Apple hints password reuse, not iCloud hack, at heart of locked iDevice ransom attacks
Apple says an iCloud breach is not to blame for the recent spate of iOS devices held hostage by malicious actors via Apple's Find My iPhone service. Many users in Australia and several other countries have reported being locked out of their iDevices by a third party who demanded $100 to return control of the iPhones and iPads to their rightful owners.
The messages say the devices have been hacked by "Oleg Pliss," according to numerous Apple forum reports. The name Oleg Pliss appears to be an alias for a hacker, or group of hackers, responsible for the ransomware-like attack.
The bad guys sent the messages using Apple's Find My iPhone service, which is designed to let iOS device owners lock down their devices if they are lost or stolen. Using Find My iPhone, you can put your phone into lost mode, which locks the phone with a four-digit passcode. You can also force the device to make a loud beeping sound (even if the mute switch is on) and send a text message to the device.
It's not clear how the hackers were able to get access to the Find My iPhone settings of a large number of users, but Apple says its services aren't to blame.
Apple was unavailable for comment at this writing, but the company released a statement to ZDNet earlier:
Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.
Although the company didn't explicitly say so, Apple seems to be implying that these attacks were the result of reusing the same username and password across multiple online accounts. Troy Hunt, a developer and web security specialist based in Sydney, Australia, has also suggested this as the most likely scenario.
If password reuse was the culprit, that means the hackers probably gained access to the users' accounts by sifting through usernames and passwords from previous password database breaches.
And there certainly have been enough of those.
Password problems, password solutions
Adobe, AOL, Avast, Canonical, eBay, LaCie, and Ubisoft have all suffered major database breaches in the past year. eBay, the most recent company to lose control of its password database, alone had 128 million active users affected.
With so much password and username hacking going on, reusing the same passwords across multiple sites is just plain a bad idea. The best way to protect yourself from password breaches is to use strong, unique passwords for each website you frequent, never using the same password twice. To do otherwise is to risk a visit from Oleg Pliss.
It isn't as hard as it sounds. You can create unique passwords using either a password manager's random password generator or a memorable system of your own for managing passwords site-to-site. You'll definitely want to do it for especially sensitive online accounts such as email, social networking, banking, shopping sites like Amazon, and Apple's Find My iPhone or Google's Android Device Manager. Enabling two-factor authentication on any service that supports it is another smart security precaution.
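To make the advice above concrete, here is an added example (not code from the article, Apple, or any password manager) showing the two checks a defender would run on their own accounts: which passwords are reused across sites, and which ones already appear in a leaked-credential set, plus a generator that replaces the exposed ones with fresh random passwords from the operating system's CSPRNG. The account list and the "leaked" hash set are constructed sample data, not real credentials or a real breach dump.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample data: one person's accounts and the passwords on them.
# Three sites share a password, which is exactly the reuse the article warns about.
ACCOUNTS = {
    "email": "Summer2013!",
    "apple-id": "Summer2013!",
    "shopping": "Summer2013!",
    "banking": "c0rrect-h0rse-battery",
}

# Constructed stand-in for passwords recovered from an earlier breach. A defender
# only needs digests to test exposure, so the plaintexts are never stored.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Summer2013!", "password1", "qwerty123")
}


def find_reused_passwords(accounts):
    """Return {password: [sites...]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def find_leaked_accounts(accounts, leaked_hashes):
    """Return the sites whose current password appears in the leaked hash set."""
    return sorted(
        site for site, pw in accounts.items()
        if hashlib.sha256(pw.encode()).hexdigest() in leaked_hashes
    )


def generate_password(length=20):
    """Random password from the OS CSPRNG, rejecting candidates that miss a
    character class so every result has lower, upper, digit and punctuation."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all character classes")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def rotate_exposed(accounts, leaked_hashes):
    """Copy of `accounts` in which every reused or leaked password is replaced
    by a fresh, unique random one; untouched passwords are kept as-is."""
    reused_sites = {s for sites in find_reused_passwords(accounts).values() for s in sites}
    exposed = reused_sites | set(find_leaked_accounts(accounts, leaked_hashes))
    updated = dict(accounts)
    for site in exposed:
        updated[site] = generate_password()
    return updated


if __name__ == "__main__":
    print("reused:", find_reused_passwords(ACCOUNTS))
    print("leaked:", find_leaked_accounts(ACCOUNTS, LEAKED_PASSWORD_HASHES))
    fixed = rotate_exposed(ACCOUNTS, LEAKED_PASSWORD_HASHES)
    print("after rotation, reused:", find_reused_passwords(fixed))
    print("after rotation, leaked:", find_leaked_accounts(fixed, LEAKED_PASSWORD_HASHES))
```

The leaked-set check uses plain SHA-256 only because the comparison is against a list the defender already holds; it is not a substitute for how a service should store its own users' passwords. The generator uses `secrets` rather than `random` because the latter is not suitable for anything security-sensitive.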
Finally, make sure you know how to protect yourself against all kinds of PC-based scams out there such as phishing, fake emails, and phony update warnings.
It may be a pain to have different passwords for all your sensitive online accounts, but the alternative is exposing yourself to losing control of your devices or, as Wired writer Mat Honan discovered in 2012, losing your personal data completely.