My devices have been hacked. What do I do?

I was using my iPad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by PayPal to ****) to return them to me.


I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although I did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (Gmail, etc) and see if there is any clue there.


Has this happened to anyone else? What can or should I do? Many thanks

<Email Edited by Host>

iPhone 5

Posted on May 26, 2014 4:57 AM

Question marked as Top-ranking reply

Posted on May 26, 2014 5:48 AM

Hi Rojmer, thank you for your reply. I was pretty sure that whoever Oleg Pliss is, it's not really the name of the person who hacked my iDevices 🙂


I think that what you described is what happened - I have gone into iCloud and when I used the 'Find My iPhone' feature I did indeed see the message and that both the devices were locked. After a bit of research my husband suggested that I turn off 'lost mode' to see if that would restore functionality but this isn't working - each device says 'pending: stop lost mode' but are both still 'lost' despite being turned off before I tried to stop lost mode (if that makes sense).


I'm going to see about changing my iCloud password now, as well...

456 replies
May 26, 2014 5:25 AM in response to veritylikestea

Oleg Pliss is a well known software engineer and technology scientist. He would not go about asking for money to unlock iDevices.


Is it possible someone has had access to your Apple ID and password? Through iCloud they would be able to lock your devices with a passcode and send a message like the one you have received. Using your computer go to iCloud.com and log in with your Apple ID and password and see if you can see your devices and their status.

May 26, 2014 6:37 PM in response to davefromtas

I had the same problem originally. This is what I was told to do (and did) over the phone with AppleCare support.


Turn off your phone.

Plug your cable into the computer and have iTunes up (do not plug into the phone yet)

Press and hold the home key on your off phone (I did mine for about 10 seconds). If nothing happens, plug in the cable into your phone (keep holding the home key)

What you want to see come up is the picture of iTunes and cable on the front of the phone

Your iTunes should then recognise the phone as an unidentified phone

Select restore factory settings (it should download some software) ~15 mins and automatically install

The phone should go through some of the standard reset screens (usually black screen with Apple icon and loading bar)

You will be prompted to restore the phone.... do this from iTunes not the phone


Throughout this process you must not let the phone or computer go into sleep mode.... and don't disconnect.


I had the same issue with the lock screen but it was related to SIM card once I did the restore.


I had to set the erase from iCloud website, but that didn't originally work as it requires connection to the internet for it to apply, hence plugging it into the computer.


I accidentally started setting up my phone via the phone and got stuck on the SIM card lock screen so had to do it from scratch again and this time via iTunes and all good. Hope that helps

May 26, 2014 7:02 AM in response to veritylikestea

I'm also reluctant to restore to factory. I still don't know how this happened, so I'm not sure if it can happen again.


So I just found this: http://support.apple.com/kb/PH2700


Specifically:

Note: If you forget the passcode, or if you set an EFI firmware password on your Mac before it was lost, then lock it and later find it, you may need to take it to an authorized repair center to unlock it.

May 26, 2014 12:10 PM in response to veritylikestea

This topic has grown very quickly, and there are many people saying a lot of different things. Rather than try to address everyone, I'm just going to stick to some general information about this kind of hack.


What has undoubtedly happened in all these cases is that your Apple ID has been hacked. How that may have happened, I don't know. It could be weak passwords falling to brute force attacks by a botnet. It could be that people "logged in" to a malicious fake Apple server in response to a phishing e-mail. It could be something else entirely.


Once the hackers have access to your Apple ID, they can remotely lock all your iOS devices with a message. They can also see any data stored in iCloud (calendars, contacts, e-mail, notes, etc). If you have a Mac with Back to My Mac enabled, they could potentially get remote access to that. They could also make purchases on your Apple ID.


The solution to the problem is to regain access to your Apple ID. (Erasing the device is not a solution in many cases.) Reset the password, and make sure to change it to something very secure. As an additional security measure, I strongly suggest that you enable two-factor authentication on your Apple ID. Doing so provides additional security, and should prevent the hacker from ever being able to take control of your Apple ID entirely away from you.


A couple things that it's important to understand:


1) It is entirely possible for a hacker to lock you out of your Apple ID permanently by changing your security questions or even enabling two-factor authentication, which would prevent you from resetting the password. If the hacker enables two-factor authentication, Apple will not intercede to give you access! This is a security measure for people who choose to enable this feature, since you wouldn't want a hacker to talk an Apple support rep into giving up access to your Apple ID.


2) If you have iOS 7 installed, and have chosen to turn on Find My iPhone/iPad/iWhatever, a hacker in control of your Apple ID can lock you out of your device permanently. You will not even be able to erase the device without providing the Apple ID password. If they manage to take control of your Apple ID permanently, then you obviously will not be able to do that any longer. Apple will not give you access to a device locked in such a way, as this is an anti-theft feature.


You should not be afraid of turning on Find My iPhone, which is an important anti-theft feature. Instead, simply enable two-factor authentication to make sure your Apple ID is secured, so nobody can manage to use this feature against you.


Note that enabling two-factor authentication does not guarantee that your Apple ID won't be hacked, so you still need to use a strong password. What it does protect against is changes to your Apple ID that would give the hacker permanent access. With two-factor authentication enabled, you will always be able to reset the password on your Apple ID and regain access to it, as long as you follow the directions and are careful to save the recovery key.

May 26, 2014 7:03 PM in response to tallPete

It would be nice to think that Apple has not been hacked but there are a number of sites reporting that iTunes was susceptible to Man-in-the-Middle until 16 May 2014 (Not sure of date but this date is in some sources).


Apple blocked the exploit with a release of iTunes.

http://support.apple.com/kb/HT5030



There are a lot of links to the story - although there is a good chance that they all quote a couple of original stories.

http://gadgets.ndtv.com/mobiles/news/icloud-activation-lock-allegedly-bypassed-by-doulci-hacker-team-528915

http://appleinsider.com/articles/14/05/21/hackers-claim-to-have-exploit-for-icloud-use-vulnerability-to-disable-activation-lock


The advice from TallPete is good - DO NOT use passwords in more than one place.


The paranoia in me suggests that, if an earlier version of iTunes is being used, then it should be updated BEFORE changing the Apple ID password.


Message was edited by: TheRealMoriarty

May 27, 2014 3:39 AM in response to veritylikestea

Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).


There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.


There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.


Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.


It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."


A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.


If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try the OpenDNS servers or Google DNS servers.


For more information, and some info on fixing the problem, see my earlier responses:


Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?
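
The post above describes DNS as a lookup from name to IP address that can hold wrong entries. The following is an added example, not part of the original post: it parses the A records out of raw DNS responses and flags answers outside an expected network. The 17.0.0.0/8 expectation, the function names and both sample responses are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: Apple-operated hosts sit in 17.0.0.0/8, the block that holds
# the 17.172.224.47 address quoted in the post above.
EXPECTED_NET = ipaddress.ip_network("17.0.0.0/8")

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Standard recursive query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer always ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    return addrs

def outside_expected(addrs, expected=EXPECTED_NET):
    """Addresses that do not belong to the expected network."""
    return [a for a in addrs if a not in expected]

def make_response(name, ip, txid=0x1234):
    """Constructed sample: a one-answer response such as a resolver returns."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_query(name, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
    return header + question + answer + ipaddress.ip_address(ip).packed

# Constructed data: one resolver answers inside 17.0.0.0/8, the other
# returns a documentation address (203.0.113.0/24) standing in for a bad entry.
ALT_RESPONSE = make_response("www.apple.com", "17.172.224.47")
ISP_RESPONSE = make_response("www.apple.com", "203.0.113.10")

if __name__ == "__main__":
    for label, resp in (("alternate", ALT_RESPONSE), ("ISP", ISP_RESPONSE)):
        addrs = parse_a_records(resp)
        print(label, [str(a) for a in addrs], "flagged:", outside_expected(addrs))
```

A name served from a content delivery network can legitimately resolve outside the expected block, so a flagged answer is a reason to check the site's TLS certificate before entering credentials, not proof of poisoning.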

May 27, 2014 3:56 AM in response to thomas_r.

thomas_r. wrote:


Okay, this topic has grown quite a bit overnight (well, overnight in the US anyway).


There's a lot of fairly random speculation going on, and even some completely unfounded and false claims (like that everyone affected has a stolen phone... that's nonsense). So let's try to summarize.


There has been no commonality found as to e-mail accounts used, so a hacked e-mail account is out. That would not fit with the affected users all being in Australia/New Zealand. Weak passwords being hacked by a botnet would also be insufficient to explain the locality.


Some users have mentioned receiving phishing e-mails, but I don't believe those are the issue either. With so many people reporting that they are using global e-mail providers (me.com, Hotmail, GMail, etc), there's simply no way that such phishing e-mails could have targeted only Australians. Further, people who mentioned the phishing e-mails also said they didn't fall for them. So that's out.


It's looking so far like everyone affected is using Telstra as their internet service provider (ISP). This could provide the common link, and the explanation as to why only people in one part of the world are being affected. My theory is that Telstra's domain name servers (DNS) have been "poisoned."


A domain name server (DNS) is a server used to convert a human-readable address (www.apple.com) into a numeric IP address (17.172.224.47). If a DNS gets "poisoned," it can contain entries that map the human-readable address to a malicious IP address.


If this happened with Telstra, affected users who provided a username and password on what they thought was Apple's site may actually have provided it to hackers. It may be a good idea to use an alternate DNS for the next few days, just in case, until the cause is determined. Try the OpenDNS servers or Google DNS servers.


For more information, and some info on fixing the problem, see my earlier responses:


Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Re: My devices have been hacked. What do I do?

Again, nowhere have I even hinted that people's email accounts have been hacked, so where are you getting that from?


It's obvious that user accounts have been hacked.


There isn't enough evidence to suggest that Telstra is the problem, as proved by the number who aren't with Telstra. Coming from Australia, I can tell you, they are the biggest Internet service provider in the country.


Considering the small numbers of affected users (we're not talking about tens of thousands), it points more to a smaller connection.

May 27, 2014 4:00 AM in response to Stefarn

Stefarn wrote:


I have read a lot of these messages but unless I am missing something there is no answer to unlock my iPad. I have connected via PC but it won't let me factory restore as it says - "Find my iPad must be turned off before iPad can be restored"

The iPad is not connecting to the internet so cannot turn off remotely and as I can't get past the Passcode I can't turn on internet access or turn off "Find my iPad" on the device itself.


Any useful advice would be great.

Try the advice from the bottom of this KB article.

http://support.apple.com/kb/ht1212

May 27, 2014 7:22 AM in response to veritylikestea

At the top of the page/thread I'm seeing


Branched to a new discussion.


with a link to a different thread, but when I try to click on that link/thread, I get a page saying "Unauthorized" and (in pinkish red)


It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.


Anyone else seeing this?


(Also wondering why this thread is dying down - no other US people affected?)

May 27, 2014 7:26 AM in response to Greg Earle

Greg Earle wrote:


At the top of the page/thread I'm seeing


Branched to a new discussion.


with a link to a different thread, but when I try to click on that link/thread, I get a page saying "Unauthorized" and (in pinkish red)


It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.


Anyone else seeing this?


(Also wondering why this thread is dying down - no other US people affected?)

It seems to have been closed off. That does happen, why, is anyone's guess.


It's past midnight in Oz now, so people have gone to bed. The US have just woken up, so we'll have to wait and see if this thing has spread. I'm done for today.

May 27, 2014 7:18 PM in response to veritylikestea

Hi veritylikestea,

This is an issue that has now spread through most of Australian citizens.

Here is a letter from the Australian Government:

Ransom attack targeting Apple products - change your Apple ID password: SSO Alert Priority High



27 May 2014

Apple device and Mac users should be aware that they may be targeted by hackers who lock you out of your device before demanding payment of a ransom.

In recent hours, a number of Australian Apple users have reported the ransom attack targeting their devices.

The information available is limited and may be updated as more information emerges.

With the possibility that this attack is linked to your ‘Apple ID’, affected users are advised to change your Apple ID password as soon as possible.

Users not affected may also consider changing their Apple ID password as a precaution.

Your Apple ID is your username for everything you do with Apple. It is used for identifying you as a user for most Apple products including iTunes, all your Apple devices, iCloud, the Apple Store and others.

At present many users are reporting that their phones or systems lock unexpectedly, they receive an email from ‘Find My iPhone’ and a message on their screen stating that their device has been, ‘Hacked by Oleg Pliss’. The message said that to unlock their device they should pay a ransom via PayPal, emailing the payment code to lock404[a]hotmail.com.

Currently there is only speculation about how the attacks have been carried out. Apple has not yet responded officially.

Reports by affected users suggest that this attack is possibly the result of hackers compromising the device owner’s Apple ID and using this to access their iCloud account. From their iCloud account a hacker can activate the device’s ‘Lost Mode’, and possibly reset the phone’s access code.

It is not confirmed if or how these Apple IDs and passwords were accessed, but suggestions include that hackers may be simply reusing information they may have discovered during a breach of other online services. Unfortunately, many people still commonly reuse the same password for many of their online accounts.

A hacker with access to your Apple ID can potentially lock any device associated with it remotely, they can see data you have stored in iCloud, access your Apple Store purchases and potentially set up two-step verification (also known as two-factor authentication) on your device, locking you out of your phone completely, and even remotely erase your device.

It is reported that affected users did not previously have two-step verification enabled on their devices.

Initial information also suggests that users who already have a passcode set on their device are still able to unlock it, but any users who do not have a passcode set may now encounter a lock code set by the hacker.

What can you do?

Do not pay the ransom.

Change your password for your Apple ID. You can use your Apple ID to recover your device(s) if it has been locked by the hacker.

You can switch off Lost Mode via iCloud.

If the hacker has set a new passcode lock on your device, you may be able to bypass this by using one of the methods suggested by Apple, however you should note these involve either erasing, resetting, or restoring your device from back up (if you have one).

Set up two-step verification for your Apple ID. Turning on two-step verification reduces the possibility of someone accessing or making unauthorised changes to your account information. Two-step verification requires both your password and a separate verification code sent to your phone (or other trusted device) in order to log in.

Affected users should contact Apple directly for more information. Apple has been able to help affected users recover their devices.

More specific advice may be provided by Apple shortly.
