Hackers Are Threatening To Wipe Hundreds Of Millions Of iPhones: How To Protect Yourself
A group of hackers calling themselves “Turkish Crime Family” is claiming they can access up to 559 million Apple email accounts on the icloud.com and me.com domains.
They’re demanding Apply pay $75,000 in bitcoin or ether, another cryptocurrency, or $100,000 in iTunes gift cards by April 7 in exchange for deleting the data, Vice’s Motherboard blog reported Tuesday. Otherwise, they’ll use the passwords to reset the phones and delete the photos, videos, text messages and other personal data on them.
Fortune reports that Apple states that its systems have not been breached and other sources assert the data may have come from pilfered LinkedIn accounts.
Whether or not the hackers are indeed in possession of these passwords, you can protect the contents of your phone in case. Just make sure to follow these steps before April 7.
1. Change your password to a “high-entropy” one.
A high-entropy password consists of random numbers, upper and lower case letters and special characters. You can use a password manager, such as LastPass to create and manage such passwords for you.
You can also create your own random passwords using simple rules that only you know. For a previous story I wrote on phones being wiped by “phone hijackings” in which an attacker gets a phone company to switch a person’s phone number to their device and then uses it to reset that person’s email, bank and other accounts, I interviewed Brett McDowell, executive director of the FIDO (Fast Identity Online) Alliance, an industry organization of 250 companies working on standards for stronger authentication. He recommended creating a core password of random numbers and letters that you memorize, and then tweaking it for each website you use.
An example he gave was that, for United.com, you could remove all vowels and shift the consonants to two letters later in the alphabet. So if your core high-entropy password is 1A@0z# (though, preferably, it’s longer), then you add WPVF (all two letters later in the alphabet than UNTD) to the middle of it to create the password 1A@WPVF0z#.
2. Don’t answer your security questions the same everywhere.
In case the database the hackers breached also contained the answers to security questions, make sure your answers differ slightly from site to site. Use a similar rule to the email one described above to create unique answers for each site.
3. Set up two-factor authentication with a secure phone number.
Set up what’s called two-factor authentication on your account, which requires you to enter a security code texted to your phone when you want to log in. If, for any reason, you think you might be a high-value target and that your phone could be hijacked — moved to your hacker’s phone — to lock you out of your account, choose a number separate from your main phone number, preferably a Google Voice number. (Hijackers can’t take those without your consent, whereas they can easily steal your number if they talk to a lax customer service rep at a regular mobile carrier.) For more information on protecting your accounts from being hacked via a stolen phone number, read this story.