Apple ID hacked

[eladnova]

Hey all

wife had an email today from Apple saying her security questions had been updated.

Knowing that she hadn't actually done this, we assumed her Apple ID was hacked.I quickly changed the password but logging into her iTunes and purchases, the hacker had already run through 40$ buying some Chinese sheep game and a load of in-app purchases for that App.

I had a few questions on this one.

Question 1:
My wife is careful with her passwords and never writes them down or uses them on unsecured networks.
How likely is this that her account was compromised from the other side of the planet by some guessing or brute-forcing her account?

Question 2:
Logging into her iTunes account, I only see her 3 Apple devices she uses. If someone had her credentials, wouldn't another foreign device show up there?

Question 3:
If someone has hacked her Apple ID then presumably they can associate it with a device and download all her Apps, Email, Photos etc
If she HASN"T recieved notice that there's a new device associated with her account - is it safe to say the hacker only bought an app and hasn't actually widespread account access?

Thanks guys

 

[tjwilliams25]

What I would suggest you should do is turn on two-factor verification. That way, even if they know your password, they can't log in without one of your safe devices in front of them. This same thing happened to me a couple of years ago, however I didn't have them buy anything luckily. I've had two-factor verification on my account ever since and haven't had any issues to speak of. It is an extra step when logging into any devices, but I think it's definitely worth it.

 

[glenthompson]

Does she use the same password on other locations or some small variant? All passwords should be unique. If not that's an easy way to get hacked when some other site gets breached. That's why a good password manager like 1Password is important.

 

[Markoth]

Does she use the same password on other locations or some small variant? All passwords should be unique. If not that's an easy way to get hacked when some other site gets breached. That's why a good password manager like 1Password is important.

Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.

 

[Floris]

Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.

You keep storing your 500 unique strong 32 to 50 character long passwords in plain text files then

 

[ApfelKuchen]

Hey all

wife had an email today from Apple saying her security questions had been updated.

Knowing that she hadn't actually done this, we assumed her Apple ID was hacked.I quickly changed the password but logging into her iTunes and purchases, the hacker had already run through 40$ buying some Chinese sheep game and a load of in-app purchases for that App.

I had a few questions on this one.

Question 1:
My wife is careful with her passwords and never writes them down or uses them on unsecured networks.
How likely is this that her account was compromised from the other side of the planet by some guessing or brute-forcing her account?

Question 2:
Logging into her iTunes account, I only see her 3 Apple devices she uses. If someone had her credentials, wouldn't another foreign device show up there?

Question 3:
If someone has hacked her Apple ID then presumably they can associate it with a device and download all her Apps, Email, Photos etc
If she HASN"T recieved notice that there's a new device associated with her account - is it safe to say the hacker only bought an app and hasn't actually widespread account access?

Thanks guys

First, make sure that mail about security questions isn't a phishing attempt.

"Hacked" probably isn't the right term. There's almost always going to be a human factor. Brute-force attempts at passwords don't work well, as the password gets locked after about 5 unsuccessful tries. It seems more likely that they managed to obtain the password in a phishing attempt or other kind of human engineering, then needed to reset the security questions so they could make purchases on a new device.

The weakest link, when you have "standard" security can turn out to be the email address associated with the Apple ID. That can be the key to resetting either password or security questions. If you have any doubts, change that email password, too.

Questions 2 & 3: Device could have been removed from the account after the purchases were made. Of the other data in the account, the thing I'd worry most about Contacts - they can be grabbed in very short order and the account immediately signed out. Damage done, no need for prolonged/repeat access. Contacts provide the info necessary to make subsequent, convincing fraud attempts ("Hi, Grandma Sally, this is Jane. I just got arrested for speeding and need $1000 for bail..."). Sure, photos can also be valuable, but the less celebrity you have, the less value they're likely to have. They take longer to download, longer to analyze for potential value... maybe not worth the effort for a low-profile target.
[doublepost=1490257482][/doublepost]

Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.

Overall, the benefits outweigh the risk. It's not so much a matter of putting all those eggs into a single basket as it is putting them into a single vault. It makes it easier to use strong, random passwords for the other accounts. Memorizing one ultra-strong password (that is intentionally very different in form from any other password you use) is easier than memorizing dozens of other passwords - all too often, people end up using a system where most passwords are derived from an easy-to-memorize pattern. And in the end, if passwords are to be strong, memorization alone is inadequate. Somewhere, somehow they need to be documented, and that documentation needs to be password protected (and preferably, encrypted).

The question is, how does someone hack a password keeper? In my case, they'd need physical possession of one of my devices - they'd need to get past my device's passcode or login password, then get past the app password. I don't use cloud for syncing the devices (in part because I'm too cheap to pay for the cloud subscription, in part because it does reduce the vectors of attack).

 

[Fishrrman]

Macintouch.com has reported some phishing attempts lately regarding Apple ID, etc.

 

[Markoth]

You keep storing your 500 unique strong 32 to 50 character long passwords in plain text files then

Storing it in an encrypted database locally is far safer, if you know what you're doing. I suppose 1Password is fine for most people though.

 

[Floris]

Storing it in an encrypted database locally is far safer, if you know what you're doing. I suppose 1Password is fine for most people though.

I use 1Password, it actually does exactly that. Storing it locally in an encrypted database.

The argument was that a single password isn't safe, well .. what's the alternative?
What's the difference between me storing it in 1Password - and you storing it in an encrypted database?

 

[Markoth]

I use 1Password, it actually does exactly that. Storing it locally in an encrypted database.

The argument was that a single password isn't safe, well .. what's the alternative?
What's the difference between me storing it in 1Password - and you storing it in an encrypted database?

It also stores it in the cloud, where anyone could potentially access it, and probably will some day. Hence, my point.

 

[Floris]

It also stores it in the cloud, where anyone could potentially access it, and probably will some day. Hence, my point.

1Password used to be stand alone. And still is. The 'use their .com' subscription model is different, and optional.