A small number of iCloud accounts reportedly protected by secure, randomly generated passwords have been compromised, prompting speculation by users that a security breach may have occurred on Apple's servers.
The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) â it's a pseudoly randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."
A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.
Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.
Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.
One user, with the handle "øivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.
"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."