Australian iPhone Hack Reminds Us Why We Need to Ditch Passwords

Australian Apple users have received a harsh reminder that computer passwords provide only a thin layer of protection on the internet.
Photo: Christina Bonnington/WIRED



On Tuesday, people across the country awoke to find their iPhones, iPads, and Macintoshes locked behind an ominous message: "Device hacked by Oleg Pliss." The message also told users that if they wanted their devices unlocked, they should send money via PayPal to the hacker's email address, the Sydney Morning Herald reports.

Users who had set PINs as well as passwords were apparently able to unlock the devices, but those without PINs are seeking Apple's help to regain access. Apple didn't respond to our request for comment, but this appears to be an abuse of Find My iPhone, the feature of Apple's iCloud service that lets users lock a lost or stolen device remotely from iCloud.com or the Find My iPhone app. Its Lost Mode locks the device with the passcode already set on it or, if none is set, with a passcode chosen by whoever triggers the lock, and shows a message on the lock screen. That is why owners who already had a PIN could simply unlock their screens, while those without one were locked out by a code only the attacker knows. Anyone who can sign in to a victim's iCloud account can do the same, so the question is how the attacker got the passwords.

In the Herald story, security expert Troy Hunt speculates that the hacker used passwords leaked by other companies but also used by iCloud customers. Given that the hack seems to affect only a small number of Apple customers, this explanation makes sense, but many users on Apple's support forum claim that they had not reused any passwords so far as they could remember. Few, if any, commonalities between users--apart from being Australian--have been identified.

Earlier this month, anonymous hackers claimed to have found a way to unlock lost or stolen devices by bypassing iCloud, Cult of Mac reported, but it's not clear whether the same technique could also be used to remotely lock someone else's device. It's also possible that iCloud passwords were captured by some sort of malware on the victims' computers. The vast majority of the victims on the support forum are in Australia, but there has been at least one report each from the U.S., the U.K. and New Zealand.

Whatever the case, the incident underscores not only the need for users to be vigilant about using unique passwords, but for the technology industry to move beyond passwords. This has already started to happen at companies like Google and Apple, but clearly, we must go even further.

How Did This Happen?

Password leaks are now a common occurrence. Just last week, eBay revealed that a data breach had exposed a database holding the encrypted passwords and personal information of some 145 million customers, and many other big-name companies, such as Adobe and Yahoo, have also had passwords exposed by hackers. Stored passwords are usually hashed or encrypted rather than kept in the clear, but that only slows attackers down: with the database in hand they can test guesses offline at their leisure, and short or common passwords fall quickly. In short, there are a lot of passwords floating around the web. And if yours is one of them--and you've used that same password for multiple accounts--it would be relatively easy for a criminal to take the leaked credentials and try them against every other service you use.

To make matters worse, hackers can so easily lift passwords by targeting individuals. In 2012, Wired's own Mat Honan had his online life turned upside down after hackers duped Apple into resetting his AppleID password. They were then able to reset his Gmail password via his Apple account. And once they had access to his e-mail account, everything else was up for grabs. They even remotely wiped his iPhone and iPad to make it harder for him to reset his passwords and reclaim his Twitter account.

Although Apple has since changed its password reset policy, the event was still an eye-opening experience for Honan, who realized just how frail even the strongest of passwords really are. And don't even get us started on how easy it is to trick people into handing their password to strangers, a problem so common that the hackers who gather for the annual DEF CON security conference hold a social-engineering competition dedicated to it.

Batten Down the Hatches

That doesn't mean there's nothing you can do to make your accounts harder to hijack. In addition to setting a passcode (or fingerprint authentication) on the device itself, which is what let some of this week's victims simply unlock their screens, Apple users can enable what's called two-step verification on their Apple IDs. With it turned on, a login requires, in addition to your username and password, either a four-digit verification code sent to one of your trusted devices or a 14-character recovery key that you are given when you set it up, for use if you lose the device. Be aware of what it covers, though: at the time of writing, Apple's two-step verification protects changes to the Apple ID account and purchases from new devices, not sign-in to iCloud.com or Find My iPhone, so on its own it would not have stopped an attacker who already had a victim's iCloud password.
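To make the scheme concrete, here is an added example, written for this article rather than taken from Apple, of a toy two-step login in Python: the password is checked first, then a short code that would be delivered to a trusted device, with a long recovery key as the fallback second factor. The account, function and constant names are hypothetical and the sample credentials are constructed. The parts worth noting are the ones a four-digit code forces on you: the code expires quickly, only a handful of guesses are allowed before the login must start over from the password step, and every secret is stored hashed and compared in constant time.

```python
"""Toy two-step login: password, then a short one-time code delivered out
of band, with a long recovery key as the fallback second factor.
Hypothetical example written for this article; it is not Apple's code and
does not describe how iCloud implements two-step verification."""
import hashlib
import hmac
import secrets
import string
import time

CODE_DIGITS = 4            # a short code is only safe if it is short-lived and rate-limited
CODE_TTL_SECONDS = 300
MAX_CODE_ATTEMPTS = 5      # 5 guesses out of 10,000 possibilities per password-authenticated login
RECOVERY_KEY_LENGTH = 14
_KEY_ALPHABET = string.ascii_uppercase + string.digits


def _hash_secret(value: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not yield passwords or keys cheaply.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def _normalize_key(key: str) -> str:
    # Treat "abcd-efgh-ijkl-mn" and "ABCDEFGHIJKLMN" as the same key.
    return key.replace("-", "").replace(" ", "").upper()


def make_recovery_key() -> str:
    # 14 characters from a 36-symbol alphabet: far beyond online guessing.
    return "".join(secrets.choice(_KEY_ALPHABET) for _ in range(RECOVERY_KEY_LENGTH))


class Account:
    def __init__(self, password: str, recovery_key: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_secret(password, self.salt)
        self.recovery_hash = _hash_secret(_normalize_key(recovery_key), self.salt)
        self.pending = None  # set only after the password step has passed


def start_login(account: Account, password: str, now: float = None):
    """Step one. Returns the one-time code to send to a trusted device, or None."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(account.password_hash, _hash_secret(password, account.salt)):
        return None
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.pending = {"code": code, "expires": now + CODE_TTL_SECONDS,
                       "attempts_left": MAX_CODE_ATTEMPTS}
    return code  # deliver out of band; never echo it to the client that sent the password


def finish_login(account: Account, code: str = None, recovery_key: str = None,
                 now: float = None) -> bool:
    """Step two. Accepts the delivered code or, if the device is gone, the recovery key."""
    now = time.time() if now is None else now
    pending = account.pending
    if pending is None:
        return False  # password step not passed, or its code already consumed
    if now > pending["expires"] or pending["attempts_left"] <= 0:
        account.pending = None  # stale or exhausted: start over from the password
        return False
    pending["attempts_left"] -= 1
    if recovery_key is not None:
        ok = hmac.compare_digest(account.recovery_hash,
                                 _hash_secret(_normalize_key(recovery_key), account.salt))
    else:
        ok = code is not None and hmac.compare_digest(pending["code"], code)
    if ok or pending["attempts_left"] == 0:
        account.pending = None  # success consumes the code; exhaustion forces a fresh login
    return ok


if __name__ == "__main__":
    acct = Account("correct horse battery staple", make_recovery_key())
    delivered = start_login(acct, "correct horse battery staple")
    print("second-factor accepted:", finish_login(acct, code=delivered))
```

The attempt budget is tied to a single password-authenticated session rather than to the account, so an attacker who only has the password gets five guesses per login and must re-enter it each time, which is what makes a four-digit code tolerable; a real deployment would add per-account and per-IP limits on the password step as well.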

Many other companies offer similar two-factor schemes, and it's a good idea to enable two-factor authentication wherever you can, including Gmail, Facebook and Twitter. The other thing you can do is use a unique password for every site. That may sound like a pain, but tools like KeePass and LastPass make it easy to manage huge numbers of unique, non-human-memorable passwords, so a leak at one site can't be replayed against the others. Ultimately, we need security to evolve past passwords. But in the meantime, we'll all have to keep working with what we've got.