This story has been updated.
Some Aussie Apple users woke up Tuesday morning to a booming “Find My iPhone” app alarm and a message alerting them their devices had been hacked and locked, effectively held hostage.
iPhones can be located remotely by owners with a password and made to sound an alarm, locked or erased.
The alleged attacker gave a name — which may or may not be real — and demanded a ransom of $100 in some cases to unlock the affected iPhones, iPads and Macs. According to reports in Apple’s support forum, the message gave a name of the attacker and stated: “For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:email@example.com for unlock.”
The Sydney Morning Herald reported that users who had passcodes on their devices seemed to be able to unlock them. Those who had not set passcodes were unable to.
And some who had not assigned strong passcodes reported having to reset their devices to factory settings to gain access and, in the process, lost all stored data.
“Apple takes security very seriously and iCloud was not compromised during this incident,” Apple spokesman Laura Newell told The Washington Post. “Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”
Troy Hunt, an IT security expert, spoke with the Morning Herald, speculating that hackers could be using compromised log-in credentials from recent data breaches such as those affecting Adobe, eBay and Yahoo, to gain access to accounts and lock out users. Since many Internet users use the same passwords for multiple logins, other accounts can become vulnerable that way.
“It’s quite possible this is occurring by exploiting password reuse,” Hunt told the Morning Herald. “Regardless of how difficult someone believes a password is to guess, if it has been compromised in another service and exposed in an unencrypted fashion, then it puts every other service where it has been reused at risk. Of course, it also suggests that two-factor authentication was likely not used as the password alone wouldn’t have granted the attacker access to the iCloud account.”
Wired magazine states the theory makes sense since the hijack seems to have affected only a small number of Apple users, though many on Apple’s support forum say they had not reused passwords — at least, not that they remember.
The majority of the victims on the support forum are in Australia, but there has been at least one report each from the United States, the United Kingdom and New Zealand.
So now what?
9To5Mac details a few steps unaffected Apple users can take to make sure they stay that way:
Use unique passwords. Using the same password on multiple services (iCloud, Gmail, Facebook, etc.) puts all of your accounts at risk. An attacker who gains your password for one service can then try it on the others. If you use the same password on some of them, they’ll have access to everything. One great way to ensure you’re using a unique password on each website is to use an app like 1Password to manage them.
Use two-factor authentication. Two-factor authentication boosts your online security by requiring you to enter a time-sensitive code after logging in and before accessing your account. Not all web services offer this extra layer of security, but many do, including Gmail, Facebook, Twitter, and yes, even your Apple ID. You can use an app like Google Authenticator or Authy to manage these codes, or get them via SMS.
Use a passcode or Touch ID on your iOS devices. If you’re not already using Touch ID or a passcode to secure your iOS devices, it’s a good idea to add one. That will prevent malicious users from remotely adding one to lock you out. As noted above, unprotected devices can be remotely locked, while devices secured with a passcode or Touch ID cannot.
Apple also provides suggestions on its Web site for creating strong passwords.