Leaked iCloud credentials obtained from third parties, Apple says

Apple is confident its iCloud and Apple ID services haven't been compromised

A group of hackers threatening to wipe data from Apple devices attached to millions of iCloud accounts didn't obtain whatever log-in credentials they have through a breach of the company's services, Apple said.

"There have not been any breaches in any of Apple's systems including iCloud and Apple ID," an Apple representative said in an emailed statement. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."

A group calling itself the Turkish Crime Family claims to have login credentials for more than 750 million icloud.com, me.com and mac.com email addresses, and the group says more than 250 million of those credentials provide access to iCloud accounts that don't have two-factor authentication turned on.

The hackers want Apple to pay $700,000 -- $100,000 per group member -- or "$1 million worth in iTunes vouchers." Otherwise, they threaten to start wiping data from iCloud accounts and devices linked to them on April 7.

In a message published on Pastebin Thursday, the group said it also asked Apple for other things, which it doesn't want to make public.

"We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved," the Apple representative said. "To protect against these type of attacks, we recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."

The hacker group confirmed there has been no breach of Apple services and hinted the leaked credentials were obtained through compromises on third-party websites.

To some extent, that would be possible because many users reuse their passwords across multiple websites and because most websites ask users to log in with their email addresses. However, the unusually high numbers advanced by the group are hard to believe.

It's also hard to keep up with the group's claims, as at various times over the past few days, it has released conflicting or incomplete information that it has later revised or clarified.

The group claims that it started out with a database of more than 500 million credentials that it has put together over the past few years by extracting the icloud.com, me.com and mac.com accounts from stolen databases its members have sold on the black market.

The hackers also claim that since they made their ransom request public a few days ago, others have joined their effort and shared even more credentials with them, putting the number at more than 750 million.

The group claims to be using 1 million high-quality proxy servers to verify how many of the credentials give them access to unprotected iCloud accounts.

Apple provides two-factor authentication for iCloud, and accounts with the option turned on are protected even if their password is compromised.

The latest number of accessible iCloud accounts advanced by the Turkish Crime Family is 250 million. That's an impressive ratio of one in every three tested accounts.

Moreover, if 750 million iCloud passwords are truly the result of password reuse on other websites, the other databases must have had billions of accounts combined or the password reuse ratio must have been unusually high. The largest ever data breach was from Yahoo with a reported 1 billion accounts.

"I think the whole thing is a beat-up," security expert Troy Hunt, creator of the HaveIBeenPwned.com website, said by email. "At best they’ve got some reused credentials, but I wouldn’t be surprised if it’s almost entirely a hoax."

Hunt hasn't seen the actual data that the Turkish Crime Family claims to have, and there isn't much evidence aside from a YouTube video showing a few dozen email addresses and plain text passwords. However, he has significant experience with validating data breaches and has seen many bogus hacker claims over the years.

To be on the safe side, users should follow Apple's advice and create a strong password for their account and turn on two-factor authentication or two-step verification at the very least.


Lucian Constantin

IDG News Service