At least some of the iCloud account credentials that a group of hackers are holding for ransom appear to be legitimate, according to an investigation by ZDNet. A London-based group of hackers calling themselves the “Turkish Crime Family” claimed earlier this week to have gained access to millions of iCloud accounts, threatening to remotely wipe victims’ devices unless Apple paid a large ransom. While Apple later indicated that there had been no breach of its systems, analysts have suggested that the hacker group likely has data acquired from one or more breaches that occurred years ago at sites such as LinkedIn. Due to the obvious naming of iCloud accounts and the number of users who may reuse passwords, a dump of passwords stolen from another site could easily be exploited to hack at least some iCloud accounts.
ZDNet was able to obtain a sample set of 54 credentials from the hacker group, which they then tested for verification purposes, finding all 54 accounts to be currently valid based on Apple’s password reset function. The data set included “icloud.com” accounts dating back to 2011, as well as legacy “me.com” and “mac.com” accounts going back as far as 2000. The list that ZDNet obtained included only email addresses and plain-text passwords, suggesting that it could have been aggregated from multiple sources. ZDNet reached out to contact each person on the list to ask them to confirm their passwords, noting in the process that most of the accounts were no longer registered with iMessage (if they ever had been), and therefore couldn’t be immediately reached.
According to the report, 10 people confirmed that their passwords were accurate (and have since changed them); they also confirmed that they had used the same password since they opened their iCloud accounts, although one specifically mentioned that the password he confirmed had not been used in at least two years, narrowing down the possible date of the breaches to somewhere between 2011 and 2015. Three people who responded to ZDNet’s inquiries claimed their passwords were unique to iCloud and were not used on any other site. Notably, all of these people were based in the U.K., and the hackers refused to hand over a U.S.-based sample of accounts.