U.S. Markets open in 9 hrs.

Apple Ransom Scam Could Mean 40 Million Leaked Passwords

Marshall Honorof
No One's Hacking Apple Accounts — But Protect Yours Anyway

Today's security SNAFU could be a case study in best case/worst case scenarios — and either way, the scenarios are pretty bad. For several months, a number of Apple users have had their iDevices hit with the same Russian ransom scam after being locked out of their own accounts. This is probably the result of older data breaches and poor password practices, but there's a chance, however slight, that Apple itself suffered a 40-million-strong data breach. Either way, the solution is simple — and the same.

Steve Ragan at CSO magazine's Salted Hash security blog investigated the issue, and what he found, while by no means definitive, is not encouraging. Ever since February, he wrote, some generally tech-savvy iOS users have complained on forums like Reddit about being locked out of their iPhones or iPads, followed by the same ransom demands written in Russian, tracing back to one or two Gmail addresses.

MORE: iPhone 7 Photos Leaked: Here's What It Looks Like

The scam works like this: First, a user's iPhone or iPad starts beeping frantically. Then, a message appears on the lock screen, informing the user to contact a Russian Gmail address. (These are all part of the legitimate Find My iPhone feature, which usually helps users communicate with lost phones.) Communicating with the party at the other end, the user discovers that he or she must pay $30 to $50 within 12 hours, or else suffer a complete factory reset of their devices.

There's no two ways about it: As scams go, this one is fairly lazy. Resetting an iDevice is not much of a threat, especially since most apps and data are stored in the cloud. Furthermore, iOS makes frequent backups of user data by default. If you're a victim of this ruse, you should probably just pre-empt the scammers and factory-reset your phone by yourself. That will lock the crooks out of your device long enough for you to take some proactive steps.

Ragan discovered a bigger issue at play, though: How did the same Russian scammers come across login info for such a disparate group of users? Many of the affected iDevice owners appear to be technologically literate, and presumably haven't fallen for any kind of phishing scheme. Ragan has two theories: one likely and containable, one unlikely and catastrophic.

The more quotidian suggestion is that the scammers were simply taking advantage of old data breaches from unrelated services, and the fact that the average user has the same password for multiple accounts. Given enormous data breaches at services like MySpace, LinkedIn and Adobe, it’s not at all impossible for a group of scammers to rustle up a bunch of usernames and passwords, then plug them into iCloud to see what works.

Ragan, however, said he's heard "rumblings" in the security world about a recent data breach in Apple itself. If it's true, that means up to 40 million user accounts could be compromised with fairly recent login data. Cybercriminals may also have gotten ahold of Mac-Forums login data after a recent breach there, and it’s not so hard to believe that Mac enthusiasts might use the same login info for unofficial Apple forums and official Apple products.

Whatever the case, users have two very simple options at their disposal, which will stop scammers dead in their tracks. First, change your password, especially if you haven’t done so recently.

Second, activate two-factor authentication on your iCloud account. There are two good reasons to do this: It will prevent anyone but you from accessing your Apple account, and it will prevent a scammer from activating it in your stead, making you doubly locked out of your own files. (If you access iCloud Mail or other iCloud services from a non-Apple device, here's how to generate app-specific passwords to work with two-factor authentication.)

At present, there's no hard evidence of a massive Apple data breach, and probably no reason to panic. But just in case something terrible really did happen, it's best to head trouble off at the pass and stay on top of your password security.

Copyright 2016 Toms Guides , a Purch company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.