iPhone with 2-factor and Lost mode stolen and thieves remove iCloud :-(

[imactor]

hi,
The iPhone of a friend of mine was stolen a few days ago. She told me that FMI was activated with 2-factor. 15 minutes after the incident we turned on “Lost mode”.
It turned out that the thieves were able to change her iCloud password and remove the iPhone from FMI.
How do they did it?
For the record: she NEVER recieved or opened a phishing email o sms.
She has an iCloud account with Gmail.

I’m trying to reproduce how they did this. Any ideas?

Thanks

 

[noobinator]

Guessed her PW?

 

[Shirasaki]

Does she only have one trusted device and SMS, both are her iPhone?

 

[Jesla]

....or already knew the password.

 

[bufffilm]

Obviously, they guessed or obtained her password.

 

[imactor]

Does she only have one trusted device and SMS, both are her iPhone?

Yes
[doublepost=1506088437][/doublepost]

Obviously, they guessed or obtained her password.

Gmail also had 2-factor

 

[noobinator]

The only logical explanation based on the facts presented is Magic was involved.

 

[bufffilm]

Yes
[doublepost=1506088437][/doublepost]
Gmail also had 2-factor

1. Is she positive 2FA was enabled?

2. What timeout settings were set on the phone when it was stolen?

 

[imactor]

The only logical explanation based on the facts presented is Magic was involved.

Hahahaha
[doublepost=1506101209][/doublepost]

1. Is she positive 2FA was enabled?

2. What timeout settings were set on the phone when it was stolen?

Yes! The gmail password was changed also. But how can they know the address?

The phone had Touch ID (and 6 digit code).

iPhone 7 btw.

 

[Tomloes]

Hahahaha
[doublepost=1506101209][/doublepost]

Yes! The gmail password was changed also. But how can they know the address?

The phone had Touch ID (and 6 digit code).

iPhone 7 btw.

Saw this thread in the Ios11 forum https://forums.macrumors.com/threads/ios-11-security-concern.2070636/

If they had her passcode, they might have used this bug/feature to change her icloud password.