Not all heroes wear capes.
All jokes aside, disgusting behaviour and this would be awful to discover happen to you or a loved one, but I’m a little disappointed that it wasn’t taken seriously by authorities enough to act upon until a prominent person experienced this hardship.
 
There isn’t enough free porn in the world already? Who pays this guy money? Just go to a free site, take care of business, and go to sleep people. No need to ruin lives.
I suppose, people like jilted lovers or people otherwise holding a grudge against the victims, probably constituted a large chunk of Hao Kuo Chi's customers. A revenge porn thing.
 
What I got from this is that 4,700 users shouldn't have a computer, be allowed on the internet or employed by any company that likes to keep its data secure.
 
In the not too distant future the fact that we would authenticate via username+password will look like the stone age.
While dismissing the advantage of username password combo and kissing goodbye to internet anonymity. But sure, for security.
 
I just want to remind you guys: eliminating the criminal can never be achieved. But controlling criminal activities can.

With that being said, I suspect 2FA would not help much, since that website looks legit and people in a hurry could forget there must be 2FA pop-ups before login. The whole purpose of 2FA in the login process is notifying you of a login attempt after entering password, not before. And a fake website will not trigger 2FA, otherwise it’d be the legit Apple website. By the time they hit the enter key, the password is already leaked.
 
Doesn’t anyone use 2fa? :rolleyes:
I thought smart people used Apple devices but I guess I’m wrong. That’s a lot of gullible people.
 
At least 620,000 photos/videos of people having sex have been uploaded to iCloud? Come on people!


Seriously. There's this bud of mine I met at Kelly's Logan House and he had his Mac with him. He was showing me pics on his MBP and I was like WHOA, DUDE! He said he had like 1,000's more just like it and I was just blown away. Then someone spilled a drink on his computer and it was, like, all full of water and he said it wasn't a problem. He had all those pictures uploaded into the cloud, so he could take his laptop over to the Mac Store in Trolley Square and get it fixed. He also mentioned he had tons of coin, so getting another laptop and downloading the pics back wasn't an issue.

He never picked up that laptop, he just got a new one. I don't think anything came of it, though. I think he's probably responsible for about half those 620K pics you talked about!

He invited me to party with him in Vegas a while back, and I said naww. He's too wild for me, man....
 
Don't share your passwords!! Under no circumstance. I can't believe people do that in 2021. Don't tell me not to blame the victims. We are in 2021.
 
Just goes to show, it does not matter how strong a company makes their security system because there will always be naive and gullible people who will always fall for scams, fake emails and social engineering attempts to get their account login details.

People then say 'do not victim blame' and my reply would be, why not? If someone does not know how to drive, they do not get behind a steering wheel because they know they could do serious harm to not only themselves but to others. Therefore, if someone does not know how to use email or social media then they should not be using it, end of. If a person is not tech savvy then they should get tech savvy, if not then they should stay away from the internet and computers and smartphones because they are only going to do harm to themselves (fall prey to scams).
 
It's hard to argue something doesn't pass the sniff test because with no standard way of securing our credentials everything smells different now.
As the saying goes, the great thing about standards is that there are so many to choose from.

I agree with your sentiment. The problem is the most ubiquitous option for 2FA is the inherently insecure SMS.
If the telcos would fix that, we'd have better protection for everyone. Though I think even in its current state, SMS is much better than nothing.
 
Having something stolen from your home is not "victim mentality", it's being a victim. Calling the victim a Muppet rather than the thief a criminal is bizarre.
Leaving a gold bar on your front porch, having it stolen, and not taking ownership of your mistake of leaving the gold bar on your front porch is 100% victim mentality. "But, but, but...it shouldn't have been stolen." When did I ever mention that the person who stole the gold bar wasn't a thief? Anyone with a brain in their head knows that someone who steals someone else's property is a thief. Clearly you are not comprehending what I am saying. Anyway, have a nice day.
 
I suspect 2FA would not help much … The whole purpose of 2FA in the login process is notifying you of a login attempt after entering password, not before.
I’m not sure this is correct. I have my 2FA on and I have to give access to anyone trying to access my account (in every case it’s myself though) on MY device. In this scenario this Chi guy wouldn’t be able to access mine if I don’t purposefully give permission on my device to allow him to.
I fully understand that some naive people will just tap that Allow button without reading it first though.
 
I’m glad that worked out for you, but realistically it’s only doable in enterprise. I’m talking more about your average user as most iCloud accounts are probably personal accounts. How would you go about educating them systematically?
I dunno. Point them at the relevant reading material and tell them to read it? If they don't, it's on them.

Yes, yes: There will be people who will be utterly confused by said reading material no matter how it's put, or how simply. You can't save everybody.

True. In any competent software development training, you are taught that users will do any and everything.
“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” ― Rick Cook, The Wizardry Compiled

More succinctly: Build more idiot-proof software and God will build a better idiot.

You’re correct, though naivety is excusable to a limit.
Indeed. E.g.: Who can possibly not know of the "Nigerian" scam by now? It's been all over the "news" and the Internet for ages. Yet people still fall for it. Who can possibly believe the IRS will call them on the phone to inform them of overdue taxes, then demand immediate payment in the form of gift cards? Yeah, people fall for that, too.

As I said, above: Some people cannot be saved. Sad, but true.
 
I’m not sure this is correct. I have my 2FA on and I have to give access to anyone trying to access my account (in every case it’s myself though) on MY device. In this scenario this Chi guy wouldn’t be able to access mine if I don’t purposefully give permission on my device to allow him to.
I fully understand that some naive people will just tap that Allow button without reading it first though.
The issue here is: when does the 2FA notification pop up? It must happen after the user enters Apple ID and password, and said website or application must send a login request to Apple, and then Apple triggers 2FA for users to confirm. Will that fake Apple ID website trigger the 2FA login prompt, which depending on people's stupidity, could either tap allow or don't allow? For me, when I try to log in to my Apple ID from https://appleid.apple.com from a browser that is not trusted, 2FA will trigger, as soon as I hit the arrow. Will that 2FA website trigger it? Or is it just a fancy keylogger that saves your entered Apple ID and password without triggering 2FA?

If someone could brief me on these details I'd much appreciate it.
 
It would be more like giving the keys to your store or your car to the person wanting to rob you.

While that person claims to be an employee that can lock up the store. Or better yet claims to be police.

People thought this person was an Apple Employee. Not just some random Joe that wanted username and password.
 
The issue here is: when does the 2FA notification pop up? It must happen after the user enters Apple ID and password, and said website or application must send a login request to Apple, and then Apple triggers 2FA for users to confirm. Will that fake Apple ID website trigger the 2FA login prompt, which depending on people's stupidity, could either tap allow or don't allow? For me, when I try to log in to my Apple ID from https://appleid.apple.com from a browser that is not trusted, 2FA will trigger, as soon as I hit the arrow. Will that 2FA website trigger it? Or is it just a fancy keylogger that saves your entered Apple ID and password without triggering 2FA?

If someone could brief me on these details I'd much appreciate it.

But the user isn’t logging in, right? This scammer is getting credentials THEN logging in themselves. So when the scammer tries to log in, 2FA would have kicked in. Notifying them of something suspicious.
 
While that person claims to be an employee that can lock up the store. Or better yet claims to be police.

People thought this person was an Apple Employee. Not just some random Joe that wanted username and password.
Yes, that is a good point. They usually pose as some official person and then use fear to make someone that isn't in the know about scammy things to make all their logic go out the window.
 
Your first sentence is incorrect. Apple has never been known to open personal photos uploaded to iCloud, and it has been known (repeatedly) to resist government requests for such photos. You might be thinking of the recent news articles about Apple's proposed new hash-matching system, but that system has not yet been implemented and, from what we know, targets only those photos that match hashes associated with known child pornography. The e-mail I responded to was about uploading nude personal photos generally, and called it the "most moronic" thing a person could do on a computer. I simply disagree. iCloud is intended for photos, including personal photos.

Although your second sentence is correct, it is something many people address by using a secure password, two-factor authentication, etc. That obviously didn't work here, but these are the measures that are generally used to protect personal documents and information stored remotely.

As to your view that "there is zero reasons to take nude pictures of yourself and store them" in the cloud, I would suggest that the reasons are the same reasons people would use to store any photos in the cloud -- convenience being the main one. Simply put, people who take photos tend to want easy access to those photos. Perhaps your real point wasn't that "there is zero reasons," since there obviously are reasons, but rather that those reasons are outweighed by countervailing factors?

1-Apple will hand the government any information they legally have to. It's the law.

2-AFAIK iCloud is not encrypted and thus Apple employees can access it and will hand it over with all its content to any legal request.
 