My devices have been hacked. What do I do?

Oleg Pliss is a well known software engineer and technology scientist. He would not go about asking for money to unlock iDevices.

Is it possible someone has had access to your Apple ID and password? Through iCloud they would be able to lock your devices with a passcode and send a message like the one you have received. Using your computer go to iCloud.com and log in with your Apple ID and password and see if you can see your devices and their status.

I had the same problem originally. This is what I was told to do (and did) over the phone with applecare support.

Turn off your phone.

Plug your cable into the computer and have itunes up (do not plug into the phone yet)

Press and hold the home key on your off phone (I did mine for about 10 seconds). If nothing happens, plug in the cable into your phone (keep holding the home key)

What you want to see come up is the picture of itunes and cable on the front of the phone

Your itunes should then recognise the phone as an unidentified phone

Select restore factory settings (it should down load some software) ~15 mins and automatically install

The phone should go through some of the standard reset screens (usually black screen with apple icon and loading bar)

You will be prompted to restore the phone.... do this from itunes not the phone

Throughout this process you must not let the phone or computer go into sleep mode.... and don't disconnect.

I had the same issue with the lock screen but it was related to sim card once I did the restore.

I had to set the erase from icloud website, but that didn't originally work as it requires connection to the internet for it to apply, hence plugging it into the computer.

I accidentally started setting up my phone via the phone and got stuck on the sim card lock screen so had to do it from scratch again and this time via itunes and all good. Hope that helps

I'm also reluctant to restore to factory. I still don't know how this happened, so I'm not sure if it can happen again.

So I just found this: http://support.apple.com/kb/PH2700

Specifically:

Note: If you forget the passcode, or if you set an EFI firmware password on your Mac before it was lost, then lock it and later find it, you may need to take it to an authorized repair center to unlock it.

This topic has grown very quickly, and there are many people saying a lot of different things. Rather than try to address everyone, I'm just going to stick to some general information about this kind of hack.

What has undoubtedly happened in all these cases is that your Apple ID has been hacked. How that may have happened, I don't know. It could be weak passwords falling to brute force attacks by a botnet. It could be that people "logged in" to a malicious fake Apple server in response to a phishing e-mail. It could be something else entirely.

Once the hackers have access to your Apple ID, they can remotely lock all your iOS devices with a message. They can also see any data stored in iCloud (calendars, contacts, e-mail, notes, etc). If you have a Mac with Back to My Mac enabled, they could potentially get remote access to that. They could also make purchases on your Apple ID.

The solution to the problem is to regain access to your Apple ID. (Erasing the device is not a solution in many cases.) Reset the password, and make sure to change it to something very secure. As an additional security measure, I strongly suggest that you enable two-factor authentication on your Apple ID. Doing so provides additional security, and should prevent the hacker from ever being able to take control of your Apple ID entirely away from you.

A couple things that it's important to understand:

1) It is entirely possible for a hacker to lock you out of your Apple ID permanently by changing your security questions or even enabling two-factor authentication, which would prevent you from resetting the password. If the hacker enables two-factor authentication, Apple will not intercede to give you access! This is a security measure for people who choose to enable this feature, since you wouldn't want a hacker to talk an Apple support rep into giving up access to your Apple ID.

2) If you have iOS 7 installed, and have chosen to turn on Find My iPhone/iPad/iWhatever, a hacker in control of your Apple ID can lock you out of your device permanently. You will not even be able to erase the device without providing the Apple ID password. If they manage to take control of your Apple ID permanently, then you obviously will not be able to do that any longer. Apple will not give you access to a device locked in such a way, as this is an anti-theft feature.

You should not be afraid of turning on Find My iPhone, which is an important anti-theft feature. Instead, simply enable two-factor authentication to make sure your Apple ID is secured, so nobody can manage to use this feature against you.

Note that enabling two-factor authentication does not guarantee that your Apple ID won't be hacked, so you still need to use a strong password. What it does protect against is changes to your Apple ID that would give the hacker permanent access. With two-factor authentication enabled, you will always be able to reset the password on your Apple ID and regain access to it, as long as you follow the directions and are careful to save the recovery key.

poppyp_z wrote:

I understand having to reset your Apple ID etc but I've done all that and there is still a pass code on my iPhone which I don't have! How do we get past that??

See the following instructions from Apple:

http://support.apple.com/kb/ht1212

to clarify, in my case the iPad still 'spoke' to itunes. Backed the iPad up, then put it into restore mode:

http://support.apple.com/kb/ht1414

Restored from the backup, and the iPad seems now to be working fine. Made sure, of course, that a passcode has been installed!

It would be nice to think that Apple has not been hacked but there are a number of sites reporting that iTunes was susceptible to Man-in-the-Middle until 16May2014 (Not sure of date but this date is in some sources)

Apple blocked the exploit with a release of iTunes.

http://support.apple.com/kb/HT5030

There are a lot of links to the story - although there is a good chance that they all quote a couple of original stories.

http://gadgets.ndtv.com/mobiles/news/icloud-activation-lock-allegedly-bypassed-b y-doulci-hacker-team-528915

http://appleinsider.com/articles/14/05/21/hackers-claim-to-have-exploit-for-iclo ud-use-vulnerability-to-disable-activation-lock

The advice from TallPete is good - DO NOT use passwords in more than one place.

The paranoia in me suggests that, if an earlier version of iTunes is being used, then it should be updated BEFORE changing the Apple ID password.

Message was edited by: TheRealMoriarty

Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).

There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.

There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.

Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.

It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."

A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.

If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try theOpenDNS servers or Google DNS servers.

For more information, and some info on fixing the problem, see my earlier responses:

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

thomas_r. wrote:

Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).

There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.

There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.

Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.

It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."

A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.

If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try theOpenDNS servers or Google DNS servers.

For more information, and some info on fixing the problem, see my earlier responses:

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Again, nowhere have I even hinted that peoples email accounts have been hacked, so where are you getting that from?

It's obvious that user accounts have been hacked.

There isn't enough evidence to suggest that Telstra is the problem, as proved by the number who aren't with Telstra. Coming from Australia, I can tell you, they are the biggest Internet service provider in the country.

Considering the small numbers of affected users (we're not talking about tens of thousands), it points more to smaller connection.

Stefarn wrote:

I have read a lot of these messages but unless I am missing something there is no answer to unlock my IPad. I have connected via PC but it won't let me factory restore as it says - "Find my Ipad" must be turned off before Ipad can be restored"

The Ipad is not connecting to the internet so cannot turn off remotely and as I can't get past the Passcode I can't turn on internet access or turn off "Find my Ipad" on the device itself.

Any useful advise would be great.

Try the advice from the bottom of this KB article.

http://support.apple.com/kb/ht1212

There's no point getting huffy at Apple, they didn't hack your account. Focus on getting it working and change all your passwords. If you use the same email address and password you use for your Apple ID, with other services, then change them immediately.

Try the advice from the bottom of this KB article.

http://support.apple.com/kb/ht1212

At the top of the page/thread I'm seeing

Branched to a new discussion.

with a link to a different thread, but when I try to click on that link/thread, I get a page saying "Unauthorized" and (in pinkish red)

It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.

Anyone else seeing this?

(Also wondering why this thread is dying down - no other US people affected?)

Greg Earle wrote:

At the top of the page/thread I'm seeing

Branched to a new discussion.

with a link to a different thread, but when I try to click on that link/thread, I get a page saying "Unauthorized" and (in pinkish red)

It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.

Anyone else seeing this?

(Also wondering why this thread is dying down - no other US people affected?)

It seems to have been closed off. That does happen, why, is anyone's guess.

Its past midnight in Oz now, so people have gone to bed. The US have just woken up, so we'll have to wait and see if this thing has spread. I'm done for today.

Hi veritylikestea,

This is an issue that has now spread though most of Australian citizens.

Here is a letter from the Australian Government:

Ransom attack targeting Apple products - change your Apple IDpassword: SSO Alert Priority High