Apple Devices Held For Ransom, Rumors Claim 40M iCloud Accounts Hacked; Apple-Related Forums Compromised

Steve Ragan, reporting for CSOOnline: Since February, a number of Apple users have reported locked devices displaying ransom demands written in Russian. Earlier this week, a security professional posted a message to a private email group requesting information related a possible compromise of at least 40 million iCloud accounts. Salted Hash started digging around on this story after the email came to our attention. In it, a list member questioned the others about a rumor concerning "rumblings of a massive (40 million) data breach at Apple." The message goes on to state that the alleged breach was conducted by a Russian actor, and vector "seems to be via iCloud to the 'locate device' feature, and is then locking the device and asking for money."In a separate report, the publication reports that three websites owned by Penton Technology -- MacForums.com, HotScripts.com, and WebHostingTalk.com -- have been compromised and their databases are now being sold on the Darknet. While nothing is confirmed, there is a possibility that some of the rumored 40M compromised Apple ID credentials may have come from these forums, or from LinkedIn's recent hack.

No connection

There's no connection between the hacked forums and the Apple ID incident. According to this Softpedia article (who apparently talked to the hacker), he used a vBulletin zero-day to hack the forums. What does that have to do with Apple? http://news.softpedia.com/news...

What hack?

[ilsaloving]

I read this, thinking, "What hack?" cause I haven't had any issues at all. Then I realized the what actually happened. This sounds like the same thing that happened with the supposed hacking of Teamviewer. It was a matter of people reusing the same credentials in multiple locations, so as soon as one low-security place is compromised, you're still screwed in other places even if they have high security.

All I can say is that, today, you *have* to use either MFA, a personal password database, preferably both. I use 1password to store all my passwords, and Duo Security (free for personal use) for MFA. There are other options as well, such as Google Authenticate for MFA, or keypass for password storage.

1password is relatively expensive, but it's virtually hassle free and will let me sync my db across all my devices (Linux is read-only, unfortunately) and integrates with all major browsers. I don't use Keypass, but IIRC it works on all platforms including Linux, but it's browser plugins are lacking.

The most important aspect of password databases, is that they let you generate a very long, random password that is unique to the site you visit. You don't care what the password is, because you can just call it up from the database, but it makes your account essentially unhackable (provided the site you're accessing doesn't do something stupid like store the passwords in plain text).

This is 2016, not 1970. People can no longer afford to be naive about password management anymore. It would be nice if articles like these could take a couple moments out of their breathless handwaving to let people know that these options exist.