Icloud account just got hacked

This happened to me very early this morning or late May 18th (EDT) and also on May 16th where my icloud/Apple ID pw abruptly stopped working. I had to change my pw via my security questions each time. I don't have an @me email address so no spam has been sent, as far as I know.

I'd really like some answers - hopefully we hear something soon. It's somewhat of a relief that this has been happening to others, at least.

My account also got hacked. A friend of mine asked me if I sent a dubious email with a link to a website. I told him that I did not and asked what the email address was. He mentioned it was my @me.com email.

I never use the @me.com email address, so I went and logged on my account.

To my surprise, there it was on the inbox several emails failed to be received from several of my contacts that are store in my icloud account including my lawyer and my investment contact.

I am writing to all of them now to apologize for this issue and I went and change my password but I would like to know what the heck happen apple?

ta2215 wrote:

I never use the @me.com email address, so I went and logged on my account.

To my surprise, there it was on the inbox several emails failed to be received from several of my contacts that are store in my icloud account including my lawyer and my investment contact.

Check to see if those messages appear in your Sent mailbox. If so, then your account was used to send them out and you are in the same boat as several others in this thread. If they aren't there then somebody forged your address as "From:" and sent them out. Since you say you never use that address, it should rule out anything on your Mac as responsible.

Let's see if I've go the story right.

iCloud, with over 20 million users, has been hacked for three days causing up to 50 people to have unauthorized access to their accounts.

Spam has a miserable click-through rate. It takes many thousands of spam message to get a single click through. It is only through massive volume that they can make any money at all. I don't see why anyonw would start spamming via a web interface. It just doesn't add up.

Even the normally Apple-obsessed blogs don't seem to be biting on this story. People are always getting their passwords cracked by either brute force or web pop-ups. That seems far more likely in this case than anything else.

Reset your AppleID passwords and move on.

I dont see anything in my sent folder. So you may be right but how did they get my contact list?

Apple had a "small problem" a few weeks back with what they said was an outage of around 2% of users. I believe Apple caught the problem early and were the cause of the outage themselves' to stem the problem from spreading any further. They either caught it early enough to say "we don't care about the collateral damage", cause it's not enough to make news. Or most iphone and ipad users that created and forgot about their icloud account don't know they were compromised and it's more wide spread then thought.

There is no way that random users had the EXACT same spam sent out from their actual mail box of ONLY their icloud account with a key logger. It seems like in my case, after being frustrated with the outage and deleting and reinstalling every account on my iphone, I ended up syncing all contacts to icloud and shortly after doing that it was compromised.

Is there a keylogger that attacks Ubuntu?

beaver822 wrote:

Is there a keylogger that attacks Ubuntu?

I'm sure there is, but you've lost me. How does that tie into this issue?

I've been using Linux for a while and wonder if keyloggers are more or less prevalent in Linux (I've not heard of it in Linux).

My account was hacked as well. It started to send e-mails yesterday to people in my address book in pairs of 3. I've change my password but it is highly unlikely that they have cracked my password or guessed any of my security questions. Also when I logged in, Apple warned me that my account had been locked. This is a serious problem. I think more people have been hit than we think at the moment. This might get out of hand.

Exactly as here, groups of 3, as if they attempted to prevent getting into some spam detection system they knew of.

Brute force guessing my pw is basically impossible, even if you ride on a bot network to get several dozen ghz of core i7 Gen3 power, it would take hours and I had to reset my pw twice within only a handfull of hours, not enough time to crack mine a second time without focusing on only that one.

Relax everyone, etresoft has it all figured out:

Any security breach of any kind would have to involve all 20 million users of the service.

The issue clearly doesn't involve too many people, because only 30+ have posted on it. Therefore, it can't be any kind of breach. You were just phished. Change your password and move on.

It doesn't add up, therefore the sent messages in your iCloud folder are simply a figment of your imagination. They don't exist. The headers, too, don't exist. Spamming via a webmail interface doesn't make sense, after all.

Blogs aren't talking about it, ergo, it didn't happen.

tl;dr: Your indifferent attitude gets us nowhere etresoft, I hope you enjoyed my sarcastic one.

This is a very big deal. Turn off your WiFi or ethernet RIGHT NOW and Print this out or write it down if you can. I had this happen to me this past Wednesday afternoon, it's now Saturday night. You can read all of my horror story by searching google for these keywords without quotes: "sophos Lion, iCloud hijacked, network poisoned, nightmare".

Basically this:

Wednesday afternoon between 1:02 and 1:03 PM, 10 emails were sent from my me.com email address. I caught that quickly, and changed my Apple ID's password and security questions. Two days later, I opened my MacBook and it wouldn't get any mail and asked for my Apple password again because someone else had changed it to lock me out. When MacBook is open, PS3 can't sign on to home network. When MacBook is closed/off, PS3 can sign on as normal. We are infected, folks.

What you can do to get a clean mac in a few hours:

ON THE MAC, TURN OFF YOUR INTERNET CONNECTION RIGHT NOW. Copy every subdirectory of your home folder somewhere else, like an external hard drive but DO NOT use time machine or any time machine drives or drives with anything important on them. Click your desktop, hold CMD and SHIFT and hit G. Type in ~/Library/LaunchAgents. This is where you will see some infected crap with keywords like FolderSync and if you inspect you will find out your files are being copied from your computer, somewhere else, using launchd system priveleges. Little Snitch isn't going to catch it either. If you have nothing there yet, or the folder doesn't even exist, mine didn't show up until 2 days after the spam emails went out!!! So WATCH YOUR LAUNCHAGENTS FOLDERS!!! Your Lion recovery partition may also be infected. I was UNABLE to restore to Lion from the boot loader. I was also unable to boot into anything using the U shortcut, i.e. any USB drives. You have to again login to Apple from the boot loader and give up your password there again! And even if you do that, which I tried already, so don't waste your time, the download will hang indefinitely. Lion will never download. Dig your Leopard DVD out of the closet and either stick it in the MacBook, or stick it in an external DVD drive and hook that into your MacBook Air. HOLD DOWN YOUR POWER BUTTON AND KILL THE MACBOOK'S POWER. Hold down the C button on your keyboard and then hit the power button to turn your macbook back on. For some reason, the U button i.e. for USB drives doesn't work for this, only the C button for CD does, even if you're using an external USB DVD drive. Follow the instructions to load Leopard onto the system and ERASE EVERYTHING on your infected hard drive. Finish installing Leopard. Configure Leopard, log in to Leopard, click the spyglass in the top-right corner and type in the word - terminal - and hit return. When the prompts come up, type in this, then hit return to run each command, line by line, MY NOTES WILL BE ***STARRED***:

diskutil list

***You're looking for the one that says "Recovery" something or other. You want to take note of the /disk0s2 looking part. Continue with the command below***

diskutil eraseVolume HFS+ Macintosh HD /dev/disk0s2

***IN THE ABOVE COMMAND, THE /dev/disk0s2 PART IS GOING TO HAVE TO BE WHAT YOUR SYSTEM REPORTED FROM THE diskutil list COMMAND!!! IT MAY BE THAT YOUR "Recovery" PARTITION IS ON /dev/disk0s3 OR EVEN /dev/disk0s1 SO YOU MUST MAKE SURE YOU'RE ERASING THE RECOVERY PARTITION. Complete the command above and then close the terminal.***

Now click the spyglass again in the top-right corner. Type in the words - disk utility - and hit return on the keyboard. Now in the column on the left, click the disk that is the parent to the Macintosh HD, also may be noted as your main partition, the one you're in now. Bring your mouse a couple inches to the right where it says "Partition" and then click on the bottom-right-corner of the big, blue box and drag the pyramid-looking shape all the way downward until it can't go any further. This is recovering the space from the infected partition so we can put it back later if we want Lion again in the future. Restart your Mac again and log back in. Now turn on your WiFi or Ethernet connection on your Mac and IMMEDIATELY click the apple in the top-left corner of the screen, click "Software Update..." after that and install every single update on there. It will ask to restart. When you are back again and ready to log in, immediately click the apple and "Software Update..." again. You will need to update again, one more time, making it three times you will need to run Software Update before you're safe to start googling stuff and checking your credit/debit accounts. I would recommend googling Sophos Mac because it's free antivirus software. People say it's good. I don't know because I just found out about it and I'm installing it on Leopard right now. Good luck out there.

Some friendly advice: Change your important passwords on the first of the month, don't keep ANYTHING secret or sensitive on your computers at all because it's never safe. Once it's mounted, it's accessible, even if it requires a seriously good password to open, once it's open it's accessible to possibly anybody. Print things out. Write them down. My macbook was sending some of my health records over to somewhere I have no idea where they went because they were being triggered by launchd to be synced on the mount of a specific drive I had my stuff on. Someone is watching, someone has our passwords and didn't hack them, someone has direct access to your Lion system. I don't know how, I don't know why. Just get off Lion if you've had the spam thing happen to you because two days later my personal records were bein sent over my network to somewhere I have no idea. Or just don't use that computer until this becomes more widespread and a fix is found. I need my laptop by Monday so I had to go back safely to Leopard because my recovery partition was infected with a very low level virus of some kind. It got between me and the boot loader & system recovery, between that and the apple servers and prevented me from restoring to a safe copy of Lion, and it has the ability to reset my apple id's passwords and perhaps see my security questions, billing info, cell phone and address. It also stole all of my contacts and emailed them spam, and reset my password two more times after I changed it from a secure, outside system. It jumped, I believe from my Macbook air to my wife's Macbook pro and when either or both of those laptops were on the network wifi at home, nothing that wasn't a Mac or PC could get onto the network, i.e. our PS3 had a network error and was unable to connect until we powered down the Macs, then immediately the PS3 connected. Best of luck. I also have a feeling if you try to keep your system files, not your user files, from this infection, you may be reinfecting yourself and so that's why I erased the Lion recovery partition. When I did that, Snow Leopard was finally mounting, even under Leopard I couldn't get it to mount until I deleted the Lion recovery partition and rebooted. Goodnight. Hopefully my password won't be changed on me by the morning. LO effing L

Hi Kungfumonkey,

I'm glad to see someone taking this seriously, although most of what you write means little to me - I'm not very tech savvy I'm afraid.

But I do feel that something more serious is happening than some of the above people realize.

I also had multiple passwords changed, including my Apple ID, and my security question, and my birthdate info!!

I am wondering how many of us who have experienced this have iPhones? I have a feeling it's something to do with the iPhone.

kungfumonkey wrote:

Click your desktop, hold CMD and SHIFT and hit G. Type in ~/Library/LaunchAgents. This is where you will see some infected crap with keywords like FolderSync and if you inspect you will find out your files are being copied from your computer, somewhere else, using launchd system priveleges. Little Snitch isn't going to catch it either.

Can you please give us more information about this? I've had that folder ever since I can remember and it's got almost a dozen items in it, all of which I can positively identify as legit. Can you please give us a list of exactly what the file names are.

How were you able to determine that files are being copied from your computer?

Why are you so sure that Little Snitch isn't going to catch them?

@tsnow20,

It is unfortunate when anyone gets their online identity compromised. Unfortunately, there is nothing that "we" can do about it. The is a user-to-user technical support forum. The best we can do is advise people on what steps to take when that happens. This thread has now descended into the realm of hysteria. What little utility it had is long gone - and I had nothing to do with that.

Signing off....