An unknown hacking group is attempting to extract a $75,000 ransom from Apple, threatening to remotely wipe millions of devices using stolen account credentials unless the technology giant pays up by April 7. But there are doubts over the claims.
The Turkish Crime Family, which apparently created a Twitter account in the past few days, claims it holds more than 627 million credentials for iCloud accounts. iCloud is Apple's backup and device management service, which can remotely delete data from a lost iPhone.
It's possible that the group has obtained some valid iCloud credentials. But discrepancies in Turkish Crime Family's claims and the ham-fisted way it has promoted its claims has led to suspicions.
Apple did not have an immediate comment. The company tends to be reserved about commenting on security issues unless a verified risk emerges. Attempts to reach the Turkish Crime Family were not immediately successful.
Several red flags suggest the Turkish Crime Family's claims are more puffery than threat. Group members communicated with Vice's Motherboard, saying initially it held 300 million iCloud credentials, then revised the figure to 559 million accounts. Later, it claimed to have 627 million accounts.
On Wednesday, the Turkish Crime Family tweeted: "200 Million iCloud accounts will be factory reset on April 7, 2017."
"The inconsistency in the numbers claims isn't doing them any favors," says Troy Hunt, an Australian data breach expert. "It sheds doubt on their accuracy."
It's not uncommon for underground data traders to claim they've compromised a large number of accounts for major services. But many of the claims turn out to be repackaged leaks of credentials from different services. Due to the shady way data is traded, it often takes diligent investigation to determine whether a claim breach is real or merely recycled information.
PC World reported a video was published on YouTube showing access to some iCloud accounts. Usernames and passwords were in plain text, and the passwords were weak ones.
"Looks like they've demonstrated access to a very small number of accounts, which isn't surprising; but it's a world away from owning a couple of hundred million," Hunt says.
The group is demanding $75,000 in bitcoin or ethereum, both virtual currencies. It told Motherboard it would alternatively accepted $100,000 worth of iTunes gift cards.
If the Turkish Crime Family does possess what it claims to have, Hunt says it has vastly undervalued the data.
"Hundreds of millions of accounts would be worth way more than $75k," he says. "They're effectively holding them for ransom, and when we're talking about one of the most valuable companies in the world, $75k is almost pointless money."
Paul Calatayud, CTO of the security vendor Firemon, notes that if the credentials could unlock the accounts of celebrities - as what happened in 2014 - there's potential for more lucrative extortion.
"The data in those credentials alone would be worth more value to them," Calatayud says. "There could be better extortion value out of that data than to disclose a vulnerability. That doesn't seem like it's worth the bounty."
Apple bolstered the security around iCloud accounts following a high-profile hacking escapade in 2014 that stole nude photos from several celebrities, including Jennifer Lawrence and Kirsten Dunst.
Although Apple was not directly at fault, the incidents caused a public relations crisis that prompted worries over data security. iCloud account credentials were captured through very targeted attacks, either via phishing or guessing usernames and passwords. Accounts may have also been accessed by using the account recovery feature and guessing the answers to security questions.
Soon after, Apple implemented two-factor verification for iCloud accounts. After a username and password is entered, a four-digit numerical passcode is sent via SMS. The code is required for changes to Apple ID account information, signing into iCloud or purchasing goods from the company's store.
It later implemented two-factor authentication for log-ins from new devices. A six-digit code is sent to other registered devices or to a person's mobile phone. The feature is available to those running at least iOS 9 or El Capitan on the desktop.