Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments
Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.
With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.
Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing.
2-factor authentication not required to access Find My iPhone and a user's list of devices.
Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device.
The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.
Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
It's easy to lock a Mac with a passcode in Find My iPhone if you have someone's Apple ID and password.
To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.
Users who have had their Macs locked will need to get in contact with Apple Support for assistance with removing the Find My iPhone lock.
(Thanks, Eli!)
With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.
Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing.
Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device.
Y'all my MacBook been locked and hacked. Someone help me @apple @AppleSupport pic.twitter.com/BE110TMgSv
— Jovan (@bunandsomesauce) September 16, 2017
The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.
Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.
So a hacker gained access to my iCloud account (despite two-factor authorization) while I was asleep this morning.
— Jason Caffoe (@jcaffoe) September 20, 2017
Users who have had their Macs locked will need to get in contact with Apple Support for assistance with removing the Find My iPhone lock.
(Thanks, Eli!)
Tags: hack, Find My iPhone
[ 211 comments ]
Top Rated Comments
(View all)
23 months ago
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.
23 months ago
Nice job MR. I only emailed them about this 4 weeks ago and asked that they run a story to inform people that this was going on.
I also emailed Apple about the issue with a simple suggestion. What they need to do is to require the device password when you try to lock a device from Find My iPhone on the web. When you go to remote lock a device you enter a lock passcode and the device's password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn't match, it won't lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can't lock the device without the Mac's login.
I also emailed Apple about the issue with a simple suggestion. What they need to do is to require the device password when you try to lock a device from Find My iPhone on the web. When you go to remote lock a device you enter a lock passcode and the device's password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn't match, it won't lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can't lock the device without the Mac's login.
23 months ago
Yup, this happened to me back in June when I installed beta 1 of MacOS High Sierra. Frustrating and embarrassing when your an IT engineer and your own device gets hacked! Had to bring it to Apple and provide proof of ownership before they would remove the lock.
I had 2 factor enabled, saw that someone was trying to access my account, denied them, and still had my account locked.
And always use 2Factor. I don’t buy the second tweet about someone getting hacked with having 2FA enabled. Even if they could guess your password and the security code, your trusted device would still get a notification and you could block access.
I had 2 factor enabled, saw that someone was trying to access my account, denied them, and still had my account locked.
23 months ago
MacRumors, why are you recommending two-factor authentication if you then go onto say you can access Find My iPhone without needing 2FA??
Here's a better recommendation: turn off Find My Mac until Apple correct course and Find My iPhone requires 2FA.
Here's a better recommendation: turn off Find My Mac until Apple correct course and Find My iPhone requires 2FA.
23 months ago
Macurmors quote:
"Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details."
And this is exactly why I reconfigure all my passwords for my accounts on a regular basis. Stagnancy can be part of the problem.
"Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details."
And this is exactly why I reconfigure all my passwords for my accounts on a regular basis. Stagnancy can be part of the problem.
23 months ago
And always use 2Factor. I don’t buy the second tweet about someone getting hacked with having 2FA enabled. Even if they could guess your password and the security code, your trusted device would still get a notification and you could block access.
You can access Find my iPhone without needing 2FA authorization. Try it, go to iCloud.com, deny the 2FA request after entering username/password, then click on Find my iPhone at the bottom. This is what happened to these folks.
An easy solution would be if your account has multiple trusted devices, to require 2FA even when accessing FMI, since it would be highly unlikely you would lose access to all of your trusted devices at once.
To edit, you can actually access a good bit of things even without the 2FA authorization. You can remove Apple Pay cards and other devices from your iCloud account. I really think Apple needs to reconsider this ability.
23 months ago
This isn't fun, but could have been avoided if the password wasn't simple or had two factor authentication (preferably both).
Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on
.....
23 months ago
I liked how he said "y'all"
"y'all come back now ! yah hear?!"
Probably from Texas, where my son & his family live. Used a lot there, even in urbane Houston and Austin. Don't make fun.
23 months ago
I wouldn’t not use 2FA because of this. I would simply update my password to something MEGA complex, that isn’t used with another service you use or have access to. While I doubt mine was part of any leak, I took the precaution to update my Password when I saw this article.
Then..
Wait for Apple to produce a fix for this (quite bad) loophole.
Hopefully they will enable people to shut off the web portal, especially for those of us with multiple trusted devices.
Then..
Wait for Apple to produce a fix for this (quite bad) loophole.
Hopefully they will enable people to shut off the web portal, especially for those of us with multiple trusted devices.
[ Read All Comments ]
Apple released a public beta of iPadOS for compatible iPad models, enabling users who aren't signed up for the Apple Developer Program to test the software update ahead of its official release in...
Apple today updated its line of iWork apps for iOS and macOS, bringing new features to Pages, Keynote, and Numbers on both iOS devices and Macs.
All of the apps have a new feature designed to...
In a new support document, Apple has indicated that the first public beta release of macOS Catalina does not support switching between multiple iTunes libraries. This also applies to the first two...
Twelve South today announced its latest HiRise accessory, called the "HiRise Wireless," and it's available to purchase now on Twelve South's website. The new accessory is a...
OWC, a well-known maker of storage solutions for Macs and PCs, today debuted what it says is "the fastest USB-C SSD ever."
The new OWC Envoy Pro EX with USB-C is a bus-powered NVMe...
Apple accessory maker Mophie today debuted a three-in-one portable battery pack, wall charger, and wireless charging pad.
The new Powerstation Hub is equipped with a 6,100mAh battery, one 5W...
Encrypted messaging platform Telegram has pushed out an update that introduces a number of new location-based features, including the ability to Add People Nearby.
Users of the chat app can open...
Apple has released the first public beta of macOS Catalina, the next major version of its Mac operating system due to launch in the fall. The availability of the public beta means Mac users don't...
