Apple apologizes to Chinese users after iCloud phishing spree
Apple is "deeply apologetic" that some users in China had funds stolen by attackers, but at the same time noted that the attacks would have been prevented had the victims been using the security measures Apple offers to protect accounts from such thefts.
In a statement, Apple noted that a small number of user accounts had recently been accessed through phishing attacks. "We are deeply apologetic about the inconvenience caused to our customers by these phishing scams," Apple said in an English-language statement. At the same time, Apple reiterated the advice it had given the Chinese market when the thefts came to light: that two-factor authentication would have prevented these attacks from taking place at all.
The attack impacted users with Alipay accounts linked to their iCloud accounts. The funds were drained through fraudulent App Store purchases and subscriptions. Social media posts from affected customers noted that the notifications arrived at unusual times of day, and that for some users the fraud had led to losses worth hundreds of dollars.
The Alibaba-owned Alipay and Tencent-owned WeChat Pay confirmed that a number of their customers had been the subject of fraudulent App Store purchases. Alipay has posted a warning online advising iPhone users of the thefts and urging them to secure their accounts where possible.
Alibaba's payments firm claims it had contacted Apple "multiple times" over the fraud, asking the company to find out how it was taking place. Apple advised at the time that it was investigating the issue.
The notice by Alipay said that affected customers included those who owned iPhones and had connected their accounts to other payment systems. Customers are "exposed to the risk of financial loss" until Apple deals with the issue, the notice warned, while also advising that losses could be minimized by lowering how much could be transferred in a transaction without requiring a password to be entered.
According to the Wall Street Journal on Tuesday, Apple has not given any details about how many users were impacted, nor how much money was taken.