When the Turkish Crime Family first broke into the news last week, they sounded like a crisis in the making. The group claimed to have stolen a massive trove of iCloud credentials — the first over 300 million, then as many as 559 million — and unless they got $75,000 from the company before April 7th, they would start remotely wiping phones. Apple responded with a limited denial, stating that company servers hadn’t been breached, but allowing for the possibility that the credentials had been obtained some other way. As journalists began to confirm smaller sets of profiles released by the group, it gave Apple users plenty of reason to be nervous. Were we headed toward some kind of mass iCloud hack?
Now, those threats are starting to unravel. Today, ZDNet examined the largest account drop yet — just under 70,000 login / password pairs — and found that 99.9 percent of the pairs matched accounts already included in a database of previous leaks. In short, the Turkish Crime Family was working from recycled public data. At the same time, Motherboard obtained documents showing the group using the data for a quick cash out, asking for $3,000 from the breach notification site Leakbase in exchange for bringing good publicity to the service.
It’s a confusing turn in an already confusing story, but the upshot should be reassuring to Apple users. If the database really is built from public credentials, it’s likely to be far smaller and far less damaging than the group initially promised. You should still change your iCloud password and set up two-factor verification — both of which are worthwhile regardless — but it’s looking less and less likely that you’ll need to. So far, the group seems to be more interested in securing a quick payout than causing havoc, which makes it far more likely that the April 7th deadline will come and go uneventfully.
To understand why the Turkish Crime Family threat isn’t so frightening, we’ll need to get a little more technical. The group seems to have pulled off a credential-stuffing attack, taking login / password pairs from a public leak and testing them against separate services. Out of the 117 million logins in the 2012 LinkedIn breach, for instance, one might find tens of thousands of logins that also worked for iCloud, simply because users kept the same password for both services.
Credential-stuffing attacks are a real and persistent threat, and one of the main reasons security writers tell you not to use the same passwords across multiple accounts. But it’s the kind of attack Apple and other companies deal with every day, either quietly forcing password resets or blocking suspicious logins. As a result, it rarely rises to the level of a crisis.
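The triage ZDNet performed on the group's sample, checking whether a "new" dump is really recycled from earlier public leaks, is a routine defender task. The script below is an added example, not ZDNet's tool or anything from Apple or The Verge; all credentials in it are constructed sample data, and it indexes pairs by digest so the comparison store never holds plaintext passwords.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[str, str]

# Constructed sample data (not real credentials): pairs from earlier public
# leaks, and a freshly advertised "new" dump to triage against them.
KNOWN_LEAKS: List[Pair] = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "letmein"),
    ("dave@example.com", "qwerty!"),
    ("erin@example.com", "sunshine"),
]
NEW_DUMP: List[Pair] = [
    ("Alice@Example.com", "hunter2"),      # same pair, different capitalisation
    ("bob@example.com", "password1"),
    ("carol@example.com ", "letmein"),     # same pair, trailing whitespace
    ("dave@example.com", "qwerty!2"),      # known account, password changed
    ("erin@example.com", "sunshine"),
    ("frank@example.com", "correct horse"),  # account not seen in any prior leak
]

def normalize_email(email: str) -> str:
    return email.strip().lower()

def pair_digest(email: str, password: str) -> str:
    # Index by SHA-256 of (normalised email, password) so plaintext is not stored.
    return hashlib.sha256(f"{normalize_email(email)}\x00{password}".encode("utf-8")).hexdigest()

def build_index(pairs: Iterable[Pair]) -> Tuple[Set[str], Set[str]]:
    digests, emails = set(), set()
    for email, password in pairs:
        digests.add(pair_digest(email, password))
        emails.add(normalize_email(email))
    return digests, emails

def overlap_report(dump: Iterable[Pair], known_index: Tuple[Set[str], Set[str]]) -> Dict:
    digests, emails = known_index
    report: Dict = {"total": 0, "recycled": 0, "known_account_new_password": [], "unknown_accounts": []}
    for email, password in dump:
        report["total"] += 1
        norm = normalize_email(email)
        if pair_digest(email, password) in digests:
            report["recycled"] += 1            # exact pair already public: no new exposure
        elif norm in emails:
            report["known_account_new_password"].append(norm)  # worth a closer look
        else:
            report["unknown_accounts"].append(norm)            # genuinely novel
    report["recycled_fraction"] = report["recycled"] / report["total"] if report["total"] else 0.0
    return report

if __name__ == "__main__":
    r = overlap_report(NEW_DUMP, build_index(KNOWN_LEAKS))
    print(f"{r['recycled']}/{r['total']} pairs ({r['recycled_fraction']:.1%}) already appear in prior leaks")
```

A dump that scores close to 100 percent recycled, as ZDNet's 99.9 percent figure did, adds nothing to what attackers already had; the two smaller buckets are the only rows that warrant forced resets.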
Apple did not respond to a request for comment, but Shape Security CTO Shuman Ghosemajumder, who previously worked on click-fraud protections at Google, says iCloud is likely expecting the attack. “Apple is certainly watching for an attack like this, particularly because of the announced threat,” says Ghosemajumder. “They definitely see credential stuffing attacks on iCloud accounts every single day, just like all major online account systems do.”
The Turkish Crime Family’s trick was making that credential-stuffing attack seem like something larger and more threatening. By claiming hundreds of millions of accounts and threatening attacks on a specific zero-hour, the old credentials suddenly seemed like an imminent threat — worth paying attention to, and maybe even worth paying for. But as more details came out, that case got weaker and weaker. It’s still hard to say for sure what will happen on April 7th — and again, entirely worth resetting your passwords — but the chances of a hacking apocalypse are looking slimmer by the day.