Industry insiders told SC Media that Apple doesn’t believe the claims are true and that the cybercriminals have likely culled info from previous leaks.
Industry insiders told SC Media that Apple doesn’t believe the claims are true and that the cybercriminals have likely culled info from previous leaks.

A group of hackers are threatening to lockdown 200 million iCloud accounts if Apple doesn't pay a $75,000 ransom in bitcoin, or $100,000 in iTunes gift cards by April 7, however, some security professionals are calling bluff.

Industry insiders told SC Media that Apple doesn't believe the claims are true and that the cybercriminals have likely culled the info from previous leaks and are cross referencing the information to see if users are using the same credentials across multiple accounts. Furthermore the scammers are likely using the media to hype the situation.

"There have not been any breaches in any of Apple's systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," an Apple spokesperson told SC Media.

"We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."

Justin Jett, technical marketing manager at security analytics firm Plixer questioned the legitimacy of the breach and told SC Media that it's just another example of a high-profile extortion attempt by hackers.

“The discrepancies of information coming from the hackers and the lengthy advanced notice they provided, place into question the legitimacy of the breach,” Jett said. “Since there is no way to know for sure, iCloud users should take this opportunity to reset their passwords.”

He said the most prudent action that Apple could take would be to reset all iCloud account passwords, effectively preventing the blackmailers from taking any steps, a similar action to what Dropbox did last year when it experienced a data breach.

Jett said users should also bolster their own security by enabling two-factor authentication, requiring that an entity trying to access the account also have physical access to another device, such as a mobile phone

Webroot Senior Threat Research Analyst Tyler Moffitt told SC Media that it's very possible that the threat actors are bluffing and just trying to hype up their abilities.

“While there is a YouTube video of the hackers logging into a victims' account it's still only "proof" of a few accounts,” Moffitt said. “Showing full proof of access to 300M is impossible so it's just on the hackers' word and screenshots at this point.”

He added that cybercriminals have used this tactic in the past, but said it's also worth noting that the reason the extortion attempt has some teeth is that major tech corporations have been breached like this in the past.

Moffitt said just having access to the accounts doesn't give the attackers much leverage and that even the small advantage they currently hold will eventually expire. He said cybercriminals would have to actually start stealing the data in the accounts to gain any credence, which would enable them to increase the price last minute.

“If the hackers are only using the security flaw and don't have any customer data I think the deadline might be too long as it gives Apple ample time to figure this out and patch,” Moffitt said. “However, $75,000 is nothing to Apple and even just for information sake would make sense for them to pay the ransom to remove the deadline and find out how the hackers breached and find the full scope of vulnerabilities -I could easily see a deal where the hackers also disclose how and this is just a "bug bounty" gone very wrong.”

He went on to say that its likely Apple has, or will have, the alleged vulnerability patched long before the cybercriminal's deadline.

Tripwire Director of Security Research and Development Lamar Bailey told SC Media the whole ransom seems odd.

“If this is legit, the hackers would have had to obtain access to the individual user accounts via breaking the passwords of each of the user accounts or have acquired access to the Apple iCloud servers,” Bailey said. “The access to each user account is much more realistic since we have seen numerous reports of all the weak passwords people use for their computers and accounts.”

He added that if the hackers have password access to individual user accounts, they could erase phones remotely and change passwords for the Apple account locking the users out by changing passwords and making it harder for the account owners to access their devices.  

Some security pros do think there could be some truth to the group's claims. VASCO Data Security Chief Marketing Officer John Gunn told SC Media the attack may be the result of previous neglect on Apple's behalf.

“The claims are true to the extent that victims believe them and pay ransom rather than risk having their phone wiped as many undoubtedly will,” Gunn said. “This is current iPhone owners paying for the sins of Apple's past – because Apple previously did not use simple security techniques such as two-factor authentication and protection against brute force attacks, and experienced a major compromise, criminals can now take advantage of owners' fears of another security vulnerability.”

FireMon Chief Technology Officer Paul Calatayud said the fault may not rest with Apple.

“If you do not add two-factor strong authentication to any account, there is a chance that the password has been exposed, harvested, or guessed,” Calatayud said. “For example, if my e-mail account happens to be Yahoo, and if that account is affected by the breach that just occurred, then there is a chance that the attackers are already able to compromise other accounts I hold, such as my Apple ID.

Calatayud said he suspects Apple is well aware of this and that their position will be to quickly assist anyone that may be affected by providing them options to re-protect their account, but since Apple doesn't seem to have contributed to the compromise, he said Apple will not be paying any ransom.