
Ransomware Kalunga Russia iCloud Hack

My iCloud account was hacked by a source supposedly from Kalunga, Russia. My MacBook Pro and iMac desktop both show a lockout screen on start-up and ask for a four-digit PIN on my MacBook and a six-digit PIN on my iMac desktop. It says to email apple.device@gmx.com.


There are reported fixes on Reddit stating that resetting the PRAM/NVRAM by rebooting three times with the Option-Command-P-R keyboard combination will unlock the computer. I tried this and it does not work.


macosx - MacOS Ransomware with EFI Lock - Information Security Stack Exchange


Obviously someone has figured out how to hack into iCloud accounts, bypassing two-factor identification. This is a serious problem, and Apple seems to be ignoring it, as there is no information from Apple as to how to fix the problem or prevent iCloud accounts from being hacked. I assume Apple does not want to admit to security weaknesses.


If anyone has any information about this please post.



MacBook, Mac OS X (10.5.4), MacBook / PowerBook G4 / iBook / iMac G3's / AirPort Express / As

Posted on Aug 5, 2017 8:12 AM

Question marked as Best reply

Posted on Aug 5, 2017 12:44 PM

If this happened to you, they knew both your Apple ID and password. No other way for it to happen. It is/was not a hack of iCloud.


If you go to icloud.com and use your Apple ID AND your current password for a 2FA-enabled account, the prompt for the verification code will pop up. You will also see an icon for Find My Device, which can be used without the verification code.


This allows users to place their devices in Lost Mode or for a Mac, add a firmware password, without the verification code. Just click the Find My ... icon.




This is not a hack. You can't do this without the password.



This is a firmware password that was placed on your Macs. You should have received an email when it happened and your Macs rebooted spontaneously.



There is no workaround. You must present your Macs at an AASP or ARS with your proof of ownership and they will unlock them.



Use a firmware password on your Mac - Apple Support


There are reported fixes on Reddit stating that resetting the PRAM/NVRAM by rebooting three times with the Option-Command-P-R keyboard combination will unlock the computer. I tried this and it does not work.

Not any more. In previous, less secure versions of OS X, this was possible.

53 replies

Sep 21, 2017 2:20 PM in response to mirvine1

Same happened to me. Received a notification on my iPad that someone from Kaluga, Russia was attempting to access my iCloud and I hit "deny"... A few minutes after that my iMac powered down and came up with a lock screen asking for a 6 digit PIN, and displaying an official-looking but fake email address to contact. I had two-factor authentication enabled, that's how I knew the attempt took place from Kaluga, Russia because the two-factor authentication popup on my iPad showed it to me on a map and I pushed "deny" but they have evidently found a way past it. I created this iCloud account just a couple weeks ago, used a secure password with random letters and numbers, and have not entered my iCloud password anywhere except the official Apple website and in iTunes and on my iPad. I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from iTunes/iCloud or the Apple website.

Sep 21, 2017 2:23 PM in response to mirvine1

Same happened to me. Received a notification on my iPad that someone from Kaluga, Russia was attempting to access my iCloud and I hit "deny"... A few minutes after that my iMac powered down and came up with a lock screen asking for a 6 digit PIN, and displaying an official-looking but fake email address to contact. I had two-factor authentication enabled, that's how I knew the attempt took place from Kaluga, Russia because the two-factor authentication popup on my iPad showed it to me on a map and I pushed "deny" but they have evidently found a way past it. I created this iCloud account just a couple weeks ago, used a secure password with random letters and numbers, and have not entered my iCloud password anywhere except the official Apple website and in iTunes and on my iPad. I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from the official Apple sites/server.

Sep 21, 2017 6:21 PM in response to asdfasfwefwef

I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from the official Apple sites/server.


Yet that is the only way this could have happened to you.


They *had* your Apple ID AND password. Signing in to iCloud.com, as described by me earlier in this conversation, with screenshots, on a 2FA-enabled Apple ID allows one to bypass the verification code field and get to Find My Device. There, you can place a firmware lock on a Mac, or enable Lost Mode on an iOS device.


I find it improbable that you are the first victim of an Apple account server hack, as you suggest. I would think a hack of Apple IDs and passwords, a la Equifax, Yahoo etc., would have been in the papers.


The prevention of this is to not enable Find My Mac if you don't also have a firmware password in place. If there is one present, this "hack" can't be utilized.
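The script below is an added example, not code from the thread or from Apple. It encodes the preconditions the reply above identifies (Find My Mac enabled while no firmware password is set) as a check an administrator can run on an Intel Mac. It shells out to `firmwarepasswd -check`, which prints `Password Enabled: Yes` or `No` and needs sudo, and to `nvram`. The NVRAM variable name `fmm-mobileme-token-FMM` and the assumption that `nvram` exits non-zero when that variable is absent are assumptions of this example, not facts the thread states; the parsing and decision functions are kept pure so they can be tried against constructed command output on any platform.

```python
"""Added example (not from the thread or Apple): report whether a Mac is in
the state the thread describes as exposed to the Find My Mac remote lock,
i.e. Find My Mac enabled while no firmware password is set.

Assumptions of this example (not confirmed by the thread):
  * `firmwarepasswd -check` prints a line "Password Enabled: Yes|No"
    (Intel Macs; the command needs root).
  * Find My Mac stores a token in the NVRAM variable
    fmm-mobileme-token-FMM, and `nvram <name>` exits non-zero when the
    variable is absent.
"""
import shutil
import subprocess
from typing import Optional, Tuple


def firmware_password_enabled(check_output: str) -> Optional[bool]:
    """Parse `firmwarepasswd -check` output. None if the line is missing."""
    for line in check_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "password enabled":
            value = value.strip().lower()
            if value == "yes":
                return True
            if value == "no":
                return False
    return None


def find_my_mac_enabled(nvram_output: str, returncode: int) -> bool:
    """True when the (assumed) Find My Mac token variable is present in NVRAM."""
    return returncode == 0 and "fmm-mobileme-token-FMM" in nvram_output


def assess(fw_enabled: Optional[bool], fmm_enabled: bool) -> str:
    """Combine the two readings into the verdict the thread's reasoning implies."""
    if not fmm_enabled:
        return "NOT EXPOSED: Find My Mac is off, so no remote firmware lock can be placed"
    if fw_enabled is True:
        return "PROTECTED: Find My Mac is on, but a firmware password is already set"
    if fw_enabled is False:
        return ("EXPOSED: Find My Mac is on and no firmware password is set; "
                "anyone holding the Apple ID password can lock this Mac from icloud.com")
    return "UNKNOWN: Find My Mac is on; firmware password state could not be read"


def _run(cmd: list) -> Tuple[str, int]:
    """Run a command, returning combined stdout+stderr and the exit code."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr, proc.returncode


def main() -> None:
    # Live check; only meaningful on an Intel Mac with both tools present.
    if shutil.which("firmwarepasswd") is None or shutil.which("nvram") is None:
        print("firmwarepasswd/nvram not found: run this on an Intel Mac")
        return
    fw_out, _ = _run(["sudo", "firmwarepasswd", "-check"])
    nv_out, nv_rc = _run(["nvram", "fmm-mobileme-token-FMM"])
    print(assess(firmware_password_enabled(fw_out), find_my_mac_enabled(nv_out, nv_rc)))


if __name__ == "__main__":
    main()
```

Run it as `sudo python3 check_fmm_lock.py` on the Mac in question; a verdict of EXPOSED is the situation the reply above describes, and the fix it recommends is to set a firmware password before (or instead of) leaving Find My Mac enabled.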

Sep 22, 2017 8:16 AM in response to asdfasfwefwef

asdfasfwefwef wrote:


I find it very improbable that the hackers "guessed" my password or phished it from me...


They wouldn't have to. Do you use the same password on any other online accounts? If so, that account has probably already been breached at some point and your e-mail address and password are in the public domain.


Do you connect to untrusted wifi networks, such as those found in coffee shops, hotels, restaurants, etc? If so, you could have been phished or had a password that was sent insecurely captured and you'd probably never know.


Does someone else - a family member or friend - have your password? If so, you have to ask yourself in what ways they might have lost control of it.


Is your password a strong one, that can't possibly be guessed by anyone who has access to any of your other online accounts? If not, guessing is not an unlikely scenario.


Have you downloaded anything you shouldn't have lately? For example, if you downloaded Handbrake between May 2 and May 6 of this year, you may have gotten a compromised copy of the app that hackers had modified to drop malware on the system. Malware whose primary goal was to steal every piece of password-related data from your system.


As you can see from these examples, there are many ways that your account could have been compromised. And unfortunately, two-factor authorization does not protect against these remote locks via Find My iPhone, as has been pointed out previously on this thread.


If there were an Apple compromise, it would have been going on since at least early last year, when I documented a similar case. But there are no signs of such a compromise, and every indication that these hackers are getting account credentials through other means.
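The reply above argues that the password most likely came from an earlier breach of some other site where it was reused. The block below is an added example, not code from the thread: it shows how to test a password against a public breach corpus without ever transmitting the password, using the k-anonymity range lookup of the Pwned Passwords API, in which the client sends only the first five hex characters of the password's SHA-1 digest and compares the returned suffixes locally. The sample response body is constructed for this example (its counts are not real figures); only `pwned_count` contacts the network.

```python
"""Added example (not from the thread): check a password against a breach
corpus without sending the password, via the Pwned Passwords range API.

Protocol: GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
returns one "SUFFIX:COUNT" line per known hash sharing that prefix. The
35-character suffix of our own digest never leaves the machine; matching is
done locally. Lines with COUNT 0 are padding (sent when Add-Padding is on)
and mean "not found".
"""
import hashlib
import urllib.request
from typing import Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first line is our suffix; the others, and all counts, are made up.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
1E2AAA439972480CEC7F16C795BBB429372:0
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the API indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> Tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix that is not."""
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Return the breach count for `suffix` in a range response body, or 0."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def pwned_count_offline(password: str, body: str) -> int:
    """Evaluate a password against an already-fetched range body (for tests)."""
    _prefix, suffix = split_digest(sha1_hex(password))
    return count_in_range(suffix, body)


def pwned_count(password: str, timeout: float = 10.0) -> int:
    """Live lookup: only the 5-character prefix is transmitted."""
    prefix, suffix = split_digest(sha1_hex(password))
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(suffix, body)


if __name__ == "__main__":
    import getpass
    n = pwned_count(getpass.getpass("Password to check: "))
    print("seen in breaches %d times" % n if n else "not found in the corpus")
```

A non-zero count means the exact password is already in circulation and should be treated as known to attackers, which is the "e-mail address and password are in the public domain" scenario the reply describes; a zero count says nothing about the account's other exposure routes (phishing, malware, shared passwords) listed above.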

Sep 22, 2017 2:51 PM in response to mirvine1

I just experienced the same thing with my husband's iPhone. My daughter was on her iPad, which is on the same account as my husband's, and it popped up that someone in Russia was trying to use it, and he pushed "not allowed". Then his phone was put into Lost Mode along with my other daughter's iPad, with a passcode. It was weird that the iPad my daughter was on wasn't put into Lost Mode. All 3 devices are on the same account. We couldn't get into his iCloud at first; the password was changed. Then, after we finally did and turned off Lost Mode, we had to erase it to get the passcode off. After we did that to the phone, the passcode disappeared on the iPad without erasing it. Then we went to restore the phone, and after we did we noticed everything was gone from his iCloud. They erased it, all the backups were gone, and there is nothing in his iTunes. I was not happy when I came home to find out it happened and that he had emailed the people that did it from my computer. I hope there is nothing on it; he used my e-mail that I only use for a few specific important things. So I didn't pay attention to who sent the e-mail to me and opened it on my phone.

Oct 4, 2017 2:05 PM in response to mirvine1

Something similar happened to me October 2. My iPhone alarm to wake me up didn't go off, so I checked my iPhone and the first display on the screen was that it had been put into Lost Mode. The message said to contact an email address, which was made to look like an Apple email but wasn't; it ended with @post.com. I cancelled that and entered my iPhone PIN, and then a notification screen appeared requesting access to my Apple ID/iCloud account for use in Russia (not where I was). I clicked "Don't Allow". I use two-factor authentication for account security. I also had 2 emails from FMiP saying my iPhone was put into Lost Mode and then that it was found, both sent with the same time stamp after I was asleep. I had 1 email saying my Apple ID was used to sign into iCloud via a web browser, same time stamp as the 2 FMiP emails.



I contacted Apple today to verify account security and they said my account was not breached and was secure. I'm calling BS on that, as my iPhone was put into Lost Mode and an email was sent saying my iCloud was accessed after I was asleep.


How was that possible, since I had two-factor authentication enabled?

Oct 4, 2017 2:16 PM in response to ItsMeJC

Well, I didn't see there were 4 pages to this thread and didn't read page 1 until after posting. So, you don't need the two-factor authentication to put your devices into Lost Mode; you just need the Apple ID and password. I tried it myself and it worked. As far as locking them out, I'm not sure; I was fortunate not to have that problem.
