Apple hints password reuse, not iCloud hack, at heart of locked iDevice ransom attacks

A compromise of Apple's services is not to blame for the recent ransom lockouts via Find My iPhone, according to the company.

Apple says an iCloud breach is not to blame for the recent spate of iOS devices held hostage by malicious actors via Apple's Find My iPhone service. Many users in Australia and several other countries have reported being locked out of their iDevices by a third party who demanded $100 to return control of the iPhones and iPads to their rightful owners.

The messages say the devices have been hacked by "Oleg Pliss," according to numerous Apple forum reports. The name Oleg Pliss appears to be an alias for a hacker, or group of hackers, responsible for the ransomware-like attack.

The bad guys sent the messages using Apple's Find My iPhone service, which is designed to let iOS device owners lock down their devices if they are lost or stolen. Using Find My iPhone, you can put your phone into lost mode, which locks the phone with a four-digit passcode. You can also force the device to make a loud beeping sound (even if the mute switch is on) and send a text message to the device.

It's not clear how the hackers were able to get access to the Find My iPhone settings of a large number of users, but Apple says its services aren't to blame.

Apple was unavailable for comment at this writing, but the company released a statement to ZDNet earlier:

Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.

Although the company didn't explicitly say so, Apple seems to be implying that these attacks were the result of reusing the same username and password across multiple online accounts. Troy Hunt, a developer and web security specialist based in Sydney, Australia, has also suggested this as the most likely scenario.

If password reuse was the culprit, that means the hackers probably gained access to the users' accounts by sifting through usernames and passwords from previous password database breaches.

And there certainly have been enough of those.

Password problems, password solutions

Adobe, AOL, Avast, Canonical, eBay, LaCie, and Ubisoft have all suffered major database breaches in the past year. EBay, the most recent company to lose control of its password database, alone had 128 million active users affected.

With so much password and username hacking going on, reusing the same passwords across multiple sites is just plain not a good idea. The best way to protect yourself from password breaches is to use strong, unique passwords for each website you frequent, never using the same password twice. To do otherwise is to risk a visit from Oleg Pliss.

It isn't as hard as it sounds. You can create unique passwords using either a password manager's random password generator or by coming up with a memorable system for managing passwords site-to-site. You'll definitely want to do it for especially sensitive online accounts such as email, social networking, banking, shopping sites like Amazon, and Apple's Find My iPhone or Google's Android Device Manager. Enabling two-factor authentication on any service that supports it is another smart security precaution.

Finally, make sure you know how to protect yourself against all kinds of PC-based scams out there such as phishing, fake emails, and phony update warnings.

It may be a pain to have different passwords for all your sensitive online accounts, but the alternative is exposing yourself to losing control of your devices or, as Wired writer Mat Honan discovered in 2012, losing your personal data completely.
