"We believe this to be the largest known Apple account theft caused by malware," the blog post said.
Apple did not immediately respond to a request for comment.
The problem appears to be isolated to phones that were altered to bypass Apple's attempts to keep users safe.
Apple keeps tight control over what apps are allowed on iPhones, running basic security tests before allowing them to be downloaded. But some iPhone users have bristled at such restrictions, and to escape them, some people "jailbreak" their phones -- taking steps to get around restrictions built into the devices so they can install things not available in the official App Store.
That's legal at the moment thanks to the Librarian of Congress, who approved an exception to the Digital Millennium Copyright Act, allowing consumers to jailbreak their smartphones. But Apple discourages the practice. And this incident is a good example of why: Jailbreaking a phone can lead to new security risks.
U.S. consumers probably don't have to worry about this specific malware right now: KeyRaider seems to have only been spread through a Chinese app repository used by jailbreakers. More than half of the Apple IDs in the stolen cache were associated with e-mail accounts from a popular Chinese service, according to Palo Alto. Jailbreaking is particularly common in China, where whole industries have taken root profiting from it.
But there are some indications that Apple users in the United States, Britain and a slew of other countries may have also been affected, the researchers noted. And the whole situation is another reason everyday consumers may want to be wary before stepping outside of Apple's walled app garden.