Slashdot Mirror


Some Of Hacker Group's Claims Of Having Access To 250M iCloud Accounts Aren't False (zdnet.com)

Earlier this week, a hacker group claimed that it had access to 250 million iCloud accounts. The hackers, who called themselves part of the Turkish Crime Family group, threatened to reset the passwords of all the iCloud accounts and remotely wipe those iPhones. Apple could stop them, they said, if it paid them a ransom by April 7. In a statement, Apple said, "the alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," and that it is working with law enforcement officials to identify the hackers. Now, ZDNet reports that it obtained a set of credentials from the hacker group and was able to verify some of the claims.

From the article:

ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid, based on a check using the site's password reset function. These accounts include "icloud.com," dating back to 2011, and legacy "me.com" and "mac.com" domains from as early as 2000. The list of credentials contained just email addresses and plain-text passwords, separated by a colon, which according to Troy Hunt, data breach expert and owner of notification site Have I Been Pwned, makes it likely that the data "could be aggregated from various sources."

We started working to contact each person, one by one, to confirm their password. Most of the accounts are no longer registered with iMessage and could not be immediately reached. However, 10 people in total confirmed that their passwords were accurate, and as a result have now been changed.

45 comments

  1. Dictionary attack? by known_coward_69 · · Score: 4, Interesting

    Chances are people reuse passwords and they were able to log on to people's iCloud using credentials from another site.

    1. Re:Dictionary attack? by Anubis+IV · · Score: 4, Informative

      More or less. Here's some information not mentioned in the summary...

      • Most of the people admitted to reusing the password on other major sites, though a few claimed they hadn't.
      • None of the people ZDNet reached had changed their iCloud password since first opening it.
      • All of the people ZDNet was able to reach were located in the UK. The hackers refused to turn over any US-based account credentials.
      • ZDNet seems to think the compromise(s) must've happened somewhere between 2011 and 2015, based on info from the users, but I'm not sure I trust that assessment (they indicated none of the passwords had changed, but also said at least one of the passwords was no longer in use which allowed them to specify a date range, but I don't see how both can be true).

      By all appearances, Apple's assertion that this is a collection of information obtained from other sources, rather than an actual iCloud leak, appears to be true, so it's not likely a dictionary attack against iCloud, so much as it is data obtained from other hacks. Even so, that doesn't negate the risk these users face; it merely shifts the blame to third-parties. Of course, the fact that a lot of this data appears to be outdated or else linked to accounts no longer in use may end up saving quite a few people from the hassle of dealing with the fallout of a hacked account.

      Also, sounds like this hacking group is a farce, given that they "fired" one of their members and have been sending conflicting messages to the media while asking whether or not CBS will cover them.

    2. Re:Dictionary attack? by goombah99 · · Score: 1

      If this is true then why hasn't Apple sent me a password reset notice? In this particular case I agree with them not paying the ransom as there's no way to verify the passwords would be deleted.

      Verifying 50 is not a convincer they have millions. Turning over 5 to 10% of the number would be. The fact they could easily have done that and didn't tells me they don't have this.

      Of course that didn't stop me from changing my password just in case.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re: Dictionary attack? by Zero__Kelvin · · Score: 1

      They mean nobody has used it in a long time. Presumably the account owner switched to Android or created a second account and used that after a certain date.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Dictionary attack? by Anubis+IV · · Score: 1

      Even if we took it to mean that, it doesn't change ZDNet's inability to use the info to narrow the range of dates.

      The password was clearly still associated with an account, even if that account was no longer in active use. Likewise, the password may have been reused with inactive accounts elsewhere, any one of which may have been compromised at any time. Just because the person only used the account in question between 2011 and 2015 doesn't mean that that's the only time the credentials could have been stolen.

    5. Re:Dictionary attack? by Anonymous Coward · · Score: 0

      Considering the ransom is only $75,000 and actually losing any decent amount of those accounts would cost Apple millions, I'm betting they pay.

    6. Re:Dictionary attack? by Anonymous Coward · · Score: 0

      Chances are you're twat-waffle.

    7. Re:Dictionary attack? by n3r0.m4dski11z · · Score: 1

      "By all appearances, Apple's assertion that this is a collection of information obtained from other sources, rather than an actual iCloud leak, appears to be true"

      "Most of the people admitted to reusing the password on other major sites, though a few claimed they hadn't."

      I reuse passwords too. There ain't no one who doesn't. That some had unique passwords is significant, yet you gloss over that. You can think that some users are lying, but I'll bet it's for real. I reuse passwords, but for very important services they are of course unique. Having remote wipe on a phone seems to fall in that category, so I am inclined to believe that some are telling the truth.

      If even one is, it means that somewhere got compromised. Maybe they only have a few hundred accounts, but still, they probably do have the ability to do what they say they can do, and most users should change their passwords in any case.

      can't be too careful...

      --
      -
    8. Re:Dictionary attack? by Anubis+IV · · Score: 1

      I reuse passwords too. There ain't no one who doesn't.

      Sure there are. You're talking to a site full of nerds who use password managers that generate unique passwords. Hell, I've got my parents and wife doing it too.

  2. Can we get some diversity in the submissions here? by Anonymous Coward · · Score: 0

    Nearly all submissions here lately have to do with one or more of these four topics:

    1) Politics
    2) Apple, Amazon, Microsoft, Google, Facebook, and/or Twitter
    3) "Climate Change"
    4) Movies

    They just repeat over and over and over and over and over and over again.

    It's rare to see a relevant article about computer programming, for example.

    I have to go back almost a week, to last Sunday (it's Friday today), before I find the most recent submission about programming. Now it is a very, very shitty submission, but at least it has something to do with programming.

    I know, I know, I could submit some submissions on my own, but I refuse to do that. Why? Firstly, it requires an account now, which I refuse to make. We didn't need an account to submit stories in the past. We shouldn't need one now. And secondly, it would be a supreme waste of my time. The submissions likely wouldn't end up on the front page because they'd actually be interesting and relevant, which seems like a certain way of getting a submission discarded.

    Editors, let's try to get some interesting submissions on the front page, okay?

  3. Re: Can we get some diversity in the submissions h by Anonymous Coward · · Score: 0

    Agreed.

    [ something about Natalie Portman and grits! ]

  4. Not False by Anonymous Coward · · Score: 1

    Is it true then?
    Maybe they have 249,998,743. If that's so, the claim of them having 250M accounts is a blatant, egregious lie and everyone involved should be taken to task and reprimanded.

  5. Re:Can we get some diversity in the submissions he by Anonymous Coward · · Score: 0

    We need more articles about 3D printing, drones, and SystemD plz. Thanks in advance!

  6. It might not always be partially incorrect by theraptor05 · · Score: 4, Funny

    Some (but not all) parts of the headline are mostly not entirely unlike parsable English

    1. Re:It might not always be partially incorrect by DontBeAMoran · · Score: 2

      I read your comment while drinking a cupful of liquid that is almost, but not quite, entirely unlike tea.

      --
      #DeleteFacebook
    2. Re:It might not always be partially incorrect by sexconker · · Score: 1

      It's fucking ridiculous.

      "Some Of Hacker Group's Claim Of Having Access To 250M iCloud Account Aren't False"

      Let's start with the easiest thing to correct. "250M iCloud Account" should be "250 Million iCloud Accounts".
      And while we're telling shitty headlines to fuck off, we can tell them to at least follow their own bullshit rules and not capitalize the first letter of "of". I fucking hate style guides (because they're arbitrary, inconsistent, and ambiguous) but no major style guide (such as AP, Chicago, APA, and MLA) says to capitalize "of" in a headline.
      Now let's tackle the core problem here: "Some", "Claim", and "Aren't". As far as I know, we're counting this as a single claim, so we can say that "some" of it "isn't false". If we're counting it as multiple claims, we can say "some" of the "claims" (plural) "aren't false".
      For bonus points, we can kill off the double negative as well.

    3. Re:It might not always be partially incorrect by fluffernutter · · Score: 1

      I have notea, want some?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  7. Re:Can we get some diversity in the submissions he by DontBeAMoran · · Score: 1

    You could watch Thomas Sanladerer for 16h48m while he builds a Prusa i3 Clone from low-cost parts bought on AliExpress:
    Part 1 (2h40m)
    Part 2 (2h27m)
    Part 3 (2h55m)
    Part 4 (2h08m)
    Part 5 (2h37m)
    Part 6 (4h01m)

    --
    #DeleteFacebook
  8. Re:Hookers turned gay man straight by DontBeAMoran · · Score: 1

    The cake is a lie.

    --
    #DeleteFacebook
  9. So compared to The Fappening ... by Plumpaquatsch · · Score: 1

    They have more iCloud account credentials than the Fappening "hacker" had, but less than he had Google account credentials.

    And likely they used the same primitive phishing methods to get them. The End.

    --
    Of course news about a fake are Fake News.
    1. Re:So compared to The Fappening ... by 93+Escort+Wagon · · Score: 1

      But no one wants the photos from these iCloud accounts...

      --
      #DeleteChrome
  10. Re:iDontCare by K.+S.+Kyosuke · · Score: 1

    Well, it would be a nasty lesson, but still a lesson. Don't trust random online services with anything sensitive.

    --
    Ezekiel 23:20
  11. Re:Can we get some diversity in the submissions he by Anonymous Coward · · Score: 0

    Articles on computer programming per se have only been a small part of Slashdot content in the decades that I have been a member. "News for Nerds" has always included a much wider range of nerdly interests. There have always been much better places for articles about the nitty gritty aspects of programming.

    "2) Apple, Amazon, Microsoft, Google, Facebook, and/or Twitter" Those companies between them dominate the IT-verse, so the majority of significant IT-related stories are likely to feature them to some degree. Other companies are mentioned when they do something newsworthy; just in the last couple of pages of stories, I see SixXS, Intel, Uber and WikiLeaks, all not on your list.

  12. Ding Dongs by pablo_max · · Score: 2

    And there are still so many ding dongs that keep naked pics of themselves and other sensitive information in the cloud. Just carry your dick pics in an attache case to easily hand out to strangers, like a normal person. Sheesh.

    1. Re:Ding Dongs by Anonymous Coward · · Score: 0

      Heh, I'm using cloud2butt extension for Firefox, so your comment came out:

      And there are still so many ding dongs that keep naked pics of themselves and other sensitive information in my butt.

  13. Re:Can we get some diversity in the submissions he by ArchieBunker · · Score: 1

    Head over to SoylentNews. Very little politics and actual tech/hacker stuff. Plus they even have more creative trolls.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  14. Re:Hookers turned gay man straight by Anonymous Coward · · Score: 0

    It was probably a pastry. Fags are more likely to eat anointed pastries for obvious reasons.

  15. Lesson Learned by Monkier · · Score: 2

    email addresses and plain-text passwords, separated by a colon

    Always have a colon in your passwords!

    1. Re: Lesson Learned by Anonymous Coward · · Score: 0

      And a comma and a space. An apostrophe and a quotational mark sounds like a good idea too...

  16. Re:Can we get some diversity in the submissions he by AmiMoJo · · Score: 0

    Speaking of shitty submissions...

    "Some Of Hacker Group's Claim Of Having Access To 250M iCloud Account Aren't False"

    should be either

    "Some Of Hacker Group's Claims Of Having Access To 250M iCloud Account Aren't False"

    or

    "Some Of Hacker Group's Claim Of Having Access To 250M iCloud Account isn't False"

    Now go mod up some of my submissions if you want some variety.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  17. My idea for a solution: by Anonymous Coward · · Score: 0

    Apple could automatically reset EVERYONE'S passwords, and then send them an email telling them to change their passwords before they log in again. If Apple does this, they can avoid having to pay a ransom. Also, Apple will owe Anonymous Coward 50% of what they would have paid to these terrorists that threatened them.

    1. Re:My idea for a solution: by fluffernutter · · Score: 1

      They could at least reset the passwords of accounts that are known to have been obtained.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  18. Re:Can we get some diversity in the submissions he by Anonymous Coward · · Score: 0

    Gawd, I can remember when /. started as an alt-right political religious discussion forum. Good times back then with all of the swearing and "not-nice" speech, it was a great incubator for individuals to ratchet up the hostile to any living thing atmosphere we all enjoyed and loved. Great place for the less dominant sex, too. But, then z-net bought them out and turned it into this news-for-nerds site which offers no hope for humanity. How I miss the olde days!

    CAP === 'playtime'

  19. No password reset warnings by Anonymous Coward · · Score: 0

    It's possible that Apple wants all the @me email domains to go away, as well as an opportunity to force device owners to upgrade. If your device were to be wiped remotely, good luck finding compatible apps anymore. Apple no longer signs iOS 8 and I don't think versions of 9 any more. This would be detrimental to iPhone 5 devices and below such as iPad 2. Basically, eliminating 32-bit. Most, if any of these devices are not covered by a warranty anymore. It's more than likely that Apple would only be held accountable for the iCloud account and not the device.

  20. Re:Hookers turned gay man straight by Anonymous Coward · · Score: 0

    For the 'cream' filling?

  21. Re:iDontCare by ColdWetDog · · Score: 1

    You insensitive clod.

    --
    Faster! Faster! Faster would be better!
  22. Seems like an easy fix by Why2K · · Score: 1

    It seems like this would be pretty easy for Apple to prevent. They know this is coming, and they control the servers that would initiate the remote wipes. If they suddenly saw 250 million requests for remotely wiping devices, why would they actually carry those out?

  23. Speaking as the "Phone Guy" in IT by Cyberglich · · Score: 1

    I am debating talking my boss into a company-wide email (that 90% of people will ignore) to reset iPhone passwords. Or just making up a sign explaining what happened and putting it outside my cube when the phones start resetting...

  24. You got 54 verified accounts? Means nothing! by Anonymous Coward · · Score: 0

    Obviously the hackers are going to give out accounts they've verified. You've been scammed.

  25. Re:Can we get some diversity in the submissions he by fluffernutter · · Score: 1

    We don't talk NEARLY enough about grabbing pussy.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  26. Re:Can we get some diversity in the submissions he by fluffernutter · · Score: 1

    *gasp* you forgot Uber in your item #2 that contains almost everything technical in the world.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  27. Re:Can we get some diversity in the submissions he by Anonymous Coward · · Score: 0

    but STILL need people shilling for them here...