
iCloud account just got hacked

I just received a bunch of emails from my friends saying that they got a spam email from my "me.com" account address.


What the heck is going on here? Nothing else was messed with on my account, just a bunch of random spam emails in my sent box.

Posted on May 16, 2012 4:37 PM

136 replies

May 18, 2012 8:29 AM in response to 4runr

I woke up this morning to find my account password had been changed / locked, even after I reset the password myself minutes after discovering the sent e-mail. The new password was more random than the first, so there should be no issues there (and I'm not using password managers, like some comments on other forums suggest). Additionally, I had not signed into my account on any device other than my iPhone. So far, no new sent mail in my iCloud account.


Still, the number of users saying that they hardly use iCloud suggests to me that this might have been a compromise on iOS devices. I had taken the additional step of wiping my phone afterwards also, and haven't used it for web browsing since. I'm wondering if the next iOS update we see will have some sort of critical security fix for Safari.

May 18, 2012 10:02 AM in response to Kallidoan

I was also hacked this morning 5/18 around 08:45 Eastern (US). My wife rcv'd a work at home spam on her work address. Googled & found this discussion. I happen to use my .mac / .me account as my main account so this is a pain. Went thru & deleted all contacts in iCloud address book & changed password as well per advice in the thread. Apple does lock/reset my password fairly often but not during this instance. Hopefully this will be cleared up soon. 1st time I've ever had any issues w/ my account & 1st time being hacked. Most embarrassing after having given my PC friends a hard time in the past...

May 18, 2012 10:25 AM in response to Kappy

Kappy's analysis describes many similar hacks, but clearly not this one. Someone spoofing a "from" address wouldn't cause the sent messages to end up in the victim's "Sent" mailbox.


That can only happen if the bad guy actually had the password of the victim.


Either iCloud has been hacked (which I doubt), or the users here are the victims of some kind of malware, like the Flashback trojan, that can be used to install 'keyloggers' to record usernames and passwords.


So far, my account hasn't been hacked. But I'm following this thread because I'm a Mac consultant, and I need to be aware of issues like this.

May 18, 2012 10:36 AM in response to yourmacexpert

You're assuming, of course, that all those compromised have a Mac.


Additionally, since the e-mails in the sent folder have "Apple webmail" or "MobileMe Webmail", this implies that the sent mail passed through the webmail service.


If an attacker had your username / password combo, and could pull your contacts, it would make more sense to send through SMTP directly. Since SMTP doesn't place a copy of the message in the "Sent mail" folder (your mail client does this with IMAP), the spammer would leave essentially no trace.


The fact that the header suggests the messages were pushed through webmail is what concerns me.
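
The reasoning in the post above can be turned into a quick check on an exported Sent folder. This is an added example, not part of the original thread: it assumes the "Apple webmail" / "MobileMe Webmail" string is carried in an `X-Mailer` (or `User-Agent`) header, and the sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: raw messages as exported from an account's Sent folder.
SENT = [
    "From: owner@example.com\nTo: friend@example.org\n"
    "Subject: lunch\nX-Mailer: iPhone Mail (9B206)\n\nNoon?\n",
    "From: owner@example.com\nTo: a@example.org, b@example.org, c@example.net\n"
    "Bcc: d@example.net\nSubject: work at home\n"
    "X-Mailer: MobileMe Webmail\n\nhttp://example.invalid/\n",
    "From: owner@example.com\nTo: e@example.org\nSubject: hi\n\nno mailer header\n",
]

def submission_path(msg):
    """Classify how a stored message was composed, from its mailer header."""
    mailer = (msg.get("X-Mailer") or msg.get("User-Agent") or "").strip()
    if not mailer:
        return "unknown", mailer
    if "webmail" in mailer.lower():
        return "webmail", mailer
    return "client", mailer

def triage_sent(raw_messages, owner_uses_webmail=False, known_clients=()):
    """Return one finding per Sent message the owner's own habits do not explain."""
    findings = []
    for index, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        path, mailer = submission_path(msg)
        rcpts = getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
        explained = (path == "webmail" and owner_uses_webmail) or (
            path == "client" and any(mailer.startswith(k) for k in known_clients))
        if not explained:
            findings.append({"index": index, "path": path, "mailer": mailer,
                             "recipients": len(rcpts),
                             "subject": msg.get("Subject", "")})
    return findings

if __name__ == "__main__":
    # The owner only ever sends from the phone's mail app and never uses webmail.
    for finding in triage_sent(SENT, known_clients=("iPhone Mail",)):
        print(finding)
```

Messages flagged here are the ones worth keeping and handing to the provider, since a copy in Sent with a webmail mailer string means an authenticated session composed it.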

May 18, 2012 10:37 AM in response to dtorshin

dtorshin wrote:


I have been hacked twice today too (after password change that happened again). Have no messages in my SENT folder, only replies from servers which cannot deliver messages. Apple phone support in Russia can't do anything, even check logs of SMTP server; they refused to help me, just said I have to change password or DELETE ACCOUNT (not e-mail at me.com).

You haven't been hacked. That is just regular old spam.

May 18, 2012 10:38 AM in response to yourmacexpert

I run Sophos Anti-Virus on my Mac 24/7, and do scheduled weekly full system scans. I have also specifically checked for Flashback several times during the height of its spread as well as since dealing with this problem and have never been infected with it. Indeed, no malware has been detected at all. Since this has all begun, I have also tried running a different anti-malware program just in case, Kaspersky, and it found nothing. There are also no unexplained processes running in Activity Monitor. I own and administrate my own computer, am the only person who uses my computer, and have never used a different computer not under my administration and full control to access my accounts. The password I use for iCloud is unique, it is not stored in a password manager, and I don't ever share passwords with anyone for any reason. Thus, while it is possible that there is malware that has evaded me, that seems very unlikely. I doubt iCloud in general has been compromised as this issue would likely be more widespread if that were true. Once again, I'm not blaming Apple, I just want people who have this issue to let Apple know so they can track it in case it is something nefarious. While it is possible I am wrong, I am not convinced that "user error" is a reasonable explanation for what's going on here.

May 18, 2012 10:47 AM in response to yourmacexpert

Kappy should find another line of work immediately.


FWIW I don't have a Mac nor do I use my @me account. Clearly Apple's servers have been compromised in some form or fashion to allow the hacker to push emails through the user's account. These are not spoofed spam messages. They have some level of access to the @me account by directly sending the spam email through the user's account as evidenced by the email showing up in the sent items folder.


They may not have all of the actual account details but they are controlling the event via a hole in Apple's servers IMO.



yourmacexpert wrote:


Kappy's analysis describes many similar hacks, but clearly not this one. Someone spoofing a "from" address wouldn't cause the sent messages to end up in the victim's "Sent" mailbox.


That can only happen if the bad guy actually had the password of the victim.


Either iCloud has been hacked (which I doubt), or the users here are the victims of some kind of malware, like the Flashback trojan, that can be used to install 'keyloggers' to record usernames and passwords.


So far, my account hasn't been hacked. But I'm following this thread because I'm a Mac consultant, and I need to be aware of issues like this.

May 18, 2012 10:53 AM in response to AAOO

Agreed, Kappy's response has only served to confuse the issue, and lead some users (and bloggers) to believe that this was just a case of spoofed e-mail, which it clearly wasn't. I'd like to see what Kappy thinks of the evidence that has since been posted, but he has been suspiciously quiet.


If the e-mail is in your sent box in iCloud, it came from YOUR account and CANNOT be a spoofed message.


I don't know how we can make this any clearer, other than having massive font sizes in neon colors.

May 18, 2012 11:26 AM in response to tsnow20

There is absolutely no cause to go trashing Kappy here. Given the information provided by the original poster, Kappy's advice was 100% correct.


Those few people who are seeing outgoing spam in their sent mail need to investigate further. However, not all posters in this thread have seen that. Even those that have seen sent spam have no proof to claim any kind of server compromise. There are still only a handful of postings there that even appear curious. Given the enormous size of iCloud, all of these posts are still well within the normal range of random unauthorized access that iCloud experiences every day.


If you think you have a "curious" situation, change your password and contact Apple. Don't delete the spam until Apple gets a chance to look at it. There is no need to remove your contacts from iCloud. The bottom line is that everybody gets spam. A little more won't hurt. If you are sure that something really fishy is going on, tell Apple. That is the only way it will get fixed.

May 18, 2012 11:32 AM in response to etresoft

etresoft wrote:


There is absolutely no cause to go trashing Kappy here. Given the information provided by the original poster, Kappy's advice was 100% correct.



From the original post:


What the heck is going on here? Nothing else was messed with on my account, just a bunch of random spam emails in my sent box.


Kappy's advice was to ignore mail that was in the user's sent folder, because it was spoofed mail. This is not "100% correct" advice as you claim. While Kappy probably made an honest mistake, even an edit to advise the user to look into the matter further would be more helpful.

May 18, 2012 12:03 PM in response to tsnow20

tsnow20 wrote:


From the original post:


What the heck is going on here? Nothing else was messed with on my account, just a bunch of random spam emails in my sent box.


Kappy's advice was to ignore mail that was in the user's sent folder, because it was spoofed mail. This is not "100% correct" advice as you claim. While Kappy probably made an honest mistake, even an edit to advise the user to look into the matter further would be more helpful.

Well, yes. You have a good point there. It was an honest mistake that I even repeated.


<sigh>

May 18, 2012 12:20 PM in response to etresoft

Bottom line is, I'm not interested in busting anyone's chops here. It's a frustrating issue, and I think we'd all be a lot happier with some solid answers. But I think the issue has been confused by a few (albeit well-intentioned) users who haven't fully comprehended the problem.


Also, since Apple clearly knows something is up (else my account password wouldn't have required a second changing this morning despite no new spam mail), it'd be nice to hear anything from Apple. Even a "We are currently investigating this issue" mail would've been nice.


Message was edited by: tsnow20
