Apple Won’t Pay Ransom & Denies Any Breaches, But Hackers Could Still Go Through With Mass iPhone Resets
After staying silent for a few days, Apple has finally responded to claims of a hacker group that says it has access to over 600 million iCloud accounts.
Earlier this week, a Motherboard story reported that a group of hackers calling itself the “Turkish Crime Family” had gained access to millions of iCloud and other Apple accounts. The group warned that it would remotely wipe the victims’ devices if Apple refused to pay a $75,000 ransom. The group later said the ransom price was $150,000. As the original report noted, there appeared to be several inconsistencies in the group's claims; however, it may really have access to some data.
After the first story went live, Turkish Crime Family contacted Wccftech, showing screenshots of their communication with Apple. The group also claimed that the inconsistencies were due to “one of” their media members who is no longer working with the group due to “inaccuracy and lack of professionalism.”
No Apple hack, but LinkedIn or Yahoo data could come back to bite us
Many feared that Apple’s no-response policy would put users at risk if they did not get an official email asking them to reset their passwords. Thankfully, the Cupertino tech giant has finally spoken, clarifying that there have not been any breaches of its systems and that user data is safe.
However, there remains a possibility of this group having access to this data through some other source, not due to a breach of Apple systems. In a statement to Fortune, Apple said:
“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the spokesperson said. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”
While Apple has denied that its systems suffered any breach, it does seem to have validated the details of this claim, as the company said the data appears to have been obtained from other "third-party services."
Ahead of Apple's statement, while talking to Wccftech, security expert Chris Vickery had also noted that "there's a good chance that [...] this group really has only been breaching Apple fan forums. If you have a site for Apple enthusiasts, and a forum on that site, it's likely that many forum users will re-use the same password from their iCloud accounts."
"When the enthusiast forum is breached, the attackers will try the forum passwords on iCloud," Vickery added.
There is also a possibility that the hackers are using passwords that were dumped after the massive breaches that sites like Yahoo, LinkedIn and others suffered over the years; that data was mostly dumped in 2016. Since many users reuse their passwords, it would still be possible for the group to carry out its threats.
In an email to Wccftech, the Turkish Crime Family noted their "increasing" processing power that will help them carry out mass resets.
"From our calculations if everything goes to plan we'll have enough power to factory reset 150 accounts per minute per script, Our server strength can currently handle 17 scripts per server,
150 x 17 = 2550 accounts factory reset per minute per server
2550 x 250 servers = 637500 accounts per minute
637500 x 60 minutes = 38250000 million accounts reset per hour
Update: We are still strengthening our infrastructure for the attack, we now have more people getting involved with us day by day that are providing us with more databases for the attack which will be on 7 April 2017."
They also claimed that the number of user accounts they have gained access to "has been bumped up from 519 million to 627 to then 717 million," thanks to other hackers joining them. "We're assured that this number will carry on growing until the day of attack," they wrote.
Why wouldn't Apple go for a reset?
As it's clear that the group does have at least a small fraction of data that is legitimate, why is Apple not asking customers to reset their passwords? Considering the possibility of this threat, Apple said the company "is actively monitoring to prevent unauthorized access to user accounts," and is also "working with law enforcement to identify the criminals involved."
This means the company wouldn't (and shouldn't) pay the ransom and is hoping to catch the criminals before they do anything. However, what if more groups have access to this data? What if someone else uses it in the future? Wouldn't it be wiser if Apple would just ask its customers to reset their passwords?
"To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication," Apple added. Good suggestion, but how many Apple users are going to read this statement and follow this "recommendation."
As a user, all you can do is to change your password and save yourself from being caught in between hackers and tech companies. Whatever happens (or doesn't) on April 7, if you are someone who tends to reuse passwords, better to do a simple password reset. And while we are at it, don't forget to activate two-factor authentication, too.