Slashdot Mirror


Apple Devices Held For Ransom, Rumors Claim 40M iCloud Accounts Hacked; Apple-Related Forums Compromised (csoonline.com)

Steve Ragan, reporting for CSOOnline: Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian. Earlier this week, a security professional posted a message to a private email group requesting information related to a possible compromise of at least 40 million iCloud accounts. Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple." The message goes on to state that the alleged breach was conducted by a Russian actor, and vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money." In a separate report, the publication reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and their databases are now being sold on the Darknet. While nothing is confirmed, there is a possibility that some of the rumored 40M compromised Apple ID credentials may have come from these forums, or from LinkedIn's recent hack.

73 comments

  1. Hahahaha Social Media by ColdWetDog · · Score: 1, Troll

    the publication reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and their databases are now being sold on the Darknet. While nothing is confirmed, there is a possibility that some of the rumored 40M compromised Apple ID credentials may have come from these forums, or from LinkedIn's recent hack.

    People who post info on social media are fools!

    Oh. Wait.

    --
    Faster! Faster! Faster would be better!
    1. Re:Hahahaha Social Media by NatasRevol · · Score: 1, Insightful

      This doesn't even make sense. There's no way these sites were using AppleID accounts, or collecting them.

      Now, reverse engineering based on login is possible, but that's user stupidity, not Apple's fault that people use the same log in for multiple things.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Hahahaha Social Media by amicusNYCL · · Score: 4, Insightful

      This doesn't even make sense. There's no way these sites were using AppleID accounts, or collecting them.

      Seriously, it is not even in the realm of things that are possible that someone who prefers using devices that are marketed as "it just works" would use the same credentials on multiple services. In fact, such a thing is literally inconceivable. It's so inconceivable that I don't even know what I'm talking about. None of this makes sense.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Hahahaha Social Media by Gr8Apes · · Score: 1

      In fact, such a thing is literally inconceivable. It's so inconceivable that I don't even know what I'm talking about.

      You keep using that word, I do not think it means what you think it means

      --
      The cesspool just got a check and balance.
    4. Re:Hahahaha Social Media by Paradise+Pete · · Score: 1

      People who post info on social media are fools! Oh. Wait.

      No worries, this is Slashdot. This is anti-social media.

    5. Re:Hahahaha Social Media by NatasRevol · · Score: 1

      Oh, yes. You have a great point. I'm sure O N L Y Apple users do this...

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Hahahaha Social Media by ahabswhale · · Score: 1

      Interesting. I make six figures using devices that "just work". So do most people working in Silicon Valley. Clearly I must be a moron incapable of having good passwords. So are all the smart people on Windows? Just curious.

      --
      Are agnostics skeptical of unicorns too?
    7. Re:Hahahaha Social Media by Tourney3p0 · · Score: 1

      There is a very, very large amount of middle ground between "It couldn't possibly be Apple" and "It could only be Apple". You're the only one going to these two extremes.

    8. Re:Hahahaha Social Media by amicusNYCL · · Score: 1

      Well, I make six figures using Windows and Linux machines, so obviously you and I are a fantastic set of data points.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    9. Re:Hahahaha Social Media by ahabswhale · · Score: 1

      So now you care about data points? rofl

      go troll elsewhere

      --
      Are agnostics skeptical of unicorns too?
    10. Re:Hahahaha Social Media by Anonymous Coward · · Score: 0

      In fact, such a thing is literally inconceivable. It's so inconceivable that I don't even know what I'm talking about.

      You keep using that word, I do not think it means what you think it means

      i think you're the one who doesn't know what it means. a quick google shows he used it correctly... means unimaginable, unbelievable, unable to be grasped mentally.

      yep, only an idiot calls someone out for something when they're actually the one who is wrong.

    11. Re:Hahahaha Social Media by Wovel · · Score: 1

      I make 7 figures, but I prefer big chief pads and pencils. What a wacky world.

    12. Re:Hahahaha Social Media by Gr8Apes · · Score: 1

      Whoosh

      --
      The cesspool just got a check and balance.
  2. meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 1

    Who is responsible for devices getting hijacked? With PCs you can argue the end user is responsible for what is done with the machine. For more locked down devices is the manufacturer ultimately fully responsible for the function of the device?

    There will be legal lawsuits for sure. Class action and individual.
    A bigger question will be what view does the public take? Do they blame themselves or the manufacturer?

    1. Re:meta discussion who is responsible for hacks? by saloomy · · Score: 0

      If the company was hacked and the passwords were stored insecurely, then it is responsible. If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable. They didn't decide your password. They allow you the freedom to set it yourself. Don't be a fool and split passwords among various services. Seriously.

      You can't complain when it has been repeated so often NOT TO USE COMMON PASSWORDS. YOUR SECURITY IS THAT OF THE WEAKEST PASSWORDS.
      You can't complain because you failed to enable two-factor.
      You can't complain if your password was easy to guess and the attackers guessed it (you can if the company allows millions to be tested without locking out your account and blocking the attack, this is a brute force password break, and should be mitigated in authentication software).

    2. Re:meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      Except that when 40M people are locked out of their Apple accounts, it will inevitably make Apple look bad, regardless of how dumb their user base is.

      This is why every smart company will move to two factor authentication before long.

    3. Re:meta discussion who is responsible for hacks? by kelemvor4 · · Score: 0

      If the company was hacked and the passwords were stored insecurely, then it is responsible. If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable. They didn't decide your password. They allow you the freedom to set it yourself. Don't be a fool and split passwords among various services. Seriously. You can't complain when it has been repeated so often NOT TO USE COMMON PASSWORDS. YOUR SECURITY IS THAT OF THE WEAKEST PASSWORDS. You can't complain because you failed to enable two-factor. You can't complain if your password was easy to guess and the attackers guessed it (you can if the company allows millions to be tested without locking out your account and blocking the attack, this is a brute force password break, and should be mitigated in authentication software).

      Ahh, because when you visit icloud.com your monitor will eject a fingerprint scanner for you to use. I forgot about that feature!

    4. Re:meta discussion who is responsible for hacks? by Guy+Harris · · Score: 1, Insightful

      (and modded -5 in 5.. 4... 3... 2... 1... see ya!)

      Posted at 1:48 PM Pacific Daylight Time; it is now 2:21 PM Pacific Daylight time, and its current score is 2.

      So either it was modded -5 and then un-modded, or it wasn't modded -5 at all.

    5. Re:meta discussion who is responsible for hacks? by macs4all · · Score: 1

      Except that when 40M people are locked out of their Apple accounts, it will inevitably make Apple look bad, regardless of how dumb their user base is.

      This is why every smart company will move to two factor authentication before long.

      iOS offers 2FA. However, it is up to the user to use it.

    6. Re:meta discussion who is responsible for hacks? by DRJlaw · · Score: 1

      If a second company gets hacked and you shared the same passwords, the second company is responsible for the damage done to it, and you are responsible for the damage done to you. The first company should not be held accountable.

      Foreseeable consequence of disclosing the password, so whether the first company can be held accountable is very much open to debate, unless they've had the foresight to drop something appropriate into their terms and conditions. Even then, the FTC has a few things to say concerning data breaches, including login/password information breaches.

      You can't complain when it has been repeated so often NOT TO USE COMMON PASSWORDS. YOUR SECURITY IS THAT OF THE WEAKEST PASSWORDS.

      Yes, you can. If a company is disclosing confidential information, you can complain. It remains to be seen whether a reasonable consumer would be expected to use and remember a unique password for the tens to hundreds of sites that they use in a given year. You can tout best practices until the cows come home, but the FTC's standards for a reasonable consumer do not automatically rise to that level.

      You can't complain because you failed to enable two-factor.

      Please explain where and how Apple has promoted two factor to people who are not interested in reading the Apple press. Device notification? Prominent email? Anything? Because this is the first time I've heard of two factor for iCloud/iTunes accounts.

      You can't complain if your password was easy to guess and the attackers guessed it (you can if the company allows millions to be tested without locking out your account and blocking the attack, this is a brute force password break, and should be mitigated in authentication software).

      Undercut your own argument surprisingly quickly on that one...

    7. Re:meta discussion who is responsible for hacks? by thoromyr · · Score: 2, Insightful

      ah, trolls. It was tempting to mod you appropriately (I have the points), but I dislike down-modding and reserve it for the never-give-up (like APK). Do you understand how your smug and self-conceited claim to be moderated into oblivion was, at best, a self-fulfilling prediction (after all, you posted a troll comment, so why would the comment not be moderated as such?)

      This "local Apple fanboy" wouldn't happen to be a figment of your imagination, would he? I mean, such a creature is possible, but considering you are completely ignoring the reported facts you are either a bigger troll than you look, or so self deluded in your hatred of Apple that you are blind.

      Many normal users (who, by the way, are largely *windows* users simply due to the weight of numbers -- platform really is irrelevant) use a single, bad password for everything. So when linkedin gets hacked and their bad password is cracked -- the bad guy now has the password and can do anything the user can do with the password. Which, for iOS devices, includes locking the device and posting a message.

      Is Apple wrong to empower its users with this in case their device is lost?

      Is Apple responsible for users selecting weak passwords and then re-using them?

      Is Apple responsible for the security of unrelated third parties?

      Unless you can answer yes to all of those then Apple is not responsible. And I'm very glad that we do not live in a world where any of those are true.

    8. Re: meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      iCloud.com asks for your pin code, sent to your other devices. Not all two factor is biometrics

    9. Re: meta discussion who is responsible for hacks? by Dixie_Flatline · · Score: 1

      Ugh, no.

      Use weak, shitty passwords for weak services. Who cares? Let them take your forum account. Use the same dumb easy to remember password in as many places as you can get away with so you can remember a strong password for each important service.

      It's hard to remember a lot of passwords, and some things aren't worth protecting, honestly. It just takes up headspace to try. But make sure you've got something good when it counts and don't use it anywhere else.

    10. Re: meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      Two factor will be the ONLY choice in the near future.

    11. Re: meta discussion who is responsible for hacks? by Ronin+Developer · · Score: 2

      Is Apple responsible for users selecting weak passwords? Yes and no.

      Forcing a user to use a TFA protocol significantly reduces the danger a weak or reused password might pose.

      Can Apple stop someone from reusing a password (weak or otherwise)? No.

      Can Apple force users to use TFA? Yes.

    12. Re: meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      That's still a lot to remember. How about a long pass phrase with the words in different orders on each site? That way you keep the benefit of a good password everywhere and it's not really the same but still only 1 thing to remember.

    13. Re: meta discussion who is responsible for hacks? by macs4all · · Score: 1

      Two factor will be the ONLY choice in the near future.

      Did I miss something in the Keynote?

    14. Re:meta discussion who is responsible for hacks? by myowntrueself · · Score: 0

      Posting ANYTHING negative, or even non-complimentary, about Apple on slashdot is guaranteed to get you modded to oblivion, so I figure hey what the hell! I may as well be hung for a sheep as for a lamb!

      --
      In the free world the media isn't government run; the government is media run.
    15. Re:meta discussion who is responsible for hacks? by myowntrueself · · Score: 1

      (and modded -5 in 5.. 4... 3... 2... 1... see ya!)

      Posted at 1:48 PM Pacific Daylight Time; it is now 2:21 PM Pacific Daylight time, and its current score is 2.

      So either it was modded -5 and then un-modded, or it wasn't modded -5 at all.

      I am shocked. SHOCKED. Where are all the fanboys??? Oh maybe all their slashdot accounts got hacked too! :D

      --
      In the free world the media isn't government run; the government is media run.
    16. Re: meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      They could get one of the myriad common password lists floating about the internet and deny based on that.

    17. Re:meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      A 3 second google search consisting of "Apple two factor" tells you exactly how their system works. But hey -- great job being an incompetent, useless lazy asshole who knows nothing about what he is talking about. You're in good company here on Slashdot these days.

    18. Re:meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      He didn't undercut anything. Type your password wrong into just about any Apple app 3-4 times and you lock your account out for 15 minutes. Keep doing it and you lock the account out for like a day.

      https://support.apple.com/en-us/HT204106

    19. Re: meta discussion who is responsible for hacks? by bheerssen · · Score: 1

      No... just no.

      Use a good password manager instead, one that uses an encrypted database. Store that database on a cloud sync service such as Dropbox or OneDrive so you can share it among your devices. Even if the cloud service is compromised, your data is safe and you still have your local copies, and you only have to remember a small number of passwords.

      --
      (Score: -1, Stupid)
    20. Re:meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      Nah, good company these days are the people who do a 3 second google search and then pretend they're experts.

    21. Re:meta discussion who is responsible for hacks? by Anonymous Coward · · Score: 0

      He must have used the Edit feature.

  3. We don't know what happened! by Anonymous Coward · · Score: 0

    But we sure like to make lots of noise about it! With important sounding scary woooords!

  4. Safe in the Cloud by Anonymous Coward · · Score: 0

    Don't worry! Your data is safe in the cloud. Keep all your data in the cloud. Just pay the ransom, and get all your data back from the cloud.

    Occasionally the cloud rains.

  5. No connection by Anonymous Coward · · Score: 0, Informative

    There's no connection between the hacked forums and the Apple ID incident. According to this Softpedia article (who apparently talked to the hacker), he used a vBulletin zero-day to hack the forums. What does that have to do with Apple? http://news.softpedia.com/news...

  6. Re: FAKE by Anonymous Coward · · Score: 0

    Don't insult gay people, please

  7. Slashdot is deleting comments by Anonymous Coward · · Score: 0, Offtopic

    Sorry for the off-topicness

    Well, it's official.

    I suspected it a while ago, and yesterday I added a comment regarding the Dallas terror / terrorist attacks in one of the other threads. I check now and it's gone. And yes I checked for negative / hidden comments etc..

    I thought Slashdot would not selectively delete comments ?!

    1. Re:Slashdot is deleting comments by sexconker · · Score: 1, Offtopic

      They've been doing it a lot more since the last buyout. I've had several deleted, none of which were even trolling.

    2. Re: Slashdot is deleting comments by Anonymous Coward · · Score: 0

      Good. They have every right to.

    3. Re: Slashdot is deleting comments by Anonymous Coward · · Score: 0

      My thoughts exactly.
      I'm glad you're around to help me decide about things like that.
      Us ACs have to stick together!

    4. Re:Slashdot is deleting comments by amicusNYCL · · Score: 2

      Do you have any proof? Screenshots, internet archive, etc? Anything at all?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re: Slashdot is deleting comments by Anonymous Coward · · Score: 1

      To be fair, "productive posters" are usually vitriolic idiots. Real slashdot discussions died about a decade ago.

  8. Re: FAKE by campuscodi · · Score: 0

    Don't censor the people that insult gay people that aren't really gay!

  9. Obviously you thought wrong by Anonymous Coward · · Score: 0

    Then again, this is a new crew, enamoured with vapid breathless bullshit and not so much with... other things.

  10. The Fappening 2: Electric Boogaloo by Anonymous Coward · · Score: 0

    I'm ready.

    Too bad the sequel is never as good as the original.

  11. so... by Anonymous Coward · · Score: 0

    when can we download all of the fappening 2.0 pics?

  12. Re:FAKE by myowntrueself · · Score: 0

    using the word "fanboy" confirms you're gay

    That would be 'fanboipussy'

    --
    In the free world the media isn't government run; the government is media run.
  13. Let's be clear... by friedmud · · Score: 5, Insightful

    These are not "compromised Apple ID credentials"... they are compromised email addresses and passwords for OTHER mac/apple related websites... so if you're dumb enough to reuse your Apple ID email address and password on those sites they might match up.

    1. Re:Let's be clear... by amicusNYCL · · Score: 1

      If you have a set of Apple ID credentials, and someone steals credentials from another site and then notices they also work on the Apple service, wouldn't you call that a compromised set of Apple ID credentials?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Let's be clear... by Anonymous Coward · · Score: 0

      Mod parent up, he has a damn good point. It may not be Apple's fault (that's yet to be decided, it could very well be) but if user b has user a's name and password for their account, it sure as hell sounds like a compromised account to me, regardless of how it was compromised to begin with.

    3. Re:Let's be clear... by Anonymous Coward · · Score: 0

      We're talking about Apple users here.

  14. whew by Anonymous Coward · · Score: 0

    thank god i use linux

  15. Not a Russian by Anonymous Coward · · Score: 0, Interesting

    Smells like another NSA stunt to blame on Russia for cyber-hacking the whole world bullshit. Why would they write instructions in Russian and consequently only directly address a tiny proportion of users? Anyone capable of creating ransomware and targeting the whole world would write it in English, period.

    1. Re:Not a Russian by Anonymous Coward · · Score: 0

      Smells like another NSA stunt to blame on Russia for cyber-hacking the whole world bullshit. Why would they write instructions in Russian and consequently only directly address a tiny proportion of users? Anyone capable of creating ransomware and targeting the whole world would write it in English, period.

      It must be NSA. Everyone who ever lived in ex soviet block knows that majority of Russian population nowadays only speaks "matom". NSA nerds couldn't possibly know that.

  16. What hack? by ilsaloving · · Score: 4, Informative

    I read this, thinking, "What hack?" cause I haven't had any issues at all. Then I realized what actually happened. This sounds like the same thing that happened with the supposed hacking of Teamviewer. It was a matter of people reusing the same credentials in multiple locations, so as soon as one low-security place is compromised, you're still screwed in other places even if they have high security.

    All I can say is that, today, you *have* to use either MFA or a personal password database, preferably both. I use 1password to store all my passwords, and Duo Security (free for personal use) for MFA. There are other options as well, such as Google Authenticate for MFA, or keypass for password storage.

    1password is relatively expensive, but it's virtually hassle free and will let me sync my db across all my devices (Linux is read-only, unfortunately) and integrates with all major browsers. I don't use Keypass, but IIRC it works on all platforms including Linux, but its browser plugins are lacking.

    The most important aspect of password databases, is that they let you generate a very long, random password that is unique to the site you visit. You don't care what the password is, because you can just call it up from the database, but it makes your account essentially unhackable (provided the site you're accessing doesn't do something stupid like store the passwords in plain text).

    This is 2016, not 1970. People can no longer afford to be naive about password management anymore. It would be nice if articles like these could take a couple moments out of their breathless handwaving to let people know that these options exist.
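The reuse scenario described in the comment above, seen from the service operator's side, as an added example that is not part of the original thread: when a third-party dump surfaces, a service can test the leaked email/password pairs against its own salted hashes and triage which accounts need a reset. The PBKDF2 storage format, the record layout, the MFA-based triage policy and all account data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed for this example)


def normalize_email(email):
    """Dumps vary in case and whitespace; compare on a canonical form."""
    return email.strip().lower()


def hash_password(password, salt):
    """Salted, slow hash as the service is assumed to store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email, password, mfa_enabled):
    """Build one user-store record (hypothetical layout)."""
    salt = os.urandom(16)
    return {
        "email": normalize_email(email),
        "salt": salt,
        "hash": hash_password(password, salt),
        "mfa": mfa_enabled,
    }


def triage_breach_dump(user_store, breach_rows):
    """Classify local accounts that appear in a third-party breach dump.

    breach_rows is an iterable of (email, leaked_plaintext_password).
    A leaked password only matters here if it verifies against OUR hash
    for the same email, i.e. the user reused it on this service.
    """
    by_email = {u["email"]: u for u in user_store}
    seen, matched = set(), set()
    for email, leaked_password in breach_rows:
        user = by_email.get(normalize_email(email))
        if user is None:
            continue  # address is not one of our accounts
        seen.add(user["email"])
        candidate = hash_password(leaked_password, user["salt"])
        # Constant-time comparison, same as a normal login check.
        if hmac.compare_digest(candidate, user["hash"]):
            matched.add(user["email"])
    return {
        # Reused password and no second factor: takeover needs nothing else.
        "force_reset": sorted(e for e in matched if not by_email[e]["mfa"]),
        # Reused password, but a second factor still stands in the way.
        "reset_next_login": sorted(e for e in matched if by_email[e]["mfa"]),
        # Address leaked, password differs here: notify, no reset needed.
        "email_only": sorted(seen - matched),
    }


# Constructed sample data: four local accounts and a fake forum dump.
USERS = [
    make_user("alice@example.com", "Summer2016!", mfa_enabled=False),
    make_user("bob@example.com", "correct horse battery", mfa_enabled=False),
    make_user("carol@example.com", "macfan123", mfa_enabled=True),
    make_user("dave@example.com", "x9#Lq2-vT8", mfa_enabled=False),
]
FORUM_DUMP = [
    ("Alice@Example.com ", "Summer2016!"),  # reused, no MFA
    ("bob@example.com", "bobforum1"),       # different password here
    ("carol@example.com", "oldpass"),       # stale entry from an older dump
    ("carol@example.com", "macfan123"),     # reused, MFA enrolled
    ("eve@example.net", "whatever"),        # not a local account
]

if __name__ == "__main__":
    for bucket, emails in triage_breach_dump(USERS, FORUM_DUMP).items():
        print(f"{bucket}: {emails}")
```

An account with a unique password on this service lands in `email_only` at worst, which is the outcome the password-manager advice in the comment is aiming for.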

    1. Re: What hack? by Anonymous Coward · · Score: 0

      Er and what happens if someone hacks 1password and can either beat their encryption or it turns out that 1password have made a boo boo somewhere and are not as secure as they thought?
      They're another Corp who might just pay off an attacker, just like most big corps would, how much is their business worth to the owners.
      Exactly what kind of value of damage would be done if an attack was successful and say, 1password didn't know/realise they had been opened up, how many folk have their banking credentials etc with 1password?
      Sorry, but I just don't trust anyone else enough to do a job that I can do myself just as well as they can, possibly better, they, just like you, me and 6 billion others have a pretty good record of cocking things up on a regular basis, most folk seem to be much greedier than I am, I trust no-one else with my security, basically I just don't trust anyone about anything, full stop, not even my partner or our daughter.. many would say this must make me a sad git, but I argue that no matter what people say, they do not trust anyone 100%, it's not how humans work, if they do, it's self delusion, lying or being simple minded..

    2. Re:What hack? by Anonymous Coward · · Score: 0

      The problem with 1password and similar solutions is that if a keylogger gets your 1password password you're owned. Multi factor authentication is the only real solution at this point.

    3. Re:What hack? by aralin · · Score: 1

      I use Touch ID to open my 1Password app and hopefully from the next version of macOS, I should be able to unlock it on mac through a Touch ID on my phone.

      --
      If programs would be read like poetry, most programmers would be Vogons.
    4. Re:What hack? by Anonymous Coward · · Score: 0

      What a refreshingly excellent post, free from chicken-little-isms and whining.

    5. Re: What hack? by Anonymous Coward · · Score: 0

      Okay, how do you manage your passwords then? If you can remember them, you're actually less secure than if you used a password manager.

      If they are in a file text on your hard drive, a malware can pwn you even more easily than if you used a password manager.

      No solution is perfectly safe, and password managers are probably the safest.

  17. Stop Trolling Me, Slashdot!!! by zenlessyank · · Score: 0

    You KNOW I hate Apple. This just makes me smile. I know you hate making me smile, so what gives?

    1. Re:Stop Trolling Me, Slashdot!!! by Anonymous Coward · · Score: 0

      But it also gives us the opportunity to laugh at your stupidity.

  18. blackmail by Anonymous Coward · · Score: 0

    But the worse kind of infiltration is the ones that the big boys bury, if someone had a repeatable way in to, say Apple's servers, that Apple could not fathom how it's being done, exactly how much do you reckon they would pay for someone to please stop, and here's a very large sum of money to tell us how you're doing it... you really think they would make it public knowledge, if it was done properly, only a very few folk at the top of whichever Corp it is would have any knowledge of such an attack, + possibly one or two from their security branch and possibly one or two in government, but a tiny number would be told, just how much is their reputation for being secure worth?
    I wouldn't say no to 10% of whatever they would pay an attacker to go away and hand over how it's being done!!

  19. I suspected by Anonymous Coward · · Score: 0

    I suspected this was coming, no less than 3 times last week was my iCloud account locked due to multiple failed attempts to login. Of course I expect everything I sign up to will be hacked so my email has a different password (and now 2 factor auth).

  20. ha ha by Anonymous Coward · · Score: 0

    nelson.jpg suck it vapor heads

  21. February you say? by sims+2 · · Score: 1

    Someone reset my Apple ID password on February 27th 2016. Do you think it could be related?

    Account has since been recovered and as far as I can tell nothing else was changed.

    --
    Minimum threshold fixed. Thanks!