Naked Security

‘Turkish’ hackers threaten to reset millions of iCloud accounts

Apple says it hasn't been breached, but is facing a ransom demand, payable in cryptocurrency ... or iTunes gift cards

A new band of hackers, styling itself the “Turkish Crime Family”, is claiming it has secured the details of some 200m iCloud accounts and that if Apple doesn’t pay a whopping $75,000 ransom in bitcoin or ethereum (or $100,000 in iTunes gift cards) it will wipe the lot.

There are a few problems to face initially. First, Apple says its systems haven’t been breached. The company told Naked Security:

There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

So 200m accounts obtained from previously compromised third-party services is OK? Obviously not, but there’s no suggestion that Apple itself is responsible for any compromised security. The Turkish Crime Family itself appears to be new on the security scene, believed to have started life in Istanbul but now resident in Green Lanes, north London, according to one report. Helpfully, the organisation has a Twitter account.

Another curious facet of the alleged breach is the demand for payment in extremely traceable iTunes vouchers; why would you not ask for something with a less clean audit trail? The group itself disputes the amount that’s been reported and blames a media relations operative (presumably the same one who put an email address for media inquiries on the Twitter profile):

The organisation has posted what it claims is video evidence to the Motherboard site.

David Kennerley, director of threat research at Webroot, is among the first to wonder whether the threat is actually real.

There are a lot of questions that need to be answered such as, do these hackers really have access to the data they claim? How did they get hold of such a large amount of data? Was it a vulnerability in Apple’s infrastructure or breach of third-party tool or organisation? Or does the fault lie with good old password re-usage between sites and apps from a consumer side?

Wherever the data originates, assuming it’s genuine, Apple faces the decision of whether to pay the ransom or to tough it out. Whichever way it goes, it will want to take precautions to see that this never happens again. Kennerley says:

Whether [the breach] proves to be huge news, or no news at all – it’s always good to remind ourselves, no matter the reputation of the organisation that we trust to protect our digital lives we should always take extra measures to protect our own privacy and data.

Our advice would be to assume the data has been compromised somehow; if it turns out to be a hoax, the worst thing that can happen is that your data is more secure.

Precautions include:

  • If your data is stored anywhere online, assume it could be compromised by a faulty server, deliberate action or the host company going bust. Have a backup – so if your primary host is wiped for any reason you still have your data.
  • Use two factor authentication where possible. Apple encourages it, and here’s an article about the whys and wherefores that we wrote a few months ago.
  • Don’t use the same password everywhere. We can’t say this often enough but people still do it.
  • Pick a strong password – here’s our advice on how to do that.
  • Observe the standard security hygiene protocols – don’t click on links from unknown sources, go to the website independently.

Finally, there are still people who believe their Apple hardware is completely safe from malware just because it’s Apple. It’s great kit and it works beautifully but nobody is safe – see our article on Apple security.


3 Comments

Apple could just restore from backup. Logging into and erasing 200 million accounts would take some time. If it started happening, Apple could easily block the attack.

How is this even a threat?

You know, that’s a good point.
Also, they’d have to have some sort of server or admin-level access to be able to wipe or delete accounts, or even a single server’s worth of accounts.

The Turkish Crime Family having that level of access would either entail an incredibly serious, hitherto unknown breach in Apple’s defenses (improbable), or the help of someone on the inside (more likely, but still doubtful).

If an Apple user wasn’t backing up their entire device to the Apple Cloud, a device that was wiped wouldn’t have everything for Apple to restore. I suspect there are quite a few users that don’t do Cloud backups, or only back up a portion of their data.