What to do if your Apple ID has been hacked


Apple iCloud 'hacked' in China
Make two-factor verification easier to set up. This is not only because Apple devices have become so popular, but also because Apple IDs typically provide purchasing power. However, if the hacker has taken over your e-mail account or has changed your security questions, or if you have made the error of forgetting the answers to your security questions, you will need to seek help from Apple.

How to undo the hack

This is how easy it is to hack someone’s iCloud with their security questions

With Family Sharing, you can share a calendar, photos, reminders, and more without sharing your Apple ID.

You shared your password with someone else intentionally or unintentionally. For example, someone else selected your password for you, you told someone your password, or you might have entered your password on a "phishing" site. Your password is weak or has been compromised.

How do I know if my Apple ID was compromised?

You see charges or notices for purchases that you didn't make. Your password no longer works, or it might have been changed or locked.

How can I gain control of my Apple ID?

Sign in to your Apple ID account page. Review all the personal and security information in your account. Your primary Apple ID email address. All alternate email addresses, rescue email addresses, and phone numbers. Security questions and answers. If you think they might be easy to guess, you should change your security questions.

EPPB is a program that makes it possible for a user to download iCloud backups from Apple's iCloud servers onto a computer. Once there, the backups can be scoured for information including camera rolls, messages, email attachments and more. In essence, the app reverse-engineers Apple's "restore iOS backup" functionality, only instead of downloading the backed up data to a physical device, it downloads it to the cloud.

Perusing through various image boards on 4Chan and AnonIB, it's clear that EPPB is the tool of choice for most individuals involved in the types of iCloud "rips," as they are known, that are believed to be at the center of the celebrity photo thefts.

EPPB even promises to let users access iCloud backups without a password. Yes, there are caveats, but that promise was intriguing. Curious (and a bit concerned), I decided to figure out how this software works and try to theorize just how easy it would be for anyone to do their part to break into an iCloud account. My initial target was myself, though I soon found that it would be remarkably easy to use this type of software to access the iCloud backups of my colleagues, my spouse and many of my family members.

Even after reading through various image boards and seeing boasts of how easy it was to "rip" iCloud backups, I held out hope that the process of actually downloading my own iCloud data would be slightly difficult. Sure, many of the boasters sounded unintelligent (and not tech savvy in a way that most good cracker types usually are), and sure, the website for EPPB had disarmingly simple-looking screenshots, but surely the process for breaking into my own iCloud account would be difficult.

All you need is someone's iCloud password and then, two-factor authentication or not, you can download the content of their iCloud backups in minutes. OK, so how does someone obtain an iCloud password? Well, again, this was easier than I thought it might be. As Nik Cubrilovic outlines in his excellent post on the data theft, there are a few common vectors (that is, attack holes) for obtaining an iCloud password.

Cubrilovic lists them in order of popularity and effectiveness. The first possibility, using a password reset, can be remarkably effective. As Cubrilovic notes, "Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account.

While Apple do not reveal if an email address is a valid iCloud address as part of the recover process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email — so verification or brute force attempts are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step are the two security questions."

In other words, it's very easy to figure out if an email account is connected to an Apple ID. Step 2 is as simple as knowing the account creator's birthday. This information is often widely available, thanks to Facebook, credit reports and other information across the web. For celebrities, that information might even be in Wikipedia. The next step requires answering two security questions. This comes down to simple social engineering. I entered in her iCloud username and her birthdate, and then came across two security questions.

It turns out, I only knew the answer to one of the questions. Simply hitting "refresh" on the question page, however, led me to a new combination of questions. Eventually, I managed to get a pair of questions I could answer. Until Monday, the process could have been even easier, thanks to a brute-force tool that took advantage of Find My iPhone's lack of rate-limiting.

Apple has since closed that hole, but with a particularly bad password and some time (so as not to trip up the rate-limiting), this is an option too. In fact, I was able to use an iBrute-like tool to crack my own password which, to be clear, was chosen to be extremely easy to crack.
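A defensive sketch of the two controls whose absence the account above relies on: a security-question pair that stays pinned across page refreshes, and a failure counter shared by every endpoint that checks a credential. This is an added example, not code from the original article or from Apple; the class name, thresholds and secret are assumptions.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: per-deployment secret
MAX_FAILURES = 5                             # assumption: policy values
LOCKOUT_SECONDS = 15 * 60
PIN_WINDOW_SECONDS = 24 * 3600


class RecoveryGuard:
    """Hypothetical per-account guard used by sign-in, recovery and device APIs alike."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}  # account -> (failure count, time of first failure)
        self.log = []       # (account, endpoint, result) for later review

    def pinned_questions(self, account, question_ids, k=2):
        """Choose k questions deterministically so a refresh cannot re-roll them."""
        window = int(self.clock() // PIN_WINDOW_SECONDS)

        def rank(qid):
            msg = f"{account}|{window}|{qid}".encode()
            return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

        return sorted(question_ids, key=rank)[:k]

    def allowed(self, account):
        count, first = self.failures.get(account, (0, self.clock()))
        if self.clock() - first >= LOCKOUT_SECONDS:
            self.failures.pop(account, None)  # window expired, start fresh
            return True
        return count < MAX_FAILURES

    def attempt(self, account, endpoint, check):
        """Run check() only when the account is not locked, whatever the endpoint."""
        if not self.allowed(account):
            result = "locked"
        elif check():
            self.failures.pop(account, None)
            result = "ok"
        else:
            count, first = self.failures.get(account, (0, self.clock()))
            self.failures[account] = (count + 1, first)
            result = "denied"
        self.log.append((account, endpoint, result))
        return result
```

Keying the counter on the account alone lets an attacker lock out the real owner, so deployed systems usually pair it with per-source throttling and an out-of-band unlock path.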

Like, it was Passw0rd1. Apple wouldn't let me use Passw0rd, but Passw0rd1 was just fine. Well, this is where EPPB comes into place. The program, which runs on Windows, simply asks for the username and password of the iCloud account in question. Simply log in and you'll be greeted with the available device backups from that particular user.

Now, this will download everything from my latest iCloud backup. It's basically the same as an iTunes backup you would do normally on your computer, but with a major exception: With iTunes, you can opt to encrypt your phone backups, which would require another passcode or security code to access. With iCloud backups, that isn't the case. Although the iOS Keychain file is encrypted (but there are tools that can help crack that), the actual files themselves, including your camera roll, call history, messages and other data, are not.

EPPB even lets users select what data they want to get. So if you're just interested in the camera roll, which includes all photos and videos stored on the phone, you can do that. From here, it's as simple as downloading the backup to a designated folder. Many iCloud rippers tend to use Google Drive and Dropbox as the destination folder for these rips, because it makes it easier to share the stuff with others.

Then, any number of iPhone backup viewer utilities can be used to access the data in an easy-to-use manner. The cost of this exercise? It also shouldn't be surprising that cracked copies of Elcomsoft's tools are available all over the web, though I imagine the success rate with those copies has probably declined as the software has gained more public attention.

Even though my iCloud password was purposefully chosen to be easy to crack, I want to make one thing clear: I had two-factor verification turned on on this account. As we've mentioned before, Apple's two-factor implementation does not protect your data, it only protects your payment information. Yes, if you have two-factor authentication enabled, the password reset process for an account can be greatly impeded (you need to provide a special one-off key before you can reset a password), but assuming someone can get your password anyway using any number of phishing or remote-access methods, two-factor verification is absolutely not required for accessing an iCloud backup.

To me, this is an insanely huge hole in Apple's security systems. And this isn't a new revelation. The Elcomsoft team has even given security presentations on this flaw. What makes this even worse is that Apple is encouraging users to use "strong passwords and two-step verification."

If someone can get physical or remote access to a computer that uses iCloud or successfully convince a user to click on a phishing email for iTunes and get a password, an iCloud backup can be downloaded remotely, two-factor verification or not.
