Apple says none of its systems have been breached and denies that hackers are holding millions of iPhones and iCloud accounts to ransom.
“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the company said in a statement.
The statement comes after Motherboard reported on 21 March 2017 that a group of hackers calling themselves the Turkish Crime Family was threatening to wipe millions of iPhones and iCloud accounts unless Apple paid a ransom of $75,000 or handed over $100,000 worth of iTunes gift cards by 7 April 2017.
The hackers claimed to have access to up to 559 million Apple email and iCloud accounts, but did not provide any of the supposedly stolen credentials to verify this claim apart from a YouTube video they said showed a member of the group using stolen credentials to access an iCloud account and view photos.
The hackers reportedly shared screenshots of emails allegedly exchanged with Apple, including one where a member of Apple’s security team asked the group to share a sample of the stolen data.
According to Apple, the list of email addresses and passwords hackers claim to have appears to be from “previously compromised third-party services”.
A person familiar with the contents of the alleged data set said many of the email accounts and passwords contained in it matched data leaked in a past breach at LinkedIn, reports Fortune.
Apple said it will continue to “actively monitor” the situation and work with law enforcement to ensure that user data remains safe.
“To protect against these type of attacks, we recommend that users always use strong passwords, not use those same passwords across sites, and turn on two-factor authentication,” Apple said.
Independent security advisor Graham Cluley said the claims underline the potential for hackers to steal data and use the media to increase pressure on organisations to pay up to avoid exposure.
“I believe that companies should do everything in their power to protect their customers and prevent criminals from profiting from extortion,” he wrote in a blog post.
“I do hope that the media stories will help remind Apple users of the importance of using a strong, unique password to secure their account and enable two-factor authentication to make their accounts harder to break into,” he said.
Paul Calatayud, CTO at security firm FireMon, said anyone who does not use strong two-factor authentication on any account runs the risk of the password being harvested or guessed.
“For example, if my e-mail account happens to be Yahoo, and if that account is affected by the breach that recently came to light, then there is a chance that the attackers are already able to compromise other accounts I hold, such as my Apple ID,” he said.