Apple owners with iCloud accounts are being urged to change their passwords by both Apple and Australian authorities, after several iPhone accounts were hijacked earlier this week.
In the wake of last week’s eBay hacking, the importance of not reusing passwords for different accounts is again being stressed to individuals and businesses.
On Monday, several Australian iPhone users reported their devices had been “hijacked” and “held for ransom” after their phones were remotely locked and received a message demanding a PayPal payment to unlock the device.
Speaking to SmartCompany, AVG security advisor Michael McKinnon says it was initially thought the hijacking was an Apple password or ID scam and the result of ransomware or malware software.
“What in fact has happened is Apple IDs or passwords have become known, presumably because people are not using a unique password for each account,” says McKinnon.
McKinnon says the ‘hijackers’ had found the username and password of a third-party account and then tried the same username and password against the iCloud service.
“Attackers then jump onto iCloud, turn on security features people use when their phone is stolen, such as the ‘find my phone’ feature, and then mark the device as stolen, publish a message on the phone for a ransom and lock the phone remotely,” says McKinnon.
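As an added example (not from the article, AVG or Apple), a small Python detector run over a constructed audit log: it flags an account whose successful login from a previously unseen address is followed within minutes by a Find My iPhone action such as enabling Lost Mode, the takeover sequence McKinnon describes, and separately lists source addresses that logged into several accounts from unseen IPs, the usual signature of reused credentials being tried in bulk. The log format, event names, IP addresses and the known-address baseline are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (format and event names are assumptions, not Apple's):
# timestamp  account  source-IP  event
SAMPLE_LOG = """\
2014-05-26T08:01:10 alice 203.0.113.5 login_success
2014-05-26T08:02:40 alice 203.0.113.5 lost_mode_enabled
2014-05-26T08:03:05 alice 203.0.113.5 lock_message_set
2014-05-26T08:04:00 carol 203.0.113.5 login_success
2014-05-26T08:05:30 carol 203.0.113.5 lost_mode_enabled
2014-05-26T08:10:00 bob 198.51.100.7 login_success
2014-05-26T09:15:00 bob 198.51.100.7 lost_mode_enabled
"""
# Addresses each account has used before (assumed baseline built from earlier logins).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.7"}, "carol": {"192.0.2.44"}}
TAKEOVER_ACTIONS = {"lost_mode_enabled", "remote_wipe_requested"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, account, ip, event) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, event = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, event))
    return sorted(events)

def find_takeovers(text, known_ips=KNOWN_IPS, window=timedelta(minutes=5)):
    """Flag a lost-mode/wipe action that follows a login from an unseen IP within `window`."""
    recent_new_ip_login = {}   # account -> (login time, ip)
    alerts = []
    for ts, user, ip, event in parse_log(text):
        if event == "login_success" and ip not in known_ips.get(user, set()):
            recent_new_ip_login[user] = (ts, ip)
        elif event in TAKEOVER_ACTIONS and user in recent_new_ip_login:
            login_ts, login_ip = recent_new_ip_login[user]
            if ip == login_ip and ts - login_ts <= window:
                alerts.append((user, ip, event))
    return alerts

def stuffing_sources(text, known_ips=KNOWN_IPS, min_accounts=2):
    """Unseen IPs that logged into several different accounts: a reused-credential signal."""
    accounts_by_ip = defaultdict(set)
    for _, user, ip, event in parse_log(text):
        if event == "login_success" and ip not in known_ips.get(user, set()):
            accounts_by_ip[ip].add(user)
    return {ip: users for ip, users in accounts_by_ip.items() if len(users) >= min_accounts}
```

On the sample log, bob is not flagged: his Lost Mode action came from an address he had used before and more than an hour after login, which is what a legitimate owner locking a lost phone looks like.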
The Australian government released a statement on Tuesday on its ‘Stay Smart Online’ website, which urged Apple users to change their IDs and passwords, while Apple also reiterated the message in a statement.
“Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services,” said the company.
“Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”
The statement also said Apple takes security very seriously and iCloud was not compromised during the incident.
McKinnon says Apple has a good track record with security and he is inclined to believe iCloud was not compromised.
“All Apple is saying is, as far as we’re concerned, no one has stolen Apple IDs or passwords,” says McKinnon.
“It’s just a malicious usage of Apple’s own security feature, ironically.”
McKinnon recommends users who want to ensure the best security should visit id.apple.com and click on the ‘Manage Apple ID’ link.
“Log in and then activate the ‘two step verification’, which causes Apple to send a message to all your registered devices with a special number,” says McKinnon.
“This means that when you try and access iCloud online, even if someone has your password, they can’t get into your account,” he says.
McKinnon says that as technology grows more complex, the opportunities for hacking have expanded with it.
He says hacks like this could have much more dire consequences than the demand for ransom.
“People have photos and documents stored in their iCloud, and these ‘find my phone’ features have the ability to delete and completely wipe devices,” he says.
He says hackers have not been interested in wiping accounts so far because they are ultimately just after quick cash and know they would be caught if they committed the far more serious crime of wiping devices.
“Apple and others are far more likely to act if there is a breach like that,” he says.