Trying to extort money out of Apple by threatening to wipe out iCloud accounts and reset iPhones is a business model the Turkish Crime Family hacker team will likely learn is flawed at best, but it is a great reminder to change your online passwords regularly. The list of iCloud logins the group has looks to be at least two years old, so if you haven’t changed your password more recently than that, it’s time right now.
The hacker group gave several email addresses and passwords from their list to ZDNet, which then sent iMessages to ask if those passwords were still valid. Almost all replied they were, and they hadn’t changed them in at least five years. Of course, they promptly changed their passwords after being contacted by the publication.
One person said the password ZDNet had was changed about two years ago, so that narrows down the window for when the logins were stolen. Based on that, if your iCloud password is at least two years old, it’s time for a change. To be safe, if your password is more than a year old, go ahead and change it, and enable two-factor authentication.
The hackers are saying they’ll wipe out the accounts on April 7th if Apple hasn’t paid the ransom. Considering that’s not a game Apple is willing to play, updating your password before then is a pretty smart move.
This report (and the earlier one referenced in the article) are disingenuous.
The list of passwords they have was obtained from breaches in other 3rd party services. Since many people use the same or similar passwords on a lot of Web services, it’s no wonder that the key that fit some other compromised lock (LinkedIn, for example) would also fit Apple’s.
Apple has stated categorically (and I believe them) that there have been NO breaches in their service that could have caused password leakage.
So if your iCloud password is the same as your LinkedIn password from several years ago, then, yes, go change it. Otherwise, stop worrying that the ‘sky is falling’ and get on with your life.
I also disagree very strongly with the “change your password frequently” mantra. All that does, especially in ordinary (and especially elderly) users is create tons of confusion, causing them to have to maintain long lists of passwords for services, often on paper, sometimes in documents on their computer. And yes, they could use 3rd party password-management programs, but those have their own quirks, are hard for the non-computer-literate to learn, and exhibit confusing behaviors that can flummox non-computer-literate users. [I see this regularly amongst the elderly Mac users I support.]
Apple’s own password manager is an exception — it works reasonably seamlessly. Unless you use apps that don’t support it, like Chrome or Firefox.
Somebody please clarify. If you have 2-factor authorization activated, will they still be able to wipe your account?
I love how this April 7 Deadline is considered so concrete. Are we supposed to trust extorting hackers as being faithful to their word???