Apple: iCloud not compromised in Apple ID ransom scheme

“Almost a day-and-a-half after a number of Australian users reported finding their iCloud connected devices locked, with a message asking for money, Cupertino has finally acknowledged the situation,” Chris Duckett reports for ZDNet.

“In a short statement, the company said that iCloud was not compromised, and users should change their Apple ID password,” Duckett reports. “In full, Apple said: ‘Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.'”

“Affected Australian users woke up yesterday morning to find their phone, tablet, and even desktop or laptop, showed a message originating from Apple’s find my device service stating ‘Device hacked by Oleg Pliss’ and asking user send US$100 to unlock the device,” Duckett reports. “It is presumed that the attackers gained access to users’ Apple ID credentials, and from that point on, have been able to access the Find My iPhone service to lock the devices.”

Read more in the full article here.

MacDailyNews Take: The problem is that some people use one password for everything they do online and, when one thing gets compromised (eBay, for example), everything is accessible to criminals.

Use unique passwords and Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.

[Thanks to MacDailyNews Readers “Fred Mertz,” “Arline M.,” and “Lynn Weiler” for the heads up.]

Related articles:
How to defend against ‘Oleg Pliss’ iCloud attack on Apple devices – May 27, 2014
Australian Apple Macs, iPhones, iPads hijacked, digitally held for ransom – May 27, 2014

25 Comments

    1. For Apple inc. to take a day and a half to investigate the so called breach into iCloud and come up with a cohesive statement that covers all multiple points is a credit to their constant due diligence of their network!
      I would have been concerned even worried if they had spoke about the situation within a matter of hours as it would have been a sign of a ‘knee jerk reaction’ to the supposed breach.
      If it had indeed been a breach of iCloud, over 800 million people would have been complaining already and a very fat under exercised lobby addicted DOJ would have been nudged into an anticipated payday of suing Apple inc yet again.

      1. And your comment is relevant to WHAT? You’ve skipped over the context of my comments and are attempting to bandaid a long term trend at Apple. Don’t make excuses for Apple. As I pointed out in the article you didn’t bother to read, Apple DESERVES criticism from the computer community for such profound blunders. Please read up on computer security if you can’t comprehend how this specific blunder is not profound. Read up on the outrageous hacking of SSL over the past year if you can’t comprehend the severe damage to Internet security it has caused. Figure out that keeping SSL security certificates should, within this context, have renewing SSL certificates up on the TOP of Apple’s security list of things-to-do.

        If, after doing your homework, you’re still clueless, don’t come whining to me please.

  1. @MDN I have used everything that you mentioned and also love Apple’s password generator. Never a problem on any device whether it’s the iPhone, iPads or my MacBook Pro.

  2. “‘Device hacked by Oleg Pliss”

    This is not a standard Apple message. So something else is going on. This does not look like a iCloud/Find My iPhone lock. Are these devices jail broken?

    1. No. Via iCloud, you can send a message, any message, to any device connected to that account. The Apple ID was compromised via password reuse, and the attacker gained access to iCloud accounts. He/she then locked the devices and sent out a custom message. All features of iCloud/Find My iPhone.

        1. Correct. It’s actually in the terms when you sign up for two-factor auth. If both your password and your 2F code are compromised, you’re done, unless you have your recovery key and a trusted device.

  3. The story I read said that this was happening on devices where the user had not set a password. It looks to me like somebody found information by hacking another site, like eBay, that gave them enough information to connect to these devices remotely and set a user password on them. That would allow them to customize a new lock screen with a message demanding money, and to lock the users out of their devices.

    1. No, I’m pretty sure it was a “passcode” that wasn’t set on the device. You can’t activate an iPhone without an Apple ID, and an Apple ID requires a password. If the user set a passcode, he or she could enter it to get past the lockout.

      ——RM

    1. You’re a shit-for-brains TROLL, Road Warrior. Why don’t you take your constant anti-Australian comments off to some place populated with like-minded idiots. Perhaps one of the Fandroid forums where they’ll appreciate your oh-so-funny comments.

      1. Awwww is that the best you can do? That second sentence by the way is a question, and when you type a question it usually ends with a question mark (?) to indicate that. It’s something they teach in civilized countries. Now taking into account that it is a question you’ll be happy to know that I make comments at other forums as well as this one. At least while I can, I hear that some won’t be Ho Ho Ho Holden up for much longer. I’m glad you think my comments are oh so funny, you’ve just given me a reason to post more. Thank you.

    1. Yup, that’s about the extent of what I’ve experienced from the useless lot down under. I hope Anustralians one day learn to become wankers some day, to keep them from breeding would be a great benefit to the world.

      Oh, you were going to say wanker and something else. I forgot it takes you a few days to compose a sentence. Take your time and try to remember the the period (.) happens at the end of a sentence not at the start of you name dottle head.

      Here’s hoping you have a miserable day and lots and lots of Anustralians die horrible and painful deaths. Oh yes, it’s pay time time.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.