iCloud wasn't breached but you should still reset your password and set up 2-factor authentication

iPhone Lock Screen on an iPhone with Touch ID (Image credit: iMore)

A group of hackers who claim to have access to a large number of iCloud (Apple ID) logins are threatening to wipe the accounts if Apple doesn't pay a ransom by April 7. The hackers didn't breach iCloud to get the data; they collected it from a variety of other sources, including breaches of LinkedIn and Last.fm, where people had used the same passwords as on their iCloud accounts.

From Vice:

The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

If you have any concerns whatsoever about the security of your iCloud account, you're going to want to change your Apple ID password immediately and, if you haven't already, turn on two-factor authentication.

You're sure iCloud hasn't been hacked?

Pretty sure. Even the hackers say they didn't breach iCloud to get this data.

Has Apple said anything?

Yes, in a statement to CNET, Apple said:

"The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," Apple said in a statement. The company went on to say it is working with law enforcement officials to identify the hackers. We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.

Then how did the hackers get the passwords?

Looks like they were aggregated from a variety of other sources. ZDNET has done some digging:

We provided the new batch of records to Troy Hunt, owner of breach notification site Have I Been Pwned, to analyze. Hunt's analysis showed over 99.9 percent of the records matched to an account in his database. Most of the accounts matched with the Evony data breach from June 2016, while data from the 2012 breaches of Last.fm and LinkedIn social networking site were also likely used to construct the hackers' iCloud data set. A list of databases allegedly collected by the hacker group appears to contain hundreds of entries.

How can hacking one system get you data for another?

At the risk of making a bad analogy: If your cottage has the exact same front door key as your house, and someone steals your cottage key, you need to change your house key as well or the thief can get into both.

If your cottage and your home have different front-door keys and someone steals your cottage key, they can't also use it to get into your house.

In other words, if you used the same password for iCloud that you used for LinkedIn, Last.fm, or any other system that has even potentially been exposed over the last several years — and Yahoo! alone has had hundreds of millions of accounts exposed — then by getting the LinkedIn or Last.fm password, the attackers also got your Apple ID password.

So, you need to change your iCloud password?

If you used the same password for another account that you used for your Apple ID password, you need to change your password. If you don't remember whether or not you re-used a password, you're going to want to change your password. If you've done anything other than use long, strong, unique pseudo-random passwords generated by a password manager app like 1Password or LastPass, you're going to want to change your password.
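The reuse check described above can be run over a password-manager export. This is an added example, not part of the original article: the function names and the sample vault are constructed for illustration, and the breached-service list contains only the services the article names.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Services the article names as sources of the leaked credentials.
BREACHED_SERVICES = {"LinkedIn", "Last.fm", "Evony"}

def fingerprint(password: str, key: bytes) -> bytes:
    """Keyed digest, so passwords can be grouped without keeping plaintext around."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()

def accounts_to_reset(vault, breached=BREACHED_SERVICES):
    """Return {service: reason} for every account whose password should change.

    vault is an iterable of (service, password) pairs (hypothetical export format).
    """
    key = secrets.token_bytes(32)  # per-run key; fingerprints are useless afterwards
    groups = defaultdict(list)
    for service, password in vault:
        groups[fingerprint(password, key)].append(service)

    reasons = {}
    for services in groups.values():
        exposed = sorted(s for s in services if s in breached)
        for service in services:
            if service in breached:
                reasons[service] = "password exposed in a breach of this service"
            elif exposed:
                reasons[service] = "same password as breached " + ", ".join(exposed)
            elif len(services) > 1:
                reasons[service] = "password reused across " + ", ".join(sorted(services))
    return reasons

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = [
    ("LinkedIn", "Summer2012!"),
    ("Apple ID", "Summer2012!"),
    ("Last.fm", "musicfan99"),
    ("Bank", "kV9#tq2Lw8$zR4pX"),
    ("Forum", "hunter2"),
    ("Webmail", "hunter2"),
]

if __name__ == "__main__":
    for service, reason in accounts_to_reset(SAMPLE_VAULT).items():
        print(f"{service}: {reason}")
```

Only the account with a unique password at a service that was not breached ("Bank" in the sample) is left off the reset list.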

How to change your iCloud Apple ID password

And turn on two-factor authentication (2FA), right?

Yes! With two-factor authentication, even if someone, somehow, does get your iCloud password, they still won't be able to access your account, change it, delete it, or attack it or you in any way, because they won't have the two-factor code in addition to the password. That keeps them locked out.

It's like having a key and a combination lock on your house, but the combination lock is changing all the time and only you know how to get the current one. Nothing's perfect, but 2FA makes you significantly safer than a password alone.

How to set up iCloud Apple ID two-factor authentication

Why does this keep happening?

Data is valuable. Data is power. Data is money.

It's why Google and Facebook want it. It's why banks and health organizations need to protect it. It's your personal, private pictures, your financial accounts, your medical records, your intimate communications — it's more about you than you likely remember at any given time.

Stealing it is a way to extort, blackmail, defraud, and otherwise profit from your data. Long, strong, unique passwords and two-factor authentication are a way to protect yourself.

Any iCloud, Apple ID, or password questions?

If you have any questions about iCloud, your Apple ID, or passwords in general, drop them in the comments below!

Rene Ritchie
