Hackers promised an iCloud apocalypse — but probably can’t deliver

When the Turkish Crime Family first broke into the news last week, they sounded like a crisis in the making. The group claimed to have stolen a massive trove of iCloud credentials — first more than 300 million, then as many as 559 million — and unless they got $75,000 from the company before April 7th, they would start remotely wiping phones. Apple responded with a limited denial, stating that company servers hadn’t been breached, but allowing for the possibility that the credentials had been obtained some other way. As journalists began to confirm smaller sets of profiles released by the group, it gave Apple users plenty of reason to be nervous. Were we headed toward some kind of mass iCloud hack?

Now, those threats are starting to unravel. Today, ZDNet examined the largest account drop yet — just under 70,000 login / password pairs — and found that 99.9 percent of the pairs matched accounts already included in a database of previous leaks. In short, the Turkish Crime Family was working from recycled public data. At the same time, Motherboard obtained documents showing the group using the data for a quick cash out, asking for $3,000 from the breach notification site Leakbase in exchange for bringing good publicity to the service.

It’s a confusing turn in an already confusing story, but the upshot should be reassuring to Apple users. If the database really is built from public credentials, it’s likely to be far smaller and far less damaging than the group initially promised. You should still change your iCloud password and set up two-factor verification — both of which are worthwhile regardless — but it’s looking less and less likely that you’ll need to. So far, the group seems to be more interested in securing a quick payout than causing havoc, which makes it far more likely that the April 7th deadline will come and go uneventfully.

To understand why the Turkish Crime Family threat isn’t so frightening, we’ll need to get a little more technical. The group seems to have pulled off a credential-stuffing attack, taking login / password pairs from a public leak and testing them against separate services. Out of the 117 million logins in the 2012 LinkedIn breach, for instance, one might find tens of thousands of logins that also worked for iCloud, simply because users kept the same password for both services.
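Seen from the defending side, that kind of attack leaves a recognizable trace in authentication logs: one source working through many different usernames with mostly failed attempts, quite unlike a single user retrying a forgotten password. The following is an added example, not code from the article or from Apple; the log format, the thresholds and the 203.0.113.x / 198.51.100.x source addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, format "<epoch> <src_ip> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
1490000000 203.0.113.7 alice@example.com FAIL
1490000001 203.0.113.7 bob@example.com FAIL
1490000002 203.0.113.7 carol@example.com SUCCESS
1490000003 203.0.113.7 dave@example.com FAIL
1490000004 203.0.113.7 erin@example.com FAIL
1490000005 203.0.113.7 frank@example.com FAIL
1490000010 198.51.100.2 alice@example.com FAIL
1490000020 198.51.100.2 alice@example.com SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts the source got into

def parse_log(text):
    """Aggregate attempts per source IP; malformed lines are skipped, not fatal."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        s = stats[ip]
        s.attempts += 1
        s.users.add(user.lower())
        if result == "SUCCESS":
            s.successes.add(user.lower())
        else:
            s.failures += 1
    return stats

def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fail_ratio)} for sources that tried many
    different accounts and mostly failed: the signature of recycled credentials."""
    return {ip: (len(s.users), round(s.failures / s.attempts, 2))
            for ip, s in stats.items()
            if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio}

def accounts_to_reset(stats, flagged):
    """Accounts a flagged source logged into reused a leaked password: force a reset."""
    return sorted(u for ip in flagged for u in stats[ip].successes)
```

On the sample, only 203.0.113.7 is flagged (6 accounts, 83 percent failures), and carol@example.com is the one account whose reused password actually worked, which is exactly the user the article's advice about changing the password and enabling two-factor verification is aimed at.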