Apple: iCloud Wasn’t Compromised in iPhone Ransom Attack

| News

Following news that some iPhone owners in Australia were locked out of their smartphone and presented with a demand for a ransom, Apple has said its iCloud servers weren't hacked. The ransom attack, called Oleg Pliss, demanded US$100 from victims and raised questions about how the attackers gained the necessary passwords to lock users out of their iPhones and iPads.

Apple: iCloud servers weren't hacked in Oleg Pliss ransom attackApple: iCloud servers weren't hacked in Oleg Pliss ransom attack

In a statement to ZDNet, Apple said,

Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.

The assumption earlier this week was that victims used the same password for more than one website, and their personal information was taken in a data breach on a different server -- possibly when eBay was hacked several weeks ago.

Details that could help uravel the mystery haven't been found yet. Apple's own users is hoping to change that quickly and have taken to the company's online forums to share information that could eventually uncover common elements that lead back to the attackers.

For now, changing your iCloud password is a prudent move in case the people behind the ransom threats have a larger database with more potential victims to exploit.

The Mac Observer Spin The Mac Observer Spin is how we show you what our authors think about a news story at quick glance. Read More →

It's good to know Apple's own servers weren't compromised, and it's a great reminder as to why reusing passwords is a bad idea.

Popular TMO Stories



It is VERY interesting that the breach seems to be confined to Australia.

As others have said, and Apple has now confirmed, that rules out a breach of Apple’s servers. So, if not that, then what ??


“So, if not that, then what ??”

Apple/Mobile dealers/stores in Australia who set up the phones in the first place?


It was not confined to Australia - it was just first noticed by Australian users.

It has been mentioned in several places what the problem was…

- A hacker broke into some server and got access to account info and passwords.
- Noticed there were accounts with email addresses.
- Went to, used the iCloud email address as the account name and then used the same password they found on the server.
- If he was able to log in, he then attempted to lock the device using the “Find my iPhone” feature.

If that iCloud user also failed to have a passcode already set on the device, then the hacker was able to set the passcode, thus locking the user out of their own device.

This is completely out of Apple’s reach to control this type of abuse. In this scenario the user decided not to use iOs’s built-in security model AND they used their iCloud credentials for another less secure account somewhere else on the internet.


The possibility of a breach being at an Apple Store or dealer store is interesting. Apple does provide open WiFi in its stores and maybe the eavesdropping occurred there? OTOH, people in very different parts of Australia were affected and the likelihood is low that they all visited a single store.

mjtomlin’s suggestion of reuse of credentials taken in a different breach explains what happened, but only if the breach was in Australia (all the reports I’ve seen say that affected users were either in Australia, or were Australians overseas).

Still unexplained, however, are one (or maybe two) instances where an iDevice was locked a second time, after the iCloud account password had been changed to a new, strong one.

Lee Dronick

Our local TV news is reporting the story as if a lot of iPhones in Australia have been affected, we do not yet know the true number. Furthermore they are reporting that it happended after iCloud accounts had been hacked.


Has anyone followed the money? What method of payment is demanded?


>Has anyone followed the money?
>What method of payment is demanded?

Reports I read in the Apple boards said that it was for $100 / €100 via one of the anonymous payment mechanisms. And details were to be handled through a gmail email address. So, no real way to track (no surprise).


No real way to track a Gmail address? Maybe not for the average Joe, but have you heard of PRISM? (Assuming this were the sort of problem the NSA actually cared about.) If this becomes a big enough problem, some above-average Joe will follow the money.

Lee Dronick

  No real way to track a Gmail address? Maybe not for the average Joe, but have you heard of PRISM? (Assuming this were the sort of problem the NSA actually cared about.) If this becomes a big enough problem, some above-average Joe will follow the money.

Or the sort of problem that Apple, and other businesses, care about.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account