You may have read in the news that a hacker group is holding a number of iCloud accounts for ransom, or at least claims to. If Apple doesn’t pay a certain amount of money by April 7, the hackers will reset the accounts and remotely wipe iOS devices. Here’s how to protect yourself.
Update (March 7, 2018): A recent story in the news shows that Apple IDs are being sold on the dark web. Setting up two-factor authentication/two-step verification can help prevent things like that. If you haven’t already secured your Apple ID, now is the perfect time to do so.
Turkish Cybercriminal Family
A group of hackers calling themselves Turkish Crime Family claimed to have compromised a large number of iCloud email accounts. They demand that Apple pay them either $75,000 in cryptocurrency or $100,000 in iTunes gift cards. If Apple doesn’t pay this by April 7 the hackers say they will reset the iCloud accounts and remotely wipe the victims’ iOS devices.
What This Means And What You Can Do
It’s unlikely that Apple’s servers have been breached, although the exact hacking method is unknown. It could be the result of a phishing attack, where the hackers send a crafted email containing a malicious URL. Other possibilities include social engineering or logins from one of many data breaches where people reused their username and passwords on other accounts.
The first step you can take is to change the password you use for your Apple ID. Even if you think you haven’t been hacked, it’s better to be safe anyway.
Enable Two-Factor Authentication
Secondly, enabling two-factor authentication (2FA) is one of the most secure things you can do on any account. Turning on 2FA gives you an extra layer of security. It means that whenever you log into your account from a new device, you will have to provide two pieces of information: your password and a special code.
In this scenario, if Turkish Crime Family has your login credentials, changing your password and enabling 2FA will keep them from accessing your account in the future.
2-Factor Authentication with Apple’s iCloud
When 2FA is set up on Apple’s iCloud, logging in on a new device requires a six-digit verification code sent to one of your other Apple devices. This code can either be texted to you, or be automatically displayed in a pop-up window. Choosing to have Apple display the code is safer than having it texted to you.
After you sign in, you won’t get a code again unless you sign out, erase the device or change your password. Using 2FA requires a device that uses iOS 9 or OS X El Capitan.
Setting Up 2FA on an Apple Device
On your iPhone, iPad, or iPod touch with iOS 9 or later:
- Go to Settings > iCloud > Apple ID.
- Tap Password & Security.
- Tap Turn on Two-Factor Authentication.
On your Mac with OS X El Capitan or later:
- Go to Apple () menu > System Preferences > iCloud > Account Details.
- Click Security.
- Click Turn on Two-Factor Authentication.
Once you’ve turned 2FA on, you can take extra steps to keep your account secure:
- Remember your Apple ID password (use a password manager)
- Use a passcode on all your devices
- Keep your trusted phone number(s) up to date
- Keep your trusted devices physically secure
For more information you can visit Apple’s support page regarding two-factor authentication.
I changed the passwords on our accounts. A bit of a chore when you need to enter it on all of gadgets, but it is a good precaution.