Slashdot Mirror


Some Of Hacker Group's Claims Of Having Access To 250M iCloud Accounts Aren't False (zdnet.com)

Earlier this week, a hacker group claimed that it had access to 250 million iCloud accounts. The hackers, who called themselves part of the Turkish Crime Family group, threatened to reset the passwords of all the iCloud accounts and remotely wipe those iPhones. Apple could stop them, they said, if it paid them a ransom by April 7. In a statement, Apple said, "the alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," and that it is working with law enforcement officials to identify the hackers. Now, ZDNet reports that it obtained a set of credentials from the hacker group and was able to verify some of the claims.

From the article: ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid, based on a check using the site's password reset function. These accounts include "icloud.com," dating back to 2011, and legacy "me.com" and "mac.com" domains from as early as 2000. The list of credentials contained just email addresses and plain-text passwords, separated by a colon, which according to Troy Hunt, data breach expert and owner of notification site Have I Been Pwned, makes it likely that the data "could be aggregated from various sources." We started working to contact each person, one by one, to confirm their password. Most of the accounts are no longer registered with iMessage and could not be immediately reached. However, 10 people in total confirmed that their passwords were accurate, and as a result have now been changed.

26 of 45 comments

  1. Dictionary attack? by known_coward_69 · · Score: 4, Interesting

    Chances are people reuse passwords and they were able to log on to people's iCloud using credentials from another site.

    1. Re:Dictionary attack? by Anubis+IV · · Score: 4, Informative

      More or less. Here's some information not mentioned in the summary...

      • Most of the people admitted to reusing the password on other major sites, though a few claimed they hadn't.
      • None of the people ZDNet reached had changed their iCloud password since first opening it.
      • All of the people ZDNet was able to reach were located in the UK. The hackers refused to turn over any US-based account credentials.
      • ZDNet seems to think the compromise(s) must've happened somewhere between 2011 and 2015, based on info from the users, but I'm not sure I trust that assessment (they indicated none of the passwords had changed, but also said at least one of the passwords was no longer in use which allowed them to specify a date range, but I don't see how both can be true).

      By all appearances, Apple's assertion that this is a collection of information obtained from other sources, rather than an actual iCloud leak, appears to be true, so it's not likely a dictionary attack against iCloud, so much as it is data obtained from other hacks. Even so, that doesn't negate the risk these users face; it merely shifts the blame to third-parties. Of course, the fact that a lot of this data appears to be outdated or else linked to accounts no longer in use may end up saving quite a few people from the hassle of dealing with the fallout of a hacked account.

      Also, sounds like this hacking group is a farce, given that they "fired" one of their members and have been sending conflicting messages to the media while asking whether or not CBS will cover them.

    2. Re:Dictionary attack? by goombah99 · · Score: 1

      If this is true then why hasn't Apple sent me a password reset notice? In this particular case I agree with them not paying the ransom as there's no way to verify the passwords would be deleted.

      Verifying 50 is not a convincer they have millions. Turning over 5 to 10% of the number would be. The fact they could easily have done that and didn't tells me they don't have this.

      Of course that didn't stop me from changing my password just in case.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re: Dictionary attack? by Zero__Kelvin · · Score: 1

      They mean nobody has used it in a long time. Presumably the account owner switched to Android or created a second account and used that after a certain date.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Dictionary attack? by Anubis+IV · · Score: 1

      Even if we took it to mean that, it doesn't change ZDNet's inability to use the info to narrow the range of dates.

      The password was clearly still associated with an account, even if that account was no longer in active use. Likewise, the password may have been reused with inactive accounts elsewhere, any one of which may have been compromised at any time. Just because the person only used the account in question between 2011 and 2015 doesn't mean that that's the only time the credentials could have been stolen.

    5. Re:Dictionary attack? by n3r0.m4dski11z · · Score: 1

      "By all appearances, Apple's assertion that this is a collection of information obtained from other sources, rather than an actual iCloud leak, appears to be true"

      "Most of the people admitted to reusing the password on other major sites, though a few claimed they hadn't."

      I reuse passwords too. There ain't no one who doesn't. That some had unique passwords is significant, yet you gloss over that. You can think that some users are lying, but I'll bet it's for real. I reuse passwords, but for very important services they are of course unique. Having remote wipe on a phone seems to fall in that category, so I am inclined to believe that some are telling the truth.

      If even one is, it means that somewhere got compromised. Maybe they only have a few hundred accounts, but still, they probably do have the ability to do what they say they can do, and most users should change their passwords in any case.

      can't be too careful...

      --
      -
    6. Re:Dictionary attack? by Anubis+IV · · Score: 1

      I reuse passwords too. There ain't no one who doesn't.

      Sure there are. You're talking to a site full of nerds who use password managers that generate unique passwords. Hell, I've got my parents and wife doing it too.

  2. Not False by Anonymous Coward · · Score: 1

    Is it true then?
    Maybe they have 249,998,743. If that's so, the claim of them having 250M accounts is a blatant, egregious lie and everyone involved should be taken to task and reprimanded.

  3. It might not always be partially incorrect by theraptor05 · · Score: 4, Funny

    Some (but not all) parts of the headline are mostly not entirely unlike parsable English

    1. Re:It might not always be partially incorrect by DontBeAMoran · · Score: 2

      I read your comment while drinking a cupful of liquid that is almost, but not quite, entirely unlike tea.

      --
      #DeleteFacebook
    2. Re:It might not always be partially incorrect by sexconker · · Score: 1

      It's fucking ridiculous.

      "Some Of Hacker Group's Claim Of Having Access To 250M iCloud Account Aren't False"

      Let's start with the easiest thing to correct. "250M iCloud Account" should be "250 Million iCloud Accounts".
      And while we're telling shitty headlines to fuck off, we can tell them to at least follow their own bullshit rules and not capitalize the first letter of "of". I fucking hate style guides (because they're arbitrary, inconsistent, and ambiguous) but no major style guide (such as AP, Chicago, APA, and MLA) says to capitalize "of" in a headline.
      Now let's tackle the core problem here: "Some", "Claim", and "Aren't". As far as I know, we're counting this as a single claim, so we can say that "some" of it "isn't false". If we're counting it as multiple claims, we can say "some" of the "claims" (plural) "aren't false".
      For bonus points, we can kill off the double negative as well.

    3. Re:It might not always be partially incorrect by fluffernutter · · Score: 1

      I have notea, want some?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  4. Re:Can we get some diversity in the submissions he by DontBeAMoran · · Score: 1

    You could watch Thomas Sanladerer for 16h48m while he builds a Prusa i3 Clone from low-cost parts bought on AliExpress:
    Part 1 (2h40m)
    Part 2 (2h27m)
    Part 3 (2h55m)
    Part 4 (2h08m)
    Part 5 (2h37m)
    Part 6 (4h01m)

    --
    #DeleteFacebook
  5. Re:Hookers turned gay man straight by DontBeAMoran · · Score: 1

    The cake is a lie.

    --
    #DeleteFacebook
  6. So compared to The Fappening ... by Plumpaquatsch · · Score: 1
    They have more iCloud account credentials than the Fappening "hacker" had, but less than he had Google account credentials.

    And likely they used the same primitive phishing methods to get them. The End.

    --
    Of course news about a fake are Fake News.
    1. Re:So compared to The Fappening ... by 93+Escort+Wagon · · Score: 1

      But no one wants the photos from these iCloud accounts...

      --
      #DeleteChrome
  7. Re:iDontCare by K.+S.+Kyosuke · · Score: 1

    Well, it would be a nasty lesson, but still a lesson. Don't trust random online services with anything sensitive.

    --
    Ezekiel 23:20
  8. Ding Dongs by pablo_max · · Score: 2

    And there are still so many ding dongs that keep naked pics of themselves and other sensitive information in the cloud. Just carry your dick pics in an attache case to easily hand out to strangers, like a normal person. Sheesh.

  9. Re:Can we get some diversity in the submissions he by ArchieBunker · · Score: 1

    Head over to SoylentNews. Very little politics and actual tech/hacker stuff. Plus they even have more creative trolls.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  10. Lesson Learned by Monkier · · Score: 2

    email addresses and plain-text passwords, separated by a colon

    Always have a colon in your passwords!

  11. Re:iDontCare by ColdWetDog · · Score: 1

    You insensitive clod.

    --
    Faster! Faster! Faster would be better!
  12. Seems like an easy fix by Why2K · · Score: 1

    It seems like this would be pretty easy for Apple to prevent. They know this is coming, and they control the servers that would initiate the remote wipes. If they suddenly saw 250 million requests for remotely wiping devices, why would they actually carry those out?

  13. Speaking as the "Phone Guy" in IT by Cyberglich · · Score: 1

    I am debating talking my boss into a company-wide email (that 90% of people will ignore) to reset iPhone passwords. Or just making up a sign explaining what happened and putting it outside my cube when the phones start resetting...

  14. Re:My idea for a solution: by fluffernutter · · Score: 1

    They could at least reset the passwords of accounts that are known to have been obtained.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  15. Re:Can we get some diversity in the submissions he by fluffernutter · · Score: 1

    We don't talk NEARLY enough about grabbing pussy.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  16. Re:Can we get some diversity in the submissions he by fluffernutter · · Score: 1

    *gasp* you forgot Uber in your item #2 that contains almost everything technical in the world.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.