Some Of Hacker Group's Claims Of Having Access To 250M iCloud Accounts Aren't False (zdnet.com)
Earlier this week, a hacker group claimed that it had access to 250 million iCloud accounts. The hackers, who called themselves part of the Turkish Crime Family group, threatened to reset the passwords of all the iCloud accounts and remotely wipe those iPhones. Apple could stop them, they said, if it paid them a ransom by April 7. In a statement, Apple said, "the alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," and that it is working with law enforcement officials to identify the hackers. Now, ZDNet reports that it obtained a set of credentials from the hacker group and was able to verify some of the claims.

From the article: ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid, based on a check using the site's password reset function. These accounts include "icloud.com," dating back to 2011, and legacy "me.com" and "mac.com" domains from as early as 2000. The list of credentials contained just email addresses and plain-text passwords, separated by a colon, which according to Troy Hunt, data breach expert and owner of notification site Have I Been Pwned, makes it likely that the data "could be aggregated from various sources." We started working to contact each person, one by one, to confirm their password. Most of the accounts are no longer registered with iMessage and could not be immediately reached. However, 10 people in total confirmed that their passwords were accurate, and as a result have now been changed.
More or less. Here's some information not mentioned in the summary...
By all appearances, Apple's assertion that this is a collection of information obtained from other sources, rather than an actual iCloud leak, appears to be true, so it's not likely a dictionary attack against iCloud, so much as it is data obtained from other hacks. Even so, that doesn't negate the risk these users face; it merely shifts the blame to third parties. Of course, the fact that a lot of this data appears to be outdated or else linked to accounts no longer in use may end up saving quite a few people from the hassle of dealing with the fallout of a hacked account.
Also, sounds like this hacking group is a farce, given that they "fired" one of their members and have been sending conflicting messages to the media while asking whether or not CBS will cover them.