iCloud extortion racket nowhere near as epic as we thought it might be

A threat to wipe millions of supposedly compromised iCloud accounts and iPhones has yet to materialise. A security expert who has analysed samples of compromised data has concluded that the threat – such as it is – only exposes a small number of accounts to potential credential-stuffing attacks.

The self-styled Turkish Crime Family – the group behind the supposed pwnage – have withdrawn into silence save for a enigmatic tweet from an affiliated account threatening something might go down at 2030 BST tonight. Requests by El Reg to coax a hint of what that might be have been met with silence so far.

The group emerged last month claiming to have gained access to 300 million iCloud and Apple email accounts, threatening to delete account contents and remotely wipe Apple devices unless Apple paid a ransom. Little by way of proof was disclosed publicly to substantiate these claims. The hackers later put it about that they were planning to offer a IMEI and appleid lookup service based on the compromised data, charging $10 a pop.

Troy Hunt – the Microsoft security researcher behind haveibeenpwned.com (HIBP) – has analysed a sample of 69,000 compromised records via security reporter Zack Whittaker. Eliminating duplicates brings the list down to 53,000.

More than 98 per cent of the email addresses had featured in earlier data breaches loaded into HIBP, implying that the data set had come from existing breaches.

77 per cent of the unique email addresses in the Apple data came from the Evony breach. A further 3,243 email addresses not already found in the Evony data matched perfectly to accounts in the Last.FM breach. The chances of this happening from a random sample taken from hundreds of millions of breached records is minute, allowing Hunt to infer that the supposed multi-million record compromise is nothing of the sort.

"The list of Apple accounts is not hundreds of millions, it is instead less than 53k and it's compromised predominantly of accounts from the Evony data breach and a small handful of others," Hunt concludes in a blog post.

Rather than hundreds of millions of Apple accounts being reset and iPhones wiped today, it's those from a sample of 53,000 records who have reused previously compromised passwords with their iCloud account who are at risk, and even then only if they haven't changed their Apple login credentials recently.

"Now, that's not to say there's no risk at hand here, but rather that the risk is no different to the one we're faced after every data breach: a bunch of people have reused their passwords and they're now going to have other accounts pwned as a result," Hunt explained. ®