Criminals have reportedly threatened to take over 250 million Apple accounts if Apple does not pay a ransom by April 7, 2017. Beyond the implications for Apple and its customers, this evolving situation highlights the need for good password hygiene, multi-factor authentication, and a plan to respond to extortion attempts.
According to Motherboard, who broke the story, the hackers contacted them and provided details of their scheme and screenshots of alleged emails between the group and members of Apple’s security team. ZDNet also reported communicating with the hackers, who allegedly provided them with a set of 54 credentials. ZDNet was able to contact some of the account owners and verify that the passwords were valid.
Apple has told the media, “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.” If that is the case, then only customers who used the same password elsewhere should be impacted. However, ZDNet reported, “three people said that their iCloud email address and password were unique to iCloud, and were not used on any other site — a key anomaly that, if accurate, we can’t explain.”
Several scenarios are possible: the criminals could be bluffing on the strength of a small number of credentials and leveraging media exposure; a large number of the passwords could be outdated; or they may genuinely hold the stolen credentials and either carry through with the threat or act before the April 7 deadline as Apple and its customers react to mitigate the risk. It is also possible that Apple’s servers could be swamped by users changing passwords.
From a customer’s perspective, criminals have allegedly threatened to reset Apple accounts and remotely wipe iPhones, and they have demonstrated possession of some credentials to the media, presumably to place increased pressure on Apple. A remote wipe would render an iPhone unusable, and changing the Apple account password would prevent users from restoring their phones. The same Activation Lock mechanism that prevents thieves from using stolen iPhones would be turned against owners until they regained access to their Apple account. Criminals could steal or delete data stored in iCloud (including backups) and wreak havoc with other Apple devices, including iPads, Macs, and Apple TVs. Abusing information from services such as Find My iPhone (for example, a device’s location) is also a possibility.
While there is some uncertainty as to precisely which accounts may have been compromised, the cost of changing a password is very low compared to the potential risks. Apple customers should therefore change their password immediately and turn on two-factor authentication. Information on two-factor authentication can be found at https://support.apple.com/en-ca/HT204915.
This incident highlights the need for good password hygiene. Using the same password for more than one account increases both the likelihood and the potential impact of a compromise. Given advances in password cracking techniques, the best approach is to use a password manager such as 1Password or LastPass to generate and manage random passwords. Where a random password is not practical, for example when it must be typed regularly instead of being filled in by a password manager, a long phrase made of several randomly chosen words with numbers and symbols between them will make compromise more difficult; the strength comes from the number of possible choices at each position, not from the pattern itself.
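As an added illustration of the two approaches above (not code from the column or from any password manager), the following Python generates both kinds of secret with the operating system’s CSPRNG and works out how many bits of entropy each construction actually carries. The 16-word list, the symbol set and the “word, digit, symbol, word” pattern are constructed for the example; a real passphrase generator would use a large published wordlist, because each word contributes only log2(list size) bits.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the example runs offline. A real
# generator should draw from a large published list (the EFF long list has
# 7,776 words), because entropy per word is log2(list size).
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble",
]
SYMBOLS = "!@#$%^&*-_=+"                                   # 12 symbols (assumed set)
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def random_password(length=20, alphabet=FULL_ALPHABET):
    """Password-manager style: uniformly random characters from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count=5, wordlist=SAMPLE_WORDLIST):
    """Typeable passphrase: random words joined by a random digit+symbol pair."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    separators = [secrets.choice(string.digits) + secrets.choice(SYMBOLS)
                  for _ in range(word_count - 1)]
    out = []
    for i, word in enumerate(words):
        out.append(word)
        if i < len(separators):
            out.append(separators[i])
    return "".join(out)


def password_entropy_bits(length, alphabet_size=len(FULL_ALPHABET)):
    """Each position is an independent uniform choice from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size,
                            digit_choices=10, symbol_choices=len(SYMBOLS)):
    """Only the random choices count; the fixed layout contributes nothing."""
    per_word = math.log2(wordlist_size)
    per_separator = math.log2(digit_choices) + math.log2(symbol_choices)
    return word_count * per_word + (word_count - 1) * per_separator


if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    print(f"20-char random password:      {password_entropy_bits(20):.1f} bits")
    print(f"5 words from a 16-word list:  {passphrase_entropy_bits(5, 16):.1f} bits")
    print(f"5 words from a 7,776-word list: {passphrase_entropy_bits(5, 7776):.1f} bits")
```

The numbers make the trade-off concrete: a 20-character random password is about 131 bits, five words from a 7,776-word list with random separators about 92 bits, and five words from the toy 16-word list only about 48 bits even with the digits and symbols. A phrase the user invents rather than draws at random has far less than any of these, because the words are no longer uniform choices.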
In addition to choosing a different complex password for each account, everyone should take advantage of multi-factor authentication (MFA). Amazon, Apple, Facebook, Google, Microsoft, and Twitter, to name only a few, offer it for free. It is important to remember that MFA augments account security; it is not a replacement for using a unique complex password on each site.
Businesses should learn from this situation and ensure they are prepared to face an extortion attempt. In addition to a clear policy against paying ransoms, employees must be trained to respond, taking into account the need to preserve evidence, and that criminals may provide emails, chat transcripts, and other information to the media in an attempt to pressure or damage the company. The process to notify an incident response team must be clearly documented, along with outside contacts in law enforcement, public relations, and digital forensics.
As with any type of incident, a good public relations plan should be in place. Draft news releases for common scenarios, including advice to customers, may be extremely helpful, especially in organizations without significant experience responding to security incidents.
In addition to an internal error, scenarios outside the organization’s control such as phishing, malware, or third-party breach could lead to the compromise of customer passwords. All businesses that store customer credentials should ensure they have the ability to quickly invalidate all passwords and force customers through a reset process.
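One way to build that capability, shown here as an added example rather than Apple’s or any vendor’s code: keep a single credential epoch counter next to the user records, so that one increment refuses every existing password and session without rewriting every row, and then let each customer back in only through a hashed, single-use, expiring reset token delivered out of band. The in-memory store, the test users and PBKDF2-SHA256 as the password hash are all assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # stand-in work factor; tune for the deployment


class CredentialStore:
    """In-memory stand-in for a user database (constructed for this example)."""

    def __init__(self):
        self.users = {}          # username -> {"salt", "hash", "epoch"}
        self.sessions = {}       # session token -> (username, epoch at login)
        self.reset_tokens = {}   # sha256(token) -> (username, expiry time)
        self.epoch = 0           # bumped once to invalidate every password and session

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt),
                                "epoch": self.epoch}

    def login(self, username, password):
        """Return a session token, or None. A correct but stale-epoch password is
        refused, which pushes the user into the reset flow."""
        rec = self.users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)   # same cost for unknown users
            return None
        if rec["epoch"] < self.epoch:
            return None
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.epoch)
        return token

    def session_valid(self, token):
        entry = self.sessions.get(token)
        return entry is not None and entry[1] == self.epoch

    def invalidate_all_credentials(self):
        """O(1) mass invalidation: every password and session older than the
        new epoch is refused from this point on."""
        self.epoch += 1

    def issue_reset_token(self, username, ttl_seconds=900, now=None):
        """Token goes to the customer out of band (email, SMS); only its hash is kept."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (username, now + ttl_seconds)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)     # single use, even on failure
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(new_password, salt),
                                "epoch": self.epoch}  # current epoch: login allowed again
        return True
```

The epoch trick matters at scale: a store with hundreds of millions of accounts cannot afford a table-wide update during an incident, but a single counter comparison at login costs nothing. Storing only the hash of the reset token means a leaked database snapshot cannot be used to complete resets, and popping the token on first use closes the window for replay.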
Businesses should also take the opportunity to review how their applications manage and protect passwords, including the provision of MFA. A future column will discuss common mistakes and how to architect systems to minimize the likelihood of credential compromise and theft.
So if you haven’t already done so, change your Apple password. Now.