
My devices have been hacked. What do I do?

i was using my ipad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by paypal to ****) to return them to me.


I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although i did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (gmail, etc) and see if there is any clue there.


Has this happened to anyone else? What can or should I do? Many thanks

<Email Edited by Host>

iPhone 5

Posted on May 26, 2014 4:57 AM

Question marked as Top-ranking reply

Posted on May 26, 2014 5:48 AM

hi Rojmer, thank you for your reply. I was pretty sure that whoever Oleg Pliss is, it's not really the name of the person who hacked my iDevices 🙂


I think that what you described is what happened - I have gone into iCloud and when I used the 'find my iphone' feature I did indeed see the message and that both the devices were locked. After a bit of research my husband suggested that I turn off 'lost mode' to see if that would restore functionality but this isn't working - each device says 'pending: stop lost mode' but are both still 'lost' despite being turned off before I tried to stop lost mode (if that makes sense).


I'm going to see about changing my icloud password now, as well...

456 replies

May 27, 2014 1:34 AM in response to kkneufeld

kkneufeld wrote:


Andrew J wrote:


Tigerlily75 wrote:


Oh wait ----- the password was the same as eBay!! I didn't even click as I hardly ever use eBay, (but it was one I changed last night!).

Ok, that makes sense. eBay was hacked into just last week. This is the source. If you haven't already, change your Apple ID and add secondary security precautions.

Doesn't make sense. There were global breaches to eBay. The Apple thing is localised to Australia and New Zealand. Also people have said they don't have eBay and were still affected today.

Apple servers communicate with Apple devices using encrypted data. The same goes for iTunes and the AppStore. It's highly unlikely someone after a few hundred bucks would be able to hack into Apple services. If he did, he wouldn't be harassing users for $100. They'd go after Apple for a few hundred million. This is a clear hijacking of email and passwords, gained from a third party server. eBay may just be ground zero, but I'm happy for you to prove me wrong.

May 27, 2014 1:38 AM in response to kkneufeld

kkneufeld wrote:



Doesn't make sense. There were global breaches to eBay. The Apple thing is localised to Australia and New Zealand. Also people have said they don't have eBay and were still affected today.

I haven't read where people who have been hacked, haven't used the same email and passwords on eBay. Many family members use the same Apple ID btw. Could be a family member has used it elsewhere too.

May 27, 2014 1:42 AM in response to veritylikestea

This explains why my iPad froze when I tried to open from the passcode screen. I ended up just turning it off and restarting using a hard reset.

Got my email tone when it logged back on to my network but there was no mail. Hasn't missed a beat since.


My daughter has my old i4 at the moment as I upgraded to an S4 but hasn't mentioned any problems.


Quite frankly, hackers are gutless little ***** who need to hide behind anonymity. They may think it's "fun" to jerk common everyday people around but it's nowhere near as much fun as what I'll have when I find one of them.

May 27, 2014 1:48 AM in response to Andrew J

Andrew J wrote:


You misunderstand what I meant. A hacker has obviously hacked into a server that contains user emails and passwords. If these people use the same email and password for their iCloud account, this is where the hacker has gained access. I never mention phishing scams at all. Let's try and be specific here so we can get to the root of the problem. Thanks.

I was replying to two people but only quoted yours. I do understand your point and am a programmer specialising in security.


My friend claims to have never used the password anywhere else, and I believe her.


I do not think this has anything to do with eBay or any other compromised database.

May 27, 2014 1:50 AM in response to abhibeckert

abhibeckert wrote:


Andrew J wrote:


You misunderstand what I meant. A hacker has obviously hacked into a server that contains user emails and passwords. If these people use the same email and password for their iCloud account, this is where the hacker has gained access. I never mention phishing scams at all. Let's try and be specific here so we can get to the root of the problem. Thanks.

I was replying to two people but only quoted yours. I do understand your point.


My friend claims to have never used the password anywhere else.

Seeing as data between Apple servers and devices are encrypted, it's far more likely your friend has either used the same email and password elsewhere, or has shared their Apple ID with a family member who may have. Apple servers are highly protected with many levels of security encryption. A punk kid asking for $100 from hacked users wouldn't have the brain power to hack Apple's servers. Think about it.

May 27, 2014 1:54 AM in response to Werewabbit

Werewabbit wrote:


I live in the UK and this has also happened to me yesterday. Very worrying. And not a peep from Apple yet. I have managed to change all my account details and passwords, but just feels worrying.

Do you use the email and password you use for your previous Apple ID on other services? If so, could you list the services you have used them on, so we can pinpoint the source. Thanks

May 27, 2014 3:07 AM in response to veritylikestea

I haven't been hacked thankfully but wonder if this has something to do with the exploit.


I received the following email on May 26th. It was the 3rd or 4th such email I received and went like this:


<<Dear Apple Customer,


Your Apple ID has been Disabled for Security Reasons!


Someone just tried to sign in into your Apple account from other IP Address.
Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.


To confirm your identity, we recommend that you go to <verify now>


Regards

Apple>>


It looked very legit with appropriate graphics and clean Applesque formatting but I deleted it...my usual response to communications I've not initiated.


This email was in the trash so I looked at the raw source to compare with legit saved emails I've received from Apple. Below is the raw source from the fake. Notable that the body is all in html without CSS. Much different to a legit Apple email. Also note the fake return path and the envelope from address. And the final and most obvious 'to me' tell is that they addressed this to me on an email that was not registered with Apple.


This is the raw source: I've deleted my details and used XXX where they appeared. Also bolded the fake link.


----------------------------------------------

Return-path: <do_no_reply@iclouds.co.nz>
Envelope-to: XXXXXXX@XXXX.co.nz
Delivery-date: Mon, 26 May 2014 14:16:13 +1200
Received: from postie1.hosting365.ie ([82.195.157.180]:54319)
    by kiwiwebhost.actin.net.nz with esmtp (Exim 4.80.1)
    (envelope-from <do_no_reply@iclouds.co.nz>)
    id 1WokSS-0003Vr-Ts
    for XXXXXXX@XXXX.co.nz; Mon, 26 May 2014 14:16:13 +1200
Received: from iclouds.co.nz (unknown [62.90.94.40])
    by postie1.hosting365.ie (Postfix) with ESMTP id 4E402A852F28A
    for <XXXXXXX@XXXX.co.nz>; Mon, 26 May 2014 03:16:10 +0100 (IST)
From: Apple <do_no_reply@iclouds.co.nz>
To: XXXXXXX@XXXX.co.nz
Subject: Apple ID Disabled for Security Reasons.
Date: 26 May 2014 05:16:09 +0300
Message-ID: <20140526051609.7C8FA3422DE61EB8@iclouds.co.nz>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<html>

<tr>


<td style=3D"padding&#58;20px 11px 40px 11px;background-color&#58;#ffffff;"=

>


<table width=3D700 border=3D0 cellspacing=3D0 cellpadding=3D0 align=3Dcente=

r style=3D"background-color&#58;#ffffff;" bgcolor=3D"#ffffff">


<tr>


<td width=3D700 valign=3Dtop>


<table width=3D648 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

=3Dcenter style=3D"background-color&#58;#ffffff;" bgcolor=3D"#ffffff">


<tr><td><img src=3D"http://iforce.co.nz/i/y4doyckl.f2u.gif" alt=3D"" w=

idth=3D648 height=3D122 border=3D0 style=3D"display&#58;block;"></td></tr>


</table>


<table width=3D630 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

=3Dcenter style=3D"background-color&#58;#f1f1f1;">


<tr>


<td>


<table width=3D490 border=3D0 cellspacing=3D0 cellpadding=3D0 align=3Dce=

nter style=3D"background-color&#58;#f1f1f1;">


<tr>


<td width=3D490 align=3Dleft style=3D"padding&#58;0 0 22px 0;">


<div style=3D"font-family&#58;Lucida Grande, Lucida Sans, Lucida Sans=

Unicode, Arial, Helvetica, Verdana, sans-serif;color&#58;#333333;font-size&=

#58;12px;line-height&#58;1.25em;"><span style=3D"font-weight&#58;bold;">Dear=

Apple Customer,</span><br>


<br>


Your Apple ID has been Disabled for Security Reasons!<br>


<br>Someone just tried to sign in into your Apple account from othe=

r IP Address.<br>Please confirm your identity today or your account will be =

Disabled due to concerns we have for the safety and integrity of the Apple=

Community.<br><br>To confirm your identity, we recommend that you go to <a =

href=3D"yAppleIdwoa/wa/appId-4191.returnURL-DaHR0cDovL3N0b3JlLmFwcGxlLmNvbS91c3wxYW9=

zZmU4OGZjNWIyNThhYWVhOTM5MzVjZjI2NTk1OGE3MWUwY2Y0MmI2OA26r3DSDHCD9JUYKX777H9=

KT/index.php" target=3D_blank>Verify Now &gt;</a><br>

<br>Regards,<br>Apple</div>

</td>

</tr>

</table>

</td>

</tr>

<tr><td style=3D"padding-top&#58;101px;"><img src=3D"nz/i/yowyomf2.4fe.gif" alt=3D"" width=3D630 height=3D21 border=3D0 style=3D"=

display&#58;block;"></td></tr>

</table>

<table width=3D490 border=3D0 cellspacing=3D0 cellpadding=3D0 align=

=3Dcenter id=3Decxaapl-footer style=3D"">

<tr><td style=3D"padding&#58;10px 20px 10px 0;">

<div style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-s=

erif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;">TM and Cop=

yright =A9 2014 Apple Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95014, U=

SA.</div>

<div style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-s=

erif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;"><a target=

=3D_blank style=3D"color&#58;#999999;text-decoration&#58;underline;" href=3D=

"http://www.apple.com/nz/legal/">All rights reserved</a> / <a target=3D_blan=

k style=3D"font-family&#58;Geneva, Verdana, Arial, Helvetica, sans-serif;fon=

t-size&#58;9px;line-height&#58;1.34em;color&#58;#999999;text-decoration&#58;=

underline;"=3D"http://www.apple.com/nz/enews/subscribe/">Keep Informed<=

/a> / <a target=3D_blank style=3D"font-family&#58;Geneva, Verdana, Arial, He=

lvetica, sans-serif;font-size&#58;9px;line-height&#58;1.34em;color&#58;#9999=

99;text-decoration&#58;underline;" href=3D"http://www.apple.com/nz/privacy/"=

>Privacy Policy</a> / <a target=3D_blank style=3D"font-family&#58;Geneva, Ve=

rdana, Arial, Helvetica, sans-serif;font-size&#58;9px;line-height&#58;1.34em=

;color&#58;#999999;text-decoration&#58;underline;" href=3D"https://appleid.a=

pple.com/cgi-bin/WebObjects/MyInfo">My Apple ID</a></div>

</td></tr>

</table>

</td>

</tr>

</table>

</td>

</tr>

</table>

<img src=3D"http://iforce.co.nz/i/m1gq1iu5.j3c.gif">

</div></div>

</div>

</div></div></div></div><input id=3D"atirp" type=3D"hidden" value=3D""/></di=

v>

</div></div>

</div>

=20=20=20=20

</body>

</html>


Message was edited by: toninoapa Forgot to mention that I'm located in NZ not Aus. ** I have just disabled the links...I think, by deleting the href tags. Wouldn't want anyone clicking the links! **If any of the links look active please do not click them.
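
The header tells toninoapa lists (brand display name on a non-Apple sender domain, fake return path, mail sent to an address never registered with Apple) can be checked mechanically. The following Python sketch is an added example, not part of the original post; the `BRAND_DOMAINS` allowlist, the finding labels and the `registered_address` parameter are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the post above (recipient redacted by the poster).
RAW = """\
Return-path: <do_no_reply@iclouds.co.nz>
Received: from postie1.hosting365.ie ([82.195.157.180]:54319)
\tby kiwiwebhost.actin.net.nz with esmtp (Exim 4.80.1)
\t(envelope-from <do_no_reply@iclouds.co.nz>)
Received: from iclouds.co.nz (unknown [62.90.94.40])
\tby postie1.hosting365.ie (Postfix) with ESMTP id 4E402A852F28A
From: Apple <do_no_reply@iclouds.co.nz>
To: XXXXXXX@XXXX.co.nz
Subject: Apple ID Disabled for Security Reasons.

"""

# Assumption: allowlist of domains the impersonated brand really sends from.
BRAND_DOMAINS = {"apple.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud")

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def is_brand_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw, registered_address):
    """Return the list of warning signs found in a raw header block."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    if any(w in display for w in BRAND_WORDS):  # mail claims to be the brand
        if not is_brand_domain(from_dom):
            findings.append("display-name-spoof")
            if any(w in from_dom for w in BRAND_WORDS):
                findings.append("lookalike-domain")
        if not is_brand_domain(domain_of(msg.get("Return-Path", ""))):
            findings.append("return-path-not-brand")
    # The oldest hop is the last Received header; "unknown" = no reverse DNS.
    origin = msg.get_all("Received", [""])[-1]
    if re.search(r"\(unknown \[[\d.]+\]\)", origin):
        findings.append("origin-no-reverse-dns")
    if parseaddr(msg.get("To", ""))[1].lower() != registered_address.lower():
        findings.append("sent-to-unregistered-address")
    return findings
```

Calling `triage(RAW, "owner@example.com")` with any address other than the redacted recipient reports all five findings for the message quoted above.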

May 27, 2014 3:07 AM in response to analogue cheese

if it helps in identifying the cause, her AppleID password was weak


I don't think that password strength is an issue, as I had originally stated. At this point, everyone affected seems to be from Australia. If it were an issue of weak passwords failing under a botnet attack, that would affect all Apple IDs with weak passwords, not just Australian Apple IDs.


Someone mentioned Telstra earlier too - Bigpond is our ISP.


Thus far, the only folks who have said what ISP they are using are using that one. (Though I haven't yet gotten to several pages of this topic that were posted overnight.) That may be the common denominator.

May 27, 2014 3:13 AM in response to Andrew J

Andrew J wrote:

I haven't read where people who have been hacked, haven't used the same email and passwords on eBay.


Someone earlier in this very topic said they don't even have an eBay account. This isn't related to eBay.


Nor is it an e-mail account breach. Too many different global e-mail providers are involved. That's not the common denominator.

May 27, 2014 3:31 AM in response to thomas_r.

thomas_r. wrote:


Andrew J wrote:

I haven't read where people who have been hacked, haven't used the same email and passwords on eBay.


Someone earlier in this very topic said they don't even have an eBay account. This isn't related to eBay.


Nor is it an e-mail account breach. Too many different global e-mail providers are involved. That's not the common denominator.

If you had read my posts correctly, you would have noticed I haven't said anything about email accounts being breached, but feel free to point me to where I did say that.


My suspicions are people who use their Apple ID email and passwords on other web services, are the ones who have been hacked. So let's be logical shall we.


1) It's localised to Australia and New Zealand, which may point to a localised server breach.

2) Each user has had their iCloud account accessed and their devices locked in request of cash.

3) Someone has gotten those email addresses and passwords from somewhere other than Apple.

4) It can't be Apple servers, otherwise there would be far more people affected, and any hacker worth their salt, wouldn't be asking for $50 for the efforts. Apple servers are highly protected with multiple encryption levels

5) So far, most people have admitted using their Apple ID email and passwords on other web accounts.

6) Heartbleed hasn't been patched on all servers. eBay had a breach just last week, thus my connection to eBay.

7) If you have any better hypothesis, I would be happy to share the load.

May 27, 2014 3:51 AM in response to thomas_r.

Not a valid theory as there are numerous victims who are not Telstra customers. My family uses Optus & Telstra and we had three devices compromised on both networks. The most likely - according to our work IT guys who are working on other employees' hacked phones - is that so far all of those affected have used a VPN anonymising service. Most in order to either access the US iTunes store, play games, or to stream movies that are Geo-Blocked in Australia.
