The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods); it's a pseudo-randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."
A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.
Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.
Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.
One user, with the handle "øivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.
"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."
While it's still possible that even complex passwords were discovered through alternate methods, it's hard to say that is more likely than Apple's iCloud servers being compromised. I'd expect Apple to have used the same security methods that have kept iTunes servers secure over the years, and I wonder why it seems to be limited to so few users if it's an account server hack, which should open up millions of potential user accounts. A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.
The fact that this person is an IT professional with 10 years experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it). Maybe someone put a key logger on his computer at his job.
Very curious circumstances ("I never use my iCloud account") with a complete denial of mea culpa by all posters. Several of the posters are convinced their passwords are nigh impenetrable (randomly generated, alphanumeric and special characters with caps and lower case letters) and they are not "n00bs" who call tech support.
I believe if iCloud were hacked we would see widespread instances of spam rather than ten posters. While there are likely ten or one hundred times more people who aren't posting about the spam, that is still a drop in the bucket of iCloud users.
Quoting Gustav: "Maybe someone put a key logger on his computer at his job." Or he logged into a machine that was compromised.
This guy being a Pro means that he knows that it's still possible to brute force a random password. That it was something like less than 100 out of millions of users actually shows that Apple's security is tight and someone did just get lucky with the randomizers.
I know a white hat that tried this kind of stunt just to prove to a client that it was possible. He had his script drop all passwords that had words, were less than 12 characters, or didn't have at least one number and one symbol. He also checked all number sequences against the zip code listings in the country and removed any password with that sequence. It took something like 5 days, but the client's 'totally impossible to break' password was broken.
This particular white hat actually said that most of the time when he hacks a password for a client to show security issues it's not the password that gets him in, it's the security question. As the WH put it, the best password in the world doesn't mean jack if your question is "who is Sir Fluffy Barks A Lot" and he can go to Facebook, search the same email and there is your dog in bold living color all over the page. And he's seen it. A lot. Even with corporate clients. They have where they work on their page, so even though the emails are different he can still match it up, and 99% of the time the answer to the question is there.
It's also possible that these folks are just lying about how good their passwords were or that they got phished and are too embarrassed to admit it, so they are blaming Apple. Even IT Pros can be fooled because their arrogance makes them sloppy.
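As an added example (not from the article or any of the commenters), here is a Python password-policy check that applies the same four rules the comment above describes: dictionary words, length under 12, a missing digit or symbol, and embedded postal codes. The word list and postal-code list are constructed stand-ins, and the takeaway for defenders is that every rule a policy publishes is also a rule a guesser can use to discard candidates, so a policy check is a floor, not a guarantee.

```python
import re
import string

# Constructed stand-ins for the real dictionary and zip-code listings
# the comment refers to; a real deployment would load full lists.
COMMON_WORDS = {"password", "apple", "icloud", "summer", "love", "dog"}
POSTAL_CODES = {"95014", "10001", "90210"}


def policy_failures(password: str) -> list[str]:
    """Return every policy rule the password violates (empty = passes)."""
    failures = []

    # Rule 1: minimum length of 12 characters.
    if len(password) < 12:
        failures.append("shorter than 12 characters")

    # Rule 2: at least one digit and at least one symbol.
    if not any(ch.isdigit() for ch in password):
        failures.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        failures.append("no symbol")

    # Rule 3: no dictionary word embedded anywhere (case-insensitive).
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")

    # Rule 4: no five-digit run that matches a known postal code.
    # Runs longer than five digits are checked at every offset.
    for digits in re.findall(r"\d{5,}", password):
        for start in range(len(digits) - 4):
            window = digits[start:start + 5]
            if window in POSTAL_CODES:
                failures.append(f"contains postal code {window}")
    return failures


def meets_policy(password: str) -> bool:
    """True only when no rule is violated."""
    return not policy_failures(password)


if __name__ == "__main__":
    for candidate in ("Apple2012!", "Summer95014!x", "x7#Lq9!vR2mW"):
        print(candidate, "->", policy_failures(candidate) or "passes")
```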