Apple owners with iCloud accounts are being urged to change their passwords by both Apple and Australian authorities, after several iPhone accounts were hijacked earlier this week.
In the wake of last week's eBay hacking, the importance of not reusing passwords for different accounts is again being stressed to individuals and businesses.
On Monday, several Australian iPhone users reported their devices had been "hijacked" and "held for ransom" after their phones were remotely locked and received a message demanding a PayPal payment to unlock the device.
Speaking to SmartCompany, AVG security advisor Michael McKinnon says it was initially thought the hijacking was an Apple password or ID scam and the result of ransomware or malware software.
"What in fact has happened is Apple IDs or passwords have become known, presumably because people are not using a unique password for each account," says McKinnon.
McKinnon says the "hijackers" had found the username and passwords of a third-party account and then tried the same username and password against the iCloud service.
"Attackers then jump onto iCloud, turn on security features people use when their phone is stolen, such as the 'find my phone' feature, and then mark the device as stolen, publish a message on the phone for a ransom and lock phone remotely," says McKinnon.
The Australian government released a statement on Tuesday on its "Stay Smart Online" website, which urged Apple users to change their IDs and passwords, while Apple also reiterated the message in a statement.
"Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services," said the company.
"Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."
The statement also said Apple takes security very seriously and iCloud was not compromised during the incident.
McKinnon says Apple has a good track record with security and he is inclined to believe iCloud was not compromised.
"All Apple is saying is, as far as we're concerned, no one has stolen Apple IDs or passwords," says McKinnon.
"It's just a malicious usage of Apple's own security feature, ironically."
McKinnon recommends users who want to ensure the best security should visit id.apple.com and click on the "Manage Apple ID" link.
"Log in and then activate the 'two step verification', which causes Apple to send a message to all your registered devices with a special number," says McKinnon.
"This means that when you try and access iCloud online, even if someone has your password, they can't get into your account," he says.
McKinnon says as technology continues to grow more complex, there has been an expansion of hacking opportunities.
He says hacks like this could have much more dire consequences than the demand for ransom.
"People have photos and documents stored in their iCloud, and these 'find my phone' features have the ability to delete and completely wipe devices," he says.
He says hackers haven't been interested in wiping accounts so far because ultimately they are just after quick cash and know they'll be caught if they commit the much more serious crime of wiping devices.
"Apple and others are far more likely to act if there is a breach like that," he says.