Never miss an update Follow AppleInsider
Thursday, May 17, 2012, 09:16 am
Users raise questions about Apple's security after iCloud hacks
A small number of iCloud accounts reportedly protected by secure, randomly generated passwords have been compromised, prompting speculation by users that a security breach may have occurred on Apple's servers.The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudoly randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."
A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.
Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.
Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.
One user, with the handle "øivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.
"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."
On Topic: General
- Inside Apple's push for comprehensive corporate tax reform
- Apple details 'extraordinary amount' of taxes it pays in testimony to US Senate
- Apple's retail stores now earn record $58 per visitor
- Yahoo to acquire Tumblr for $1.1B, 'promises not to screw it up'
- Google engineers talk fragmentation, how to make Android work for emerging markets
Previous Comments View All
The fact that this person is an IT professional with 10 years experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it) Maybe someone put a key logger on his computer at his job.
Very curious circumstances ("I never use my iCloud account") with a complete denial of mea culpa by all posters. Several of the posters are convinced their passwords are nigh impenetrable (randomly generated, alphanumeric and special characters with caps and lower case letters) and they are not "n00bs" who call tech support.
I believe if iCloud were hacked we would see wide spread instances of spam rather than ten posters. While there are likely ten or one hundred times more people who aren't posting about the spam that is still a drop in the bucket of iCloud users.
Maybe someone put a key logger on his computer at his job.
Or he logged into a machine that was compromised.
This guy being a Pro means that he knows that it's still possible to brute force a random password. That was something like less than 100 out of millions of users actually shows that Apple's security is tight and someone did just get lucky with the randomizers.
I know a white hat that tried this kind of stunt just to prove to a client that it was possible. He had his script drop all passwords that had words, was less than 12 characters, didn't have at least one number and one symbol. He also checked all number sequences against the zip code listings in the country and removed any password with that sequence. Took something like 5 days but the clients 'totally impossible to break' password was broken.
This particular white hat actually said that most of the time when he hacks a password for a client to show security issues it's not the password that gets him in, it's the security question. As the WH put it, the best password in the world doesn't mean jack if your question is "who is Sir Fluffy Barks A Lot" and he can go to Facebook, search the same email and there is your dog in bold living color all over the page. And he's seen it. A lot. Even with corporate clients. They have where they work on their page so even though the emails are different he can still match it up and 99% of the time the answer to the question is there
It's also possible that these folks are just lying about how good their passwords were or that they got phished and are too embarrassed to admit it so they are blaming Apple. Even IT Pros can be fooled because their arrogance makes them sloppy
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.
I don't consider that "off topic" and I agree entirely. In fact, everyone please submit a feature request here. You can just copy and paste SolipsismX's text.
If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:
Greetings,
The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.
Bad examples:
What is your driver's license number? (I haven't memorized mine, have you?)
Car registration number (this may be easy for others to find on the web anyway)
But don't use questions that go back to childhood, or for that matter last year for someone like me.
Bad examples:
What was the name of your first pet?
What was your first car, favorite elementary school teacher, first kiss, etc.
Please add questions that the average person over 40 can actually remember, more imporantly see the website listed above for security question best practices:
In which city, county and state were you born?
What is your maternal grandmother's maiden name?
Thank you very much for your time and consideration,
"MacBook Pro"
Interesting that most of hacked people claim to be IT. Why I am not feeling better about IT people now?!
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.
It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.
The fact that this person is an IT professional with 10 years experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it) Maybe someone put a key logger on his computer at his job.
Or he logged into a machine that was compromised.
Or someone is capturing his wireless network traffic.
Or someone hacked the random password generator (and those 10 posters all using the same application).
Or someone really did use a brute force attack on their password.
It took me about 30 seconds to figure out a "crack" for iCloud if I have someone's Apple ID and considering the ubiquity of iCloud you can probably just try any name at iCloud.com with some small chance of success. Unfortunately, iCloud is very vulnerable to social hacks apparently (based on the 30 second "crack"). I should add that I am no Charlie Miller either so this is something any computer savvy person could discover (disclaimer: I do have formal education in network administration).
It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.
Haha. See the post immediately preceding yours. I just copied and pasted his text verbatim.
As for security questions, I always answer them with nonsensical answers.
What was your mother's maiden name?
Traffic light is green.
What is your pet's name?
Do you like yellow?
Where were you born?
I ate a pear.
And answer them differently for each site. Store them in an encrypted file or write them down and store the paper securely and you're good.
Latest Apple Headlines
-
AT&T to bring FaceTime over cellular to all customers by end of year
~24 minutes ago -
Inside Apple's push for comprehensive corporate tax reform
~50 minutes ago -
Apple details 'extraordinary amount' of taxes it pays in testimony to US Senate
~1 hour ago -
Apple debuts new iPhone discounts, subsidies to gain ground in India
~2 hours ago -
Domestic Mac sales flat in April, viewed as slight positive for Apple
~2 hours ago - more...
Lowest Prices Anywhere!
| Model | Price | You Save |
|---|---|---|
| Core i5 MacBook Pros w/ Retina | ||
| 13" 2.5GHz/8GB/128GB | $1,406.48 | $292.52 |
| 13" 2.5GHz/8GB/256GB | $1,479.99 | $519.01 |
| 13" 2.5GHz/8GB/512GB | $1,699.99 | $799.01 |
| Core i7 MacBook Pros w/ Retina | ||
| 13" 2.9GHz/8GB/256GB | $1,599.99 | $599.01 |
| 13" 2.9GHz/8GB/512GB | $1,799.99 | $899.01 |
| 15" 2.3GHz/8GB/256GB | $1,899.99 | $299.01 |
| 15" 2.6GHz/8GB/512GB | $2,299.99 | $568.01 |
| 15" 2.7GHz/16GB/768GB | $2,699.99 | $499.01 |
| Model | White | Black | |
|---|---|---|---|
| iPad mini (WiFi only) | |||
| 16GB WiFi |  |
$329.99 | $329.99 |
| 32GB WiFi | |
$429.99 | $429.99 |
| 64GB WiFi | |
$529.99 | $529.99 |
| iPad mini (WiFi + 4G) | |||
 |
 |
 |
|
| 16GB 4G White | $459.99 | $459.99 | $459.99 |
| 32GB 4G White | $559.99 | $559.99 | $559.99 |
| 64GB 4G White | $659.99 | $659.99 | $659.99 |
| 16GB 4G Black | $459.99 | $459.99 | $459.99 |
| 32GB 4G Black | $559.99 | $559.99 | $559.99 |
| 64GB 4G Black | $659.99 | $659.99 | $659.99 |
While it's still possible that even complex passwords were discovered through alternate methods It's hard to say that is more likely than Apple's iCloud servers being compromised. I'd expect Apple to have used the same security methods that have kept iTunes servers secure over the years and I wonder why it seems to be limited to so few users if it's an account server hack which should open up millions of potential user accounts.
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.