Apple: If hackers have our customers’ passwords, they didn’t steal them from us

If you were worried that hackers might wipe millions of iPhones, Macs and iCloud accounts, there’s some good news today.

If you remember, a group calling itself the “Turkish Crime Family” was claiming to have a stolen database of millions of Apple customer credentials, and threatening to wipe them remotely unless Apple agreed to pay a ransom demand by April 7th.

As news of the Turkish Crime Family’s threats began to make headlines, there was a worrying silence from Apple, which can’t have done much to reassure its customers.

But now, in a statement issued to Fortune, Apple has declared that its systems had not been hacked:

“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

All of which, of course, does not necessarily mean that hackers don’t have their sweaty paws on Apple customers’ usernames and passwords. After all, they may have grabbed them courtesy of one of the other high-profile megabreaches (LinkedIn and Yahoo spring instantly to mind).

But don’t worry, if the extortionists do still follow through with their threats, Apple isn’t leaving its users high and dry:

“Apple is actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”

Frankly, this is great advice.

Yes, you should always have strong, hard-to-crack passwords. And you should always ensure that your password is unique, and not being used on any other sites.

But more than that, enable two-factor authentication (2FA) on your Apple-related accounts. 2FA is the arch enemy of account hackers, because it means that they’ll need more than just your password to gain access.

In all likelihood, anyone attempting to break into your 2FA-protected account will simply find it too difficult – and attempt to find someone else who has been less diligent about defending their online lives.

There is little reason for you to feel nervous if you have been following the advice we have been offering here on the Hot for Security blog for years: make your passwords strong, make them impossible to guess, make them unique, and enable two-factor authentication to harden your account security.

If you adopt best password practices you will have dramatically reduced the chances of having your account compromised and – if it ever does happen – reduced the impact that it will have on the rest of your online existence.

Meanwhile, it remains to be seen if the Turkish Crime Family follow through with their threats. Until we see evidence to the contrary, I think it might be wise to be a little skeptical – whilst still ensuring that our accounts are properly secured.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


  • Graham. I'm pretty good with my password practices and use 2FA on sites that require it. But what options do I have if my wife and I access accounts using the same user info from different locations? Or if an app needs to automatically access an account to gather information? 2FA makes that impossible doesn't it? Thanks. Tom

  • Jimmy Kimmel did something with that talking doll device a couple of nights ago. This one was in a black column, not a doll. He had it order boxes of some kind of noodles @ $50 each. Then he ordered it to play "Who Let the Dogs Out?" at top volume. He demoed this thing can't hear command prompts to shut down when it's playing full blast!

  • I've had someone hacking my mobile phone for months now. I've changed devices, carriers, phone number, but yet they keep finding ways. This is pure torture. I've seen my phone do things you'd see in a movie. Luckily I was raised around guns and always have one, the only reason I feel safe. So many people lack knowledge of this; people start believing you're crazy. When your camera turns into a static screen looking like a TV it kinda freaks you out, but who do you go to when even the techs look at you like you've lost it? Guess a lot of people have to be stalked and killed to get more recognition. Thank you for the work you guys put into helping people like me. Although my hacker is still there, at least now I can cover my phone when I don't want to be seen. Be safe and pay attention, people!