While the available evidence suggests that hackers have not gained direct access to more than 600 million iCloud accounts, some of the sample login credentials supplied by the group have been found to be valid. ZDNet, for example, used Apple’s password reset function to test 54 logins supplied by the hackers, and found that all of them worked.
Apple has said that there have been no breaches of its own systems, and that the credentials likely came from ‘previously compromised third-party services.’ Most of the account owners contacted by ZDNet lent weight to this claim …
We also asked if their accounts were used on other services, to potentially verify if another site had been compromised. Most of the people we spoke to confirmed that they used their iCloud email address and password on other sites, such as Facebook and Twitter.
Three of those contacted did claim their credentials had not been used on any other site, though there is of course no way to know whether they were reluctant to admit it or had simply forgotten other uses of the same password.
The incident does, however, underline the five steps all iCloud users should take to protect their accounts.
Change your password
If you have even the slightest suspicion that you may have used the same password on any other website, change it. This is especially likely if you have used the same iCloud login for many years, when the risks of reusing the same credentials on multiple sites were not as widely understood.
Ensure two-factor authentication is active
If you don’t already have two-factor authentication active on your iCloud account, this should be a priority. This means that nobody will be able to access your account from an unknown device even if they have your login.
When you or anyone else tries to access iCloud from a new device for the first time, Apple will send a verification code to one of your existing devices, and you need to enter this code to enable access.
Follow Apple’s instructions for setting this up – and read on before you log out.
If you think you already have 2FA active, double-check it isn’t two-step verification
You may think you already have two-factor authentication enabled when you are in fact using the older, and less secure, two-step verification system.
You can check this by signing in to your Apple ID and checking what it says in the Security section. If it says ‘Two-step verification,’ follow Apple’s instructions to switch this off and turn on two-factor authentication. If it says ‘Two-factor authentication,’ you’re good.
Check your logged-in devices
While you’re logged into the Apple ID site, scroll down to Devices to see which devices are currently signed in to your account. Make sure you recognize all of these.
Use a password manager
Using a strong, unique password for every website you use just isn’t feasible if you need to remember those passwords yourself. The only realistic way to do this is to use a password manager.
Safari has a built-in password management feature, which is good enough to do the job if you use Safari on all of your devices, but standalone ones do offer additional features. We can recommend 1Password and LastPass. Check out our recent guide on password managers.
Of course, while we’re discussing iCloud specifically here, the same general advice applies to other accounts and websites: ensure you are using a strong, unique password on each. If you reuse passwords, it is a question of when – not if – you fall victim to a hack.