If you don’t want to get hacked, don’t use the same password across different services.
And if you’re an Apple user, it’s a good idea to check your Apple ID and iCloud account to make sure it’s using a unique and long password today.
That’s because on Wednesday, a hacking group calling itself the Turkish Crime Family claimed to Business Insider that it had in its possession around “600m” iCloud passwords that it threatened to use to reset users’ accounts on April 7.
Apple told Business Insider in a statement that whatever passwords the hackers have did not come from a breach of Apple systems:
“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”
It is still possible that the group could have some users’ passwords. Several large breaches, including Yahoo and LinkedIn, have spread across the internet in recent years. If an Apple user used the same password and email across, say, LinkedIn and iCloud, then there’s a good chance that iCloud password is already publicly available.
Here’s what you can do to protect yourself:
- Turn on two-factor authentication. That means when you log on to your iCloud account it will ask for a 6-digit code sent to your phone. It’s annoying, but it’s the best way to ensure that your account remains your own. More info here.
- Don’t use the same password across services. When one of your accounts gets hacked and breached, hackers can essentially access all of your accounts that used the same password. In particular, make sure to use a different password for your Apple ID and your email account — here’s how to change your Apple ID password and here’s how to check if your password may already be public.
- Make sure your password is long, random, and unique. Don’t use your name, birthday, or other common words.
Why this matters now
Over the past few days, the hacking group calling itself the Turkish Crime Family has been contacting media outlets with basically the same story: They have in their possession either 200 million, or 250 million, or 519 million, or as many as 750 million credentials for Apple ID accounts culled from breaches of other services.
The hacking group also claimed that they had been in contact with Apple and were demanding $US75,000 in cryptocurrency like Bitcoin, or $US100,000 in Apple gift cards.
Otherwise, if Apple did nothing, “they are going to face really serious server issues and customer complaints,” a member of the hacking group told Business Insider in an email, in an attack scheduled for April 7. They claim that they are carrying out the attacks in support of the alleged Yahoo hacker.
A report from Motherboard about the ransom demand said that the hackers had shown the outlet an email from one of the hackers to an Apple product security specialist discussing the demands. That email is fake, a person with knowledge of Apple’s security operations told Business Insider.
Apple is in contact with law enforcement about the ransom demand, the person said. Apple isn’t sure if the group’s claims are true but people at the company doubt that they are.
There are other reasons to doubt the hackers’ claims, particularly their thirst for publicity and their fluid and changing story.
But even if they are telling the truth, Apple users can protect themselves by making sure their Apple ID password is unique and hasn’t been revealed in a previous breach.
“A breach means nothing in 2017 when you can just pull the exact same user information in smaller scales through companies that aren’t as secure,” the group purportedly said in a Pastebin in response to Apple’s statement.