Apple’s 2-Factor Authentication Crumbles – Criminals Remotely Lock Macs & Demand Bitcoins


Earlier this week, we shared a report that essentially proved all of us need to dump SMS-based two-factor authentication. While that report focused on sophisticated attackers exploiting the flawed SS7 signalling network, it at least offered the consolation that not every random Joe was going to come after us. What happens when the second factor can simply be skipped, leaving a password as your only line of defence? Apple users are finding that out the hard way.

Several Apple users over the past two days have tweeted that they were locked out of their machines after cybercriminals took over their iCloud accounts. The problem is that these users actually had 2FA enabled. They just never received a code, because the attackers never had to request one...


Cybercriminals render Apple's two factor authentication completely useless

Apple apparently allows you to get "partial" access to iCloud even without a texted code. When you enter the email and password and then click on Find My iPhone instead of entering the code, you can see the complete list of devices on the account.

As seen in the above screenshot, you won't get access to your data, but you will see the list of devices along with the options to erase or lock them.

This appears to be a deliberate design trade-off rather than a bug: Apple presumably allows it so that users can lock a lost or stolen device even when they can't get into iCloud, because the device that would receive the authentication code is the very one that is missing. The cost of that convenience is that a password alone is enough to lock or erase every device on the account.
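The following is an added illustration, not Apple's code, of the authorisation gap described above: a toy sign-in flow where a session is "half authenticated" after the password, and a Find My-style service that either gates remote lock on the second factor or does not. All names (`FindMyService`, `attacker_run`, the sample account, password, one-time code and ransom message) are constructed for the example.

```python
"""Toy model of a step-up authentication gap (added example, not Apple's code)."""
from copy import deepcopy
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a request lacks the authentication level the action requires."""


# Constructed sample account. The password stands in for a reused credential
# from an old breach dump; the OTP is what the owner's trusted device would show.
SAMPLE_ACCOUNTS = {
    "victim@example.com": {
        "password": "Summer2016!",
        "otp": "482913",
        "devices": {
            "mac-1": {"name": "Victim's MacBook", "locked": False, "message": None},
            "iphone-1": {"name": "Victim's iPhone", "locked": False, "message": None},
        },
    }
}


@dataclass
class Session:
    email: str
    password_ok: bool = False
    second_factor_ok: bool = False


class FindMyService:
    """Hypothetical service with one policy switch: do remote actions need the second factor?"""

    def __init__(self, require_second_factor: bool):
        self.require_second_factor = require_second_factor
        self.accounts = deepcopy(SAMPLE_ACCOUNTS)  # fresh state per instance

    def sign_in(self, email: str, password: str) -> Session:
        acct = self.accounts.get(email)
        if acct is None or acct["password"] != password:
            raise AuthError("bad credentials")
        # Password accepted: the session is only half authenticated until the OTP is verified.
        return Session(email=email, password_ok=True)

    def verify_second_factor(self, session: Session, code: str) -> Session:
        if not session.password_ok or self.accounts[session.email]["otp"] != code:
            raise AuthError("bad or missing one-time code")
        session.second_factor_ok = True
        return session

    def _authorize(self, session: Session) -> dict:
        """Return the account if the session meets the configured policy, else raise."""
        if not session.password_ok:
            raise AuthError("not signed in")
        if self.require_second_factor and not session.second_factor_ok:
            raise AuthError("second factor required")
        return self.accounts[session.email]

    def list_devices(self, session: Session) -> list:
        return sorted(self._authorize(session)["devices"])

    def lock_device(self, session: Session, device_id: str, message: str) -> dict:
        device = self._authorize(session)["devices"][device_id]
        device["locked"] = True
        device["message"] = message
        return dict(device)


def attacker_run(require_second_factor: bool) -> str:
    """Attacker knows only the breached password and never sees a one-time code."""
    svc = FindMyService(require_second_factor)
    session = svc.sign_in("victim@example.com", "Summer2016!")
    try:
        locked = svc.lock_device(session, "mac-1", "Pay 0.05 BTC to unlock")  # constructed ransom note
    except AuthError as err:
        return f"blocked: {err}"
    return f"locked {locked['name']} with message {locked['message']!r}"


if __name__ == "__main__":
    print("password-only policy :", attacker_run(require_second_factor=False))
    print("second-factor policy :", attacker_run(require_second_factor=True))
```

With `require_second_factor=False` the attacker locks the Mac using nothing but the password, which is the behaviour the article reports. With the switch on, the same request fails with "second factor required", but so would a legitimate owner whose only trusted device is the lost one, which is exactly the trade-off the paragraph above describes; a real fix has to find a middle ground such as a separate recovery path rather than simply flipping this switch.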


So, why exactly are we talking about this?

Hackers have apparently found a way to exploit this behaviour. Over the last 30 hours or so, several Mac users have reported being locked out of their machines. Cybercriminals appear to have signed into their iCloud accounts, probably using email-password combinations dumped in some of the mega data breaches of 2016. Without ever completing two-factor authentication, and using only Find My iPhone, the attackers were able to lock users out of their own devices even though they couldn't get access to their data.

But data is not something they are after in this case. They want money - cryptocurrency, to be exact.

They aren't demanding a lot of money, similar to ransomware campaigns seen earlier this year. With amounts as small as $20 or $50, users are more inclined to simply pay the ransom. And as some victims of this iCloud ransomware campaign have reported, they can't even get a timely Genius Bar appointment, so many might just pay the hackers instead.

So far, no one seems to have paid the criminals, which either shows that the target list is still very small or that users have more trust in Apple responding to them soon.

NOT an Apple hack, but definitely an issue the company will need to address ASAP

The attacks don't seem to be widespread at the moment; however, it's unclear why the iPhone maker hasn't responded to users who tweeted at the company at least two days ago. While not an Apple hack, the credentials being used to lock iCloud users out of their accounts could easily have been mined from the dumps of sites like LinkedIn, Tumblr, Yahoo, and several others that were breached years earlier but only exposed last year. No iCloud vulnerability is needed when the password is already public and the second factor is never asked for.

To stay safe from this iCloud ransomware campaign:

  1. Change your Apple ID password and never reuse passwords across services; a password that has appeared in any breach should be considered burned everywhere it was used.
  2. Enable two-factor authentication, for whatever it's worth in this particular case; it still protects the rest of your iCloud data.
  3. Most importantly, disable the Find My iPhone feature until Apple changes this behaviour.

It seems to be the only kill switch right now, though note that turning off Find My iPhone also turns off Activation Lock, so a physically stolen device becomes easier to wipe and reuse. If you are a victim of this iCloud ransomware campaign, do not pay; reach out to Apple or visit a nearby Apple Store with proof of ownership to have the lock removed and get access to your device back.