By Lily Hay Newman for WIRED.
A hacker group called Turkish Crime Family says that it can access 250 million iCloud accounts, and will do so on April 7 to reset the password, locking people out of their accounts. They’ve even threatened to wipe people’s linked iPhones if Apple doesn’t pay up. And while it’s hard to tell how legitimate the threat is, their assertions make now as good a time to lock down your iCloud as ever.
The group says it has seven members, and has requested $700,000 from Apple to stand down. It also may be planning a demonstration of what they can do prior to the deadline. “We have something planned soon before the attack,” a member of the group tells WIRED.
For its part, Apple says that the group doesn’t pose a threat. “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the company said in a statement. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services. We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved.”
And yet the claims merit some credence, as the hackers have demonstrated that they can access a small group of accounts. That’s not proof of broad iCloud access, though. It’s a common practice on today’s internet for hackers to comb through username and password combinations from older company data breaches, and find credential sets that still work on other services. If someone reused the same password across numerous sites and then never changed it, all of those accounts become vulnerable as the result of one breach.
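The credential-replay pattern described above, seen from the service side, as an added example that is not from the article or from Apple: a small Python detector over constructed login-log lines that flags a source spreading attempts across many different accounts with mostly failures, then lists the accounts that source still got into, which are the ones whose reused password has been confirmed and should be forced through a reset and second-factor enrolment. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data): one source replays
# username/password pairs from an old third-party breach; most fail, a
# few succeed where the user reused the same password on this service.
AUTH_LOG = """\
2017-03-22T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2017-03-22T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2017-03-22T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2017-03-22T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2017-03-22T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2017-03-22T10:00:04Z ip=203.0.113.5 user=frank@example.com result=OK
2017-03-22T10:00:05Z ip=203.0.113.5 user=grace@example.com result=FAIL
2017-03-22T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2017-03-22T10:01:05Z ip=198.51.100.7 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse(log):
    """Yield (ip, user, succeeded) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def flag_stuffing_sources(log, min_users=5, min_fail_ratio=0.6):
    """Return source IPs whose attempts spread over many distinct accounts
    and mostly fail: the signature of a replayed breach list, as opposed to
    one person mistyping their own password a couple of times."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    return {
        ip for ip in attempts
        if len(users[ip]) >= min_users
        and failures[ip] / attempts[ip] >= min_fail_ratio
    }

def accounts_to_remediate(log):
    """Accounts a flagged source logged into successfully: their reused
    password is confirmed, so force a reset and second-factor enrolment."""
    flagged = flag_stuffing_sources(log)
    return sorted({user for ip, user, ok in parse(log) if ok and ip in flagged})
```

On the sample log the single-user retry from 198.51.100.7 is left alone, while the two accounts the replaying source opened are returned for remediation.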
“If there was a breach or not, you’ll have to wait and see otherwise it is empty threats and just allegations,” says one of the hackers, which may be the best assessment of the situation yet. Just to be safe, here’s how to protect yourself in case something sinister really is brewing.
First, change your password. Especially if it’s one that you also use on other accounts. A password manager can certainly help with this, but if you’d rather go the manual route there are some can’t-miss best practices you should deploy.
You want to change your password to something that’s at least 12-15 characters, and the longer the better, even if it has fewer random characters in it. Also make it an obscure reference — no pet names, first street you lived on, or mother’s maiden name. The full name of your childhood imaginary friend that you’ve always been too embarrassed to tell anyone about could work. Bonus if that imaginary friend had an imaginary birthday and you can sprinkle the digits throughout. You get the idea.
Now head to your Apple ID page, sign in, and click Change Password.
Seriously, go ahead. I’ll wait here.
Two-Factor Everything In
Beyond changing your password, there’s another robust step you can take to protect your iCloud account from what hacks may come. By setting up Apple’s two-factor authentication you add an extra security protection to your account that will keep intruders out even if they do have your current password. (Legacy Apple devices that can’t facilitate two-factor authentication for Apple ID because they’re too old can still use Apple’s “two-step verification” protection). Turning on some type of second-factor authentication will protect you from whatever is going on in this Turkish Crime Family situation, along with all sorts of other types of potential attacks.
You can turn the feature on in the iCloud Settings/System Preferences tabs of iOS and macOS devices, or you can log into your Apple ID account, scroll down to Security, and turn the service on under the Two-Factor Authentication section. From there, set up trusted devices — your iPhone and MacBook — that can receive the numeric codes that will act as the second authentication factor along with your password whenever you (or anyone) tries to log into your iCloud account from a new device. Without also having physical access to your trusted device, a hacker won’t be able to complete the login.
Once you change your iCloud password to something strong and unique (which you already did, right?) and turn on two-factor authentication you should be good to go. Whether Turkish Crime Family is legit or full of it, you’ll have improved the security on an important and valuable account.