Apple has poured cold water on claims by a hacker group that it has gained access to hundreds of millions of iCloud accounts. In a statement provided to Fortune, an Apple spokesperson said that none of the company’s systems — including iCloud and Apple ID — had been breached, and that the alleged list of email addresses and passwords “appears to have been obtained from previously compromised third-party services.”
Motherboard first reported that a group calling itself the Turkish Crime Family was claiming to have stolen details for upwards of 300 million iCloud accounts in a bid to extort money from Apple. The group reportedly demanded $75,000 in either Bitcoin or fellow cryptocurrency Ethereum, or $100,000 of iTunes gift cards by April 7th, or else it would reset iCloud accounts and remotely wipe Apple devices.
"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," a self-described member of the group told Motherboard. The Turkish Crime Family said it had gained access to hundreds of millions of accounts, but wasn’t consistent with the details — one member of the group said 300 million, while another quoted 559 million.
According to Fortune, one of the compromised third-party services Apple mentions in its statement is likely to be LinkedIn, with many of the addresses and passwords in the Turkish Crime Family’s list corresponding with ones stolen during a massive security breach of the business networking site in 2012. The group wouldn’t be the first to repurpose LinkedIn’s data to target other companies: hackers have continued to use the data for nefarious purposes, either directly testing passwords to gain access to other services, or by presenting the logins as newly stolen information.
In communications with Motherboard, the hacker group allegedly showed a YouTube video in which one of its members accessed a woman’s iCloud account, giving them access to her photos, as well as the chance to remotely wipe the device. But it’s not clear whether this procedure was staged, and if it wasn’t, whether the group could replicate the process across its entire data set.
Even if the information is new and legitimate, Apple says it’s watching iCloud closely, “actively monitoring to prevent unauthorized access to user accounts,” while also working with law enforcement to work out who was behind the threats. “To protect against these type of attacks,” the company says, “we always recommend that users always use strong passwords, not use those same passwords across sites, and turn on two-factor authentication.”