Someone claiming to be a group of hackers calling themselves the “Turkish Crime Family” has apparently been trying to extort money from Apple. As Motherboard reported a few days ago, the group claims to have login details for hundreds of millions of Apple accounts and is threatening to remotely wipe devices via iCloud unless it’s paid $75,000 in Bitcoin or $100,000 in iTunes gift cards. Today, ZDNet says that it was able to verify 54 accounts revealed by the hackers, although it’s still unclear how many other accounts they have or how they came by them.
In a statement, Apple said its systems have not been breached, and the alleged list appears to have been obtained from other sources. It also says it’s “actively monitoring” to prevent unauthorized access and is working with law enforcement.
There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.
We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.
Because of shared passwords, hackers frequently use details obtained in other breaches to try and access more valuable accounts, which may be happening here. Previously, we’ve seen hackers try to extort users directly this way, using Find My iPhone to remotely lock devices until they’re paid. We’ve contacted Apple and will update this post if there are any other details.
Now that at least some of the information has been verified, it seems like a good time for anyone who has (or used to have) an Apple or iCloud account to update and lock down their security settings. Even if these hackers (or someone else) have obtained a password for your account, using two-factor authentication should keep them from being able to access details or remotely wipe devices.
Instructions on setting up two-factor authentication for your Apple ID can be found here. Additionally, if you haven’t changed your password in a while, or have ever shared it with an account anywhere else, it’s a good idea to change it to something strong and unique. Visit Apple’s password reset page at https://iforgot.apple.com/ (check for the secure padlock and correct URL in your address bar) to do that now.