty much the same with me. I had an iMac and a laptop hacked. The laptop was pretty old, around 2009, so was worried I couldn't find a Proof of Purchase for it, but managed to keep it. I had another Apple guy quote me $45 bucks to fix it if Apple Store wouldn't do it. I've known that guy for years, so I don't think he would have required a receipt from me.

My wife's ATM card was messed with soon afterwards, not sure if it's related or not. I don't think she has used her ATM online anywhere. Waiting to see what happens.
 
How did the hack occur, meaning what steps could be done to prevent this? That some of those people had 2FA is a little worrisome.
 
After seeing this thread, I've read a bit about this and it appears to be happening to quite a few people. So, if I understand this correctly, someone can log into your iCloud account if they have/guess your ID and password, but they can't access your files if you use 2FA without a device to approve access and give them the 6 digit code. However, they can lock out a device after they put in the ID and password even if you don't approve via 2FA. If that's the case, would it be best to turn off Find My iPhone/Mac on all of my devices, iPhone, iPad and Macs until Apple figures out a way to fix, or come up with a better solution to, the issue?
 
How did the hack occur, meaning what steps could be done to prevent this? That some of those people had 2FA is a little worrisome.

Note only one person said they had had it enabled, and actually said they had two step (the old one, that doesn't pop up on your iOS devices) enabled.
 
After seeing this thread, I've read a bit about this and it appears to be happening to quite a few people. So, if I understand this correctly, someone can log into your iCloud account if they have/guess your ID and password, but they can't access your files if you use 2FA without a device to approve access and give them the 6 digit code. However, they can lock out a device after they put in the ID and password even if you don't approve via 2FA. If that's the case, would it be best to turn off Find My iPhone/Mac on all of my devices, iPhone, iPad and Macs, until Apple figures out a way to fix or come up with a better solution to the issue?

Actually, you are very right and gave me the solution that I am going to use for now. The Apple Store suggested that I add a firmware password to each of my Macs. Any device that has a passcode gets locked but the passcode is the one that you already set.
 
Actually, you are very right and gave me the solution that I am going to use for now. The Apple Store suggested that I add a firmware password to each of my Macs. Any device that has a passcode gets locked but the passcode is the one that you already set.


You sure about that? I read over on the Apple forums that the Lock Out feature of iCloud still allows for a passcode to be set up, separate from the firmware code you may create. Basically, they were saying that it won't stop the issue. Who knows?
 
After seeing this thread, I've read a bit about this and it appears to be happening to quite a few people. So, if I understand this correctly, someone can log into your iCloud account if they have/guess your ID and password, but they can't access your files if you use 2FA without a device to approve access and give them the 6 digit code. However, they can lock out a device after they put in the ID and password even if you don't approve via 2FA. If that's the case, would it be best to turn off Find My iPhone/Mac on all of my devices, iPhone, iPad and Macs until Apple figures out a way to fix, or come up with a better solution to, the issue?

But if you have 2FA enabled, it should require that to even get the Find My Phone section of iCloud from where you can lock devices. Otherwise, the 2FA isn't doing anything at all.

I have 2FA enabled on my account and going to either icloud.com or appleid.apple.com, I can't get fully logged in without the 2FA number..

Regards
 
You sure about that? I read over on the Apple forums that the Lock Out feature of iCloud still allows for a passcode to be set up, separate from the firmware code you may create. Basically, they were saying that it won't stop the issue. Who knows?

No, I'm not sure that it would work but for now, I have removed all my Macs from the Find My Mac in iCloud. I will enable it again when I feel this has been dealt with in a way that won't leave me with a potential paperweight. Several of my computers were purchased second hand. I would not be able to get Apple to reset them.
 
But if you have 2FA enabled, it should require that to even get the Find My Phone section of iCloud from where you can lock devices. Otherwise, the 2FA isn't doing anything at all.

I have 2FA enabled on my account and going to either icloud.com or appleid.apple.com, I can't get fully logged in without the 2FA number..

Regards

Go to the iCloud login page from a browser not on a trusted device. When you log in, which will send a trusted device a 2FA code, look below where you put in the 6 digits on the browser. There are 3 icons there and the one on the left is a link to Find my iPhone. There you can view your devices and lock them out even without getting into the rest of your iCloud data. Bear in mind that I haven't had a chance to try this on a computer browser, it's just something I read on the Apple forums so I may be wrong in how this works, but I do recall the icons being there last time I logged in from a browser. Anyway, I assume that this option is there so that you can remote lock a device, even if you don't have access to a trusted device at that time. I guess that's how they are doing it.
 
Go to the iCloud login page from a browser not on a trusted device. When you log in, which will send a trusted device a 2FA code, look below where you put in the 6 digits on the browser. There are 3 icons there and the one on the left is a link to Find my iPhone. There you can view your devices and lock them out even without getting into the rest of your iCloud data. Bear in mind that I haven't had a chance to try this on a computer browser, it's just something I read on the Apple forums so I may be wrong in how this works, but I do recall the icons being there last time I logged in from a browser. Anyway, I assume that this option is there so that you can remote lock a device, even if you don't have access to a trusted device at that time. I guess that's how they are doing it.

I have tried it. You can lock devices even if you say, "Don't Allow" on your trusted device. You are right, it is exactly how they are doing it. A poster gave a great suggestion that I am using until this is fixed, and that is removing the check mark from the Find My Mac in Settings on my Macs, especially those that I purchased used or do not have a handy copy of the receipt.
 
I have tried it. You can lock devices even if you say, "Don't Allow" on your trusted device. You are right, it is exactly how they are doing it. A poster gave a great suggestion that I am using until this is fixed, and that is removing the check mark from the Find My Mac in Settings on my Macs, especially those that I purchased used or do not have a handy copy of the receipt.

Yep. I think a fix Apple could put in place to help would be to require the device PIN or password to be put in when you try to lock a device from iCloud. When the lock signal is sent to the device, if the PIN or password don't match, then the device won't lock. This would effectively stop this from happening as a hacker would probably not know your Apple ID, password and device PIN or password to lock you out. I would think that this would be a rather easy thing for Apple to implement, but I doubt they'll even acknowledge the issue in order to fix it.
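The check proposed in the post above, sketched as an added example (not part of the thread and not Apple's implementation): the policy table records only what posters here reported, while the `Device` class, its method names and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import IntEnum


class Assurance(IntEnum):
    PASSWORD_ONLY = 1  # Apple ID and password accepted, 2FA prompt not completed
    TWO_FACTOR = 2     # 6-digit code from a trusted device accepted


# Minimum session level per action, as posters in this thread reported it.
OBSERVED_POLICY = {
    "locate": Assurance.PASSWORD_ONLY,
    "play_sound": Assurance.PASSWORD_ONLY,
    "lock": Assurance.PASSWORD_ONLY,
    "erase": Assurance.TWO_FACTOR,
}


def session_may(action, assurance, policy=OBSERVED_POLICY):
    """True if a session at this assurance level reaches the action at all."""
    return assurance >= policy[action]


class Device:
    """Hypothetical device that applies a remote lock only on a passcode match."""

    MAX_FAILURES = 5  # assumed limit so a short PIN cannot be guessed remotely

    def __init__(self, passcode):
        self._salt = os.urandom(16)
        self._digest = self._derive(passcode)
        self.failures = 0
        self.locked = False

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def remote_lock(self, assurance, passcode):
        # Refuse outright once the remote attempt budget is spent.
        if not session_may("lock", assurance) or self.failures >= self.MAX_FAILURES:
            return False
        # Constant-time comparison against the passcode the owner already set.
        if not hmac.compare_digest(self._digest, self._derive(passcode)):
            self.failures += 1
            return False
        self.failures = 0
        self.locked = True
        return True
```

A password-only session still reaches the lock action, so an owner with a single lost device is not shut out, but the lock takes effect only when the existing device passcode is supplied.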
 
Go to the iCloud login page from a browser not on a trusted device. When you log in, which will send a trusted device a 2FA code, look below where you put in the 6 digits on the browser. There are 3 icons there and the one on the left is a link to Find my iPhone. There you can view your devices and lock them out even without getting into the rest of your iCloud data. Bear in mind that I haven't had a chance to try this on a computer browser, it's just something I read on the Apple forums so I may be wrong in how this works, but I do recall the icons being there last time I logged in from a browser. Anyway, I assume that this option is there so that you can remote lock a device, even if you don't have access to a trusted device at that time. I guess that's how they are doing it.

Thanks for the explanation, I just tried it and indeed with just my username/password I was able to get to the Find my Phone screen and see all of my devices and play sounds and likely lock them out. This is quite a huge security hole..

I guess it's a good thing my Apple ID password is quite secure and hard to crack..

Should send a bug/request into Apple about this..

Regards
 
Thanks for the explanation, I just tried it and indeed with just my username/password I was able to get to the Find my Phone screen and see all of my devices and play sounds and likely lock them out. This is quite a huge security hole..

I guess it's a good thing my Apple ID password is quite secure and hard to crack..

Should send a bug/request into Apple about this..

Regards

I just sent Apple a feedback comment on the issue and threw out my suggestion of requiring the device PIN or Admin Password in order to remote lock a device. Who knows if they will bother, but if anyone else is concerned, please send them some feedback about the issue.
 
I just sent Apple a feedback comment on the issue and threw out my suggestion of requiring the device PIN or Admin Password in order to remote lock a device. Who knows if they will bother, but if anyone else is concerned, please send them some feedback about the issue.

I also sent in feedback about this issue..
 
Thanks for the explanation, I just tried it and indeed with just my username/password I was able to get to the Find my Phone screen and see all of my devices and play sounds and likely lock them out. This is quite a huge security hole..

I guess it's a good thing my Apple ID password is quite secure and hard to crack..

Should send a bug/request into Apple about this..

Regards

I thought so, too. Then I went to the Apple Store with my receipt in hand where I spent just over an hour earlier this week.
 
Thanks for the explanation, I just tried it and indeed with just my username/password I was able to get to the Find my Phone screen and see all of my devices and play sounds and likely lock them out. This is quite a huge security hole..

I guess it's a good thing my Apple ID password is quite secure and hard to crack..

Should send a bug/request into Apple about this..

Regards

Tried it on my secondary phone, can indeed lock iOS devices without accepting any sort of 2FA (and even after hitting decline!). According to Apple support, they can't be erased without the use of 2FA. Locking them also uses the existing passcode, so it's not really an issue.

I don't have a second Mac to play with but... https://support.apple.com/kb/PH2700?locale=en_GB the bottom of this page suggests you could just use Find My iPhone to disable lost mode and everything should be hunky dory? Can anyone have a try and confirm?

Also, if an EFI password is already set, does the lost mode one override it? Can both be used? Does it just lock with the EFI passcode like an iOS device would lock?
 
Tried it on my secondary phone, can indeed lock iOS devices without accepting any sort of 2FA (and even after hitting decline!). According to Apple support, they can't be erased without the use of 2FA. Locking them also uses the existing passcode, so it's not really an issue.

I don't have a second Mac to play with but... https://support.apple.com/kb/PH2700?locale=en_GB the bottom of this page suggests you could just use Find My iPhone to disable lost mode and everything should be hunky dory? Can anyone have a try and confirm?

Also, if an EFI password is already set, does the lost mode one override it? Can both be used? Does it just lock with the EFI passcode like an iOS device would lock?

Apparently this is a much bigger deal with Macs than with i devices because of the EFI password. I haven't tried this, but according to some over on Apple's forums, the Lost Mode code overrides the EFI password that you might set so you would be locked out. I don't think that it replaces the EFI password, but it looks like you would need the lockout passcode to unlock. It's unclear as some say it's no different and some say it is. Also, I've read over there that people are not able to unlock through Find my iPhone, but to be honest, I haven't tried it as I've gone ahead and turned off Find my iPhone on all my devices for now.

Regardless, you shouldn't be able to lock someone out of their device, permanently if they don't have a receipt, nor should you be able to track someone with just an ID and password. Especially not with 2FA turned on. I understand Apple's reasons for not requiring 2FA to track and lock a device, since some people only have the one device and may not be able to receive a code, but they need to find something to add, perhaps a separate password or use the Admin Password or PIN as an additional layer to avoid this situation.
 
Tried it on my secondary phone, can indeed lock iOS devices without accepting any sort of 2FA (and even after hitting decline!). According to Apple support, they can't be erased without the use of 2FA. Locking them also uses the existing passcode, so it's not really an issue.

I don't have a second Mac to play with but... https://support.apple.com/kb/PH2700?locale=en_GB the bottom of this page suggests you could just use Find My iPhone to disable lost mode and everything should be hunky dory? Can anyone have a try and confirm?

Also, if an EFI password is already set, does the lost mode one override it? Can both be used? Does it just lock with the EFI passcode like an iOS device would lock?

If there is an EFI password already set then it uses that one. This is why my iPads and iPhones were able to be unlocked in seconds. One of my MacBooks was a bigger problem because it did not have an EFI which resulted in it locking with an unknown 6 digit password.
 
Apparently this is a much bigger deal with Macs than with i devices because of the EFI password. I haven't tried this, but according to some over on Apple's forums, the Lost Mode code overrides the EFI password that you might set so you would be locked out. I don't think that it replaces the EFI password, but it looks like you would need the lockout passcode to unlock. It's unclear as some say it's no different and some say it is. Also, I've read over there that people are not able to unlock through Find my iPhone, but to be honest, I haven't tried it as I've gone ahead and turned off Find my iPhone on all my devices for now.

Regardless, you shouldn't be able to lock someone out of their device, permanently if they don't have a receipt, nor should you be able to track someone with just an ID and password. Especially not with 2FA turned on. I understand Apple's reasons for not requiring 2FA to track and lock a device, since some people only have the one device and may not be able to receive a code, but they need to find something to add, perhaps a separate password or use the Admin Password or PIN as an additional layer to avoid this situation.

I'd prefer non-2FA access to be optional (dependent upon amount of registered devices) or based on some kind of behaviour-based security question only the owner should know the answer to. Like, where was your iPhone on Monday at 2?
 