iCloud wasn't breached but you should still reset your password and set up 2-factor authentication

iPhone Lock Screen on an iPhone with Touch ID (Image credit: iMore)

A group of hackers who claim to have access to a large amount of iCloud (Apple ID) logins are threatening to wipe the accounts if Apple doesn't pay a ransom by April 7. The hackers didn't breach iCloud to get the data but collected it from a variety of other sources, including breaches of LinkedIn and Last.fm where identical passwords were used for accounts.

From Vice:

The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

If you have any concerns whatsoever about the security of your iCloud account, you're going to want to change your Apple ID password immediately and, if you haven't already, turn on two-factor authentication.

You're sure iCloud hasn't been hacked?

Pretty sure. Even the hackers say they didn't breach iCloud to get this data.

Has Apple said anything?

Yes, in a statement to CNET, Apple said:

"The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," Apple said in a statement. The company went on to say it is working with law enforcement officials to identify the hackers.

We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these types of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.

Then how did the hackers get the passwords?

Looks like they were aggregated from a variety of other sources. ZDNET has done some digging:

We provided the new batch of records to Troy Hunt, owner of breach notification site Have I Been Pwned, to analyze.

Hunt's analysis showed over 99.9 percent of the records matched to an account in his database. Most of the accounts matched with the Evony data breach from June 2016, while data from the 2012 breaches of Last.fm and LinkedIn social networking site were also likely used to construct the hackers' iCloud data set.

A list of databases allegedly collected by the hacker group appears to contain hundreds of entries.

How can hacking one system get you data for another?

At the risk of making a bad analogy: If your cottage has the exact same front door key as your house, and someone steals your cottage key, you need to change your house key as well or the thief can get into both.

If your cottage and your home have different front-door keys, if someone steals your cottage key, they can't also use it to get into your house.

In other words, if you used the same password for iCloud that you used for LinkedIn, Last.fm, or any other system that has even potentially been exposed over the last several years — and Yahoo! alone has had hundreds of millions of accounts exposed — then by getting the LinkedIn or Last.fm password, they also got your Apple ID password.
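The overlap check Troy Hunt ran for ZDNet, and the password-reuse point above, as an added example (not code from iMore, ZDNet or Have I Been Pwned): each record in an alleged "iCloud" list is tested against older breach dumps, so a near-total match rate shows the list was aggregated from third-party breaches rather than taken from iCloud. Every email, password, hash and breach source below is constructed for illustration.

```python
import hashlib
from collections import Counter


def hash_pw(alg, password, salt=""):
    """Hash a password the way a given (constructed) breach stored it."""
    return hashlib.new(alg, (salt + password).encode()).hexdigest()


# Constructed breach corpus: (source, email, hash algorithm, salt, digest).
# Old dumps rarely share a hash scheme, so each row carries its own.
KNOWN_BREACHES = [
    ("evony-2016", "alice@example.com", "md5", "", hash_pw("md5", "hunter2")),
    ("linkedin-2012", "bob@example.com", "sha1", "", hash_pw("sha1", "Summer2012!")),
    ("lastfm-2012", "carol@example.com", "md5", "s4lt", hash_pw("md5", "letmein", "s4lt")),
    ("linkedin-2012", "dave@example.com", "sha1", "", hash_pw("sha1", "otherpass")),
]

# Constructed "ransom" list: plaintext email:password pairs as handed over.
CLAIMED_LIST = [
    "alice@example.com:hunter2",
    "Bob@example.com:Summer2012!",
    "carol@example.com:letmein",
    "dave@example.com:unique-pass-not-in-any-dump",
]


def index_breaches(rows):
    """Group breach rows by lower-cased email for fast lookup."""
    idx = {}
    for source, email, alg, salt, digest in rows:
        idx.setdefault(email.lower(), []).append((source, alg, salt, digest))
    return idx


def match_claimed_records(claimed, index):
    """Map each claimed email to the first prior breach whose stored hash
    matches the claimed password, or None if no dump explains the record."""
    matches = {}
    for line in claimed:
        email, _, password = line.partition(":")
        email = email.lower()
        for source, alg, salt, digest in index.get(email, []):
            if hash_pw(alg, password, salt) == digest:
                matches[email] = source
                break
        else:
            matches[email] = None
    return matches


def summarize(matches):
    """Match rate and per-source breakdown, the figures Hunt reported."""
    by_source = Counter(src for src in matches.values() if src)
    matched = sum(by_source.values())
    return {"total": len(matches), "matched": matched,
            "match_rate": matched / len(matches), "by_source": dict(by_source)}
```

Dave's record matches no dump, so the constructed match rate is 75 percent; the real list's 99.9 percent is what made the aggregation explanation convincing.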

So, you need to change your iCloud password?

If you used the same password for another account that you used for your Apple ID password, you need to change your password. If you don't remember whether or not you re-used a password, you're going to want to change your password. If you've done anything other than use long, strong, unique pseudo-random passwords generated by a password manager app like 1Password or LastPass, you're going to want to change your password.

How to change your iCloud Apple ID password

And turn on two-factor authentication (2FA), right?

Yes! With two-factor authentication, even if someone, somehow, does get your iCloud password, they still won't be able to access your account, change it, delete it, or attack it or you in any way, because they won't have the two-factor code in addition to the password, and that keeps them locked out.

It's like having a key and a combination lock on your house, but the combination lock is changing all the time and only you know how to get the current one. Nothing's perfect, but 2FA makes you significantly safer than a password alone.

How to set up iCloud Apple ID two-factor authentication

Why does this keep happening?

Data is valuable. Data is power. Data is money.

It's why Google and Facebook want it. It's why banks and health organizations need to protect it. It's your personal, private pictures, your financial accounts, your medical records, your intimate communications — it's more about you than you likely remember at any given time.

Stealing it is a way to extort, blackmail, defraud, and otherwise profit from your data. Long, strong, unique passwords and two-factor authentication are a way to protect yourself.

Any iCloud, Apple ID, or password questions?

If you have any questions about iCloud, your Apple ID, or passwords in general, drop them in the comments below!

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • 2FA gave me massive headaches last night while trying to sign into my Apple TV. I disabled 2FA. I'm not too concerned, honestly. I have no data on my device that anyone will be able to use. 2FA seems like too much of a headache for an increase in security that I don't really need. Email backups, security questions, strong passwords, and account access notifications are just fine for me.
  • Blathering nonsense. Unfathomable pinheadedness. Add to that the requirement of 2FA for an increasing number of Apple services, like using the ATV4 as a Homekit Hub, unlocking your Mac with your Watch. I have 2FA turned on for as many sites that offer it, like Amazon, Social Security. You should too. It will be too late after you get hacked.
  • You know, if Apple were really concerned about this, they could just send a notification dialog - same like when they send you a dialog to your iDevice for 2FA when you access iCloud via a desktop browser - telling (maybe even forcing) users to change their password. Also, this Turkmenistan Cartel or whatever they're called - their ransom demands are pretty puny for the amount of IDs they claim to have. Even Dr. Evil asked for more on his first try. Either way, I change passwords for my most vital accounts every quarter, and changed my AppleID one again three days ago after discovering the ZDnet article, just to be extra safe. Don't have accounts on LinkedIn, Last.FM or whatever the heck Evony is. The only service I use that has a breach history on Have I Been Pwned's lists is Adobe, and am pretty certain I created my Creative Cloud account after their 2013 debacle. Should be good, for now (cue sinister music).....
  • Why reset if it wasn't breached? Posted via the iMore App for Android
  • Because the implication is that these people reuse the same password in multiple places. So their account could be compromised because *another* site was compromised. I think this could be related to something that happened a while back when LinkedIn was hacked. TL;DR: Someone hacked into LinkedIn and got those passwords, and some people use the same password for iCloud.
  • The thing with 2F Authentication is that you always need to have 2 devices with you, which is not always the case. If you happen to have an issue with your iPhone while traveling and you don't have any trusted device with you, you are out of luck.
  • No. No, you do not have to have two devices. That is simply not the case.
  • But if you have to restore a device you have to have a second one to receive your code right?
  • No. You can also use a backup code if you don't have access to the second device. Edit: You do only get a few of these codes, but it is still better than getting your accounts compromised.
  • Oh ok thanks!
  • Added two factor, changed password... lost my music. I was really hoping Apple resolved these 2015 era issues with Apple Music. I walked through all the recommended steps so far. And just a day or so after renewing my annual iTunes Match subscription. Sigh.
  • If*** you are using a third-party music app, you may need to generate an app-specific password that does not support 2FA. ...Maybe
  • You should update this to mention that it takes 3 days to turn on sometimes. I prefer to have it not Apple exclusive in case I need to access from something else. I think they still require a 3 day wait. If this is supposed to happen April 7th, you should alert people that the last day they can do this to be covered is April 3rd/4th.