You probably remember the massive iCloud breach in 2014 that resulted in compromised celebrity photos spreading through the internet like wildfire. That egregious invasion of privacy caused great embarrassment and damage to the reputations of nearly 100 A-list stars.
Fortunately, these bad deeds did not go unpunished. In 2016, two men were brought to justice for running the phishing scam used to obtain the celebrities’ iCloud usernames and passwords. However, these isolated arrests don’t mean everyone is now safe from iCloud hacks. On the contrary, even if you aren’t a celebrity, the dangers of cybercrime via iCloud are real no matter who you are or where you live.
In fact, in July 2016, CSO reported that up to 40 million iCloud accounts were targeted by Russian hackers as part of a ransom scheme that shut down Apple devices if payment was not delivered. That’s a sky-high and somewhat abstract number, and by their own admission, CSO doesn’t know how many accounts were actually breached. However, in my own firsthand experience, two people I know recently had their iCloud accounts compromised in the same week.
Anatomy of an iCloud hack
You’ve heard the cybersecurity ransom story before. A victim receives a mysterious message threatening to lock or wipe their device if they don’t pay up as soon as possible, and the hackers typically aren’t bluffing. In the case of an iCloud hack, malicious actors can lock you out of your device and remotely wipe all of your data via the “Find My iPhone” app once they’ve compromised your account.
Even if you don’t have “Find My iPhone” enabled, with access to an iCloud account, hackers can also read your mail, view your contacts, check your calendar, read your notes, and yes… download any pictures you’ve backed up to iCloud. In some cases, they might even be able to make purchases using your credit card if you’ve set up Apple Pay.
While it’s true you can sometimes recover from an attack like this by contacting Apple, the bad guys still have other tricks up their sleeves. For example, someone could reset your security questions, making it hard for you to reset your password. And if you haven’t enabled two-factor authentication, a hacker could link your iCloud account to a phone number you don’t control as the second factor. That action could lock you out of your account forever, and by then not even Apple can do anything to remedy the situation.
My personal iCloud hacking story
A friend of mine recently got the typical lock screen demanding payment of $150, which he ignored, and then he called me. He also told me of an email alert sent earlier with the subject line: “You have enabled two-factor authentication for your Apple ID.” Thankfully, when he read it closely, he saw that Apple provides a link that lets you undo two-factor authentication within two weeks of it being set up.
After undoing the change and resetting his iCloud password (which was thankfully still the same), he was in the clear… this time. But if he had waited longer to move on the two-factor authentication hijack attempt, he could have lost control of the account permanently.
Lessons learned: Tips on how to avoid iCloud hacks
- An obvious but important first step: make sure you use a strong password and tough security questions that hackers can’t easily guess.
- Set up two-factor authentication in advance, so you are the only one who can access your account (and so someone else doesn’t hijack this feature).
- Don’t reuse passwords across sites, because if one site is compromised, every account that shares that password is exposed. (Check if your other accounts have been hacked using haveibeenpwned.com.)
- Make sure you have good backups, so that in case your device is wiped or you get locked out of your account, you’ll still have your data.
It doesn’t matter if you’re a celebrity or an Average Joe… if you don’t follow security best practices, you are an easy target for hackers. The good news is that you can easily avoid financial loss, personal embarrassment, and the pain of having to deal with an iCloud fiasco by taking a few simple steps to make your phone and personal data more secure.
About the Author: Peter Tsai is an IT analyst at Spiceworks. Formerly a systems administrator, programmer, and server engineer who has lived IT from the inside and out, Peter now works to serve up IT articles, reports, infographics, and livecasts that inform and entertain millions of IT pros in the Spiceworks network worldwide. You can follow him on Twitter and LinkedIn, and you can read more about him on Spiceworks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.