
Report verifies some iCloud credentials held by hacker group as valid


A hacker group attempting to hold Apple ransom with claims it has hundreds of millions of iCloud credentials in its possession recently sent a batch of 54 UK-based accounts for testing, all of which were deemed legitimate.

The self-proclaimed "Turkish Crime Family" provided ZDNet with the iCloud credential sample set in an apparent bid to bolster its extortion efforts. The publication used Apple's online password reset tool to verify the 54 accounts belonging to iCloud customers based in the UK.

According to Thursday's report, the credentials tested date back to 2000, with some user accounts bearing Apple's legacy "mac.com" domain. Other Apple IDs in the package were identified as "me.com" and "icloud.com" accounts, the latter being Apple's current cloud product offering handed out alongside new device purchases.

While the 54 accounts were valid according to Apple's database, ZDNet was only able to verify the passwords of ten individuals. As part of its verification protocol, the publication reached out to each potential victim through iMessage, and presumably email, though most were no longer tied to Apple's messaging service.

At least one person noted their confirmed password was changed about two years ago, suggesting the hacker group's data originates from a breach that occurred between 2011 and 2015, the report said.

Of the ten people who confirmed the passwords provided were correct, most said they have used the same login credentials since opening their iCloud account. At least two people noted someone attempted to reset their iCloud account in the past day, while another received an unknown login notification on Twitter, the report said.

Backing up Apple's claims that its systems were not breached and any loose data can be tracked back to third-party services, most of the people whose passwords were verified said they used the same login credentials on other sites. Interestingly, three people noted the passwords confirmed by ZDNet were specific to iCloud, a fact potentially incongruous with Apple's official stance.

The Turkish Crime Family claims to have anywhere from 250 million to 599 million iCloud credentials — at least two different figures were given to media outlets by two separate members — at its disposal, and is threatening to use them to remotely wipe connected iPhones and iPads unless Apple pays up. The group is seeking $75,000 in cryptocurrencies or $100,000 in iTunes gift cards by April 7.

In its response yesterday, Apple denied media reports that its servers were breached, a claim later backed up by the hacker group. Some have floated the idea that some of the data stems from a 2012 LinkedIn hack, though the theory has yet to be proven.

While the source of the alleged iCloud data remains unknown, Apple is keen on quelling customer concerns. In its statement, the company said it is "actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved."

Apple went on to urge customers to use strong, unique passwords and recommended against recycling credentials across services. In addition, the company encourages users to enable two-factor authentication whenever possible.



37 Comments

foggyhill 10 Years · 4767 comments

What does that prove... Seriously, this is all a big joke and tech journalism is close to dead.

shapetables 10 Years · 201 comments

Turn on NatGeoWILD and mourn for the zebra that didn't make it across the river full of alligators with the rest of its herd as it wasn't smart enough to use unique passwords between different business entities (and likely also shared their most intimate financial and personal info with anyone who ever asked them to confirm it), maybe even while hyena-laughing at those that don't. In the future, app/services will be subject to monitoring for compliance with a whole suite of laws that seek to protect consumers, but those kinds of mandates are always 10-15 years behind reality, during which time there's plenty of prey to be exterminated while positioning for the future. Worst case they can marry ugly and travel the globe trying oh so hard to do as the one whose made up for the Homestead Strike.

Rayz2016 8 Years · 6957 comments

Backing up Apple's claims that its systems were not breached and any loose data can be tracked back to third-party services, most of the people whose passwords were verified said they used the same login credentials on other sites. Interestingly, three people noted the passwords confirmed by ZDNet were specific to iCloud, a fact potentially incongruous with Apple's official stance.

Three people said that their passwords were specific to iCloud. It is also not known if they were tricked into giving their passwords away. 

So stating it as a "fact" might be stretching it. 

simply258 20 Years · 133 comments

Why doesn't Apple just send an email / push notification to users reminding them to regularly change their passwords, use strong and unique ones? I say reminder and not ask people to change it so as not to cause panic or make it look like there was a breach.

JanNL 9 Years · 328 comments

Rayz2016 said:
Three people said that their passwords were specific to iCloud. It is also not known if they were tricked into giving their passwords away. 

So stating it as a "fact" might be stretching it. 

True. And maybe too far-fetched to have some (those 3) accomplices in the sample set who are trying to put pressure on Apple?