Anatomy of an iCloud hack
You’ve heard the cybersecurity ransom story before. A victim receives a mysterious message threatening to lock or wipe their device if they don’t pay up as soon as possible, and the hackers typically aren’t bluffing. In the case of an iCloud hack, malicious actors can lock you out of your device and remotely wipe all of your data via the “Find My iPhone” app once they’ve compromised your account. Even if you don’t have “Find My iPhone” enabled, with access to an iCloud account, hackers can also read your mail, view your contacts, check your calendar, read your notes, and yes… download any pictures you’ve backed up to iCloud. In some cases, they might even be able to make purchases using your credit card if you’ve set up Apple Pay.
While it’s true you can sometimes recover from an attack like this by contacting Apple, the bad guys still have other tricks up their sleeves. For example, someone could reset your security questions, making it hard for you to reset your password. And if you haven’t enabled two-factor authentication, a hacker could link your iCloud account to a phone number you don’t control as the second factor. That action could lock you out of your account forever and by then, not even Apple can do anything to remedy the situation.
My personal iCloud hacking story
A friend of mine recently got the typical lock screen demanding payment of $150, which he ignored, and then he called me. He also told me of an email alert sent earlier with the subject line: “You have enabled two-factor authentication for your Apple ID.” Thankfully, when he read it closely, he saw that Apple provides a link that lets you undo two-factor authentication within two weeks of it being set up. After undoing the change and resetting his iCloud password (which was thankfully still the same), he was in the clear… this time. But if he had waited longer to move on the two-factor authentication hijack attempt, he could have lost control of the account permanently.
Lessons learned: Tips on how to avoid iCloud hacks
- An obvious, but important first step: make sure you use a strong password and tough security questions that hackers can’t easily guess.
- Set up two-factor authentication in advance, so you are the only one that can access your account (and so someone else doesn’t hijack this feature).
- Don’t reuse passwords across sites because if one site is compromised, they all are. (Check if your other accounts have been hacked using haveibeenpwned.com).
- Make sure you have good backups, so that in case your device is wiped or you get locked out of your account, you’ll still have your data.