
eladnova

macrumors regular
Original poster
Aug 31, 2012
124
9
Hey all

Wife had an email today from Apple saying her security questions had been updated.

Knowing that she hadn't actually done this, we assumed her Apple ID was hacked. I quickly changed the password but logging into her iTunes and purchases, the hacker had already run through $40 buying some Chinese sheep game and a load of in-app purchases for that App.

I had a few questions on this one.

Question 1:
My wife is careful with her passwords and never writes them down or uses them on unsecured networks.
How likely is this that her account was compromised from the other side of the planet by some guessing or brute-forcing her account?

Question 2:
Logging into her iTunes account, I only see her 3 Apple devices she uses. If someone had her credentials, wouldn't another foreign device show up there?

Question 3:
If someone has hacked her Apple ID then presumably they can associate it with a device and download all her Apps, Email, Photos etc.
If she HASN'T received notice that there's a new device associated with her account - is it safe to say the hacker only bought an app and hasn't actually got widespread account access?

Thanks guys
 

tjwilliams25

macrumors 6502
Aug 10, 2014
316
60
Montana
What I would suggest you should do is turn on two-factor verification. That way, even if they know your password, they can't log in without one of your safe devices in front of them. This same thing happened to me a couple of years ago, however I didn't have them buy anything luckily. I've had two-factor verification on my account ever since and haven't had any issues to speak of. It is an extra step when logging into any devices, but I think it's definitely worth it.
 

glenthompson

macrumors demi-god
Apr 27, 2011
2,983
844
Virginia
Does she use the same password on other locations or some small variant? All passwords should be unique. If not, that's an easy way to get hacked when some other site gets breached. That's why a good password manager like 1Password is important.
 

Markoth

macrumors 6502
Oct 1, 2015
490
1,400
Behind You
glenthompson said:
> Does she use the same password on other locations or some small variant? All passwords should be unique. If not, that's an easy way to get hacked when some other site gets breached. That's why a good password manager like 1Password is important.

Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.
 

ApfelKuchen

macrumors 601
Aug 28, 2012
4,335
3,012
Between the coasts
eladnova said:
> Hey all
>
> Wife had an email today from Apple saying her security questions had been updated.
>
> Knowing that she hadn't actually done this, we assumed her Apple ID was hacked. I quickly changed the password but logging into her iTunes and purchases, the hacker had already run through $40 buying some Chinese sheep game and a load of in-app purchases for that App.
>
> I had a few questions on this one.
>
> Question 1:
> My wife is careful with her passwords and never writes them down or uses them on unsecured networks.
> How likely is this that her account was compromised from the other side of the planet by some guessing or brute-forcing her account?
>
> Question 2:
> Logging into her iTunes account, I only see her 3 Apple devices she uses. If someone had her credentials, wouldn't another foreign device show up there?
>
> Question 3:
> If someone has hacked her Apple ID then presumably they can associate it with a device and download all her Apps, Email, Photos etc.
> If she HASN'T received notice that there's a new device associated with her account - is it safe to say the hacker only bought an app and hasn't actually got widespread account access?
>
> Thanks guys

First, make sure that mail about security questions isn't a phishing attempt.

"Hacked" probably isn't the right term. There's almost always going to be a human factor. Brute-force attempts at passwords don't work well, as the password gets locked after about 5 unsuccessful tries. It seems more likely that they managed to obtain the password in a phishing attempt or other kind of human engineering, then needed to reset the security questions so they could make purchases on a new device.

The weakest link, when you have "standard" security, can turn out to be the email address associated with the Apple ID. That can be the key to resetting either password or security questions. If you have any doubts, change that email password, too.

Questions 2 & 3: Device could have been removed from the account after the purchases were made. Of the other data in the account, the thing I'd worry most about is Contacts - they can be grabbed in very short order and the account immediately signed out. Damage done, no need for prolonged/repeat access. Contacts provide the info necessary to make subsequent, convincing fraud attempts ("Hi, Grandma Sally, this is Jane. I just got arrested for speeding and need $1000 for bail..."). Sure, photos can also be valuable, but the less celebrity you have, the less value they're likely to have. They take longer to download, longer to analyze for potential value... maybe not worth the effort for a low-profile target.
Markoth said:
> Except that doing so puts all your passwords behind a single password, hence the name. Seems foolish to trust it. Eventually, someone's going to hack it.

Overall, the benefits outweigh the risk. It's not so much a matter of putting all those eggs into a single basket as it is putting them into a single vault. It makes it easier to use strong, random passwords for the other accounts. Memorizing one ultra-strong password (that is intentionally very different in form from any other password you use) is easier than memorizing dozens of other passwords - all too often, people end up using a system where most passwords are derived from an easy-to-memorize pattern. And in the end, if passwords are to be strong, memorization alone is inadequate. Somewhere, somehow they need to be documented, and that documentation needs to be password protected (and preferably, encrypted).

The question is, how does someone hack a password keeper? In my case, they'd need physical possession of one of my devices - they'd need to get past my device's passcode or login password, then get past the app password. I don't use cloud for syncing the devices (in part because I'm too cheap to pay for the cloud subscription, in part because it does reduce the vectors of attack).
 

Fishrrman

macrumors Penryn
Feb 20, 2009
29,279
13,378
Macintouch.com has reported some phishing attempts lately regarding Apple ID, etc.
 

Markoth

macrumors 6502
Oct 1, 2015
490
1,400
Behind You
> You keep storing your 500 unique strong 32 to 50 character long passwords in plain text files then :)

Storing it in an encrypted database locally is far safer, if you know what you're doing. I suppose 1Password is fine for most people though.
 

Floris

macrumors 68020
Sep 7, 2007
2,382
1,478
Netherlands
Markoth said:
> Storing it in an encrypted database locally is far safer, if you know what you're doing. I suppose 1Password is fine for most people though.

I use 1Password, it actually does exactly that. Storing it locally in an encrypted database.

The argument was that a single password isn't safe, well .. what's the alternative?
What's the difference between me storing it in 1Password - and you storing it in an encrypted database?
 

Markoth

macrumors 6502
Oct 1, 2015
490
1,400
Behind You
Floris said:
> I use 1Password, it actually does exactly that. Storing it locally in an encrypted database.
>
> The argument was that a single password isn't safe, well .. what's the alternative?
> What's the difference between me storing it in 1Password - and you storing it in an encrypted database?

It also stores it in the cloud, where anyone could potentially access it, and probably will some day. Hence, my point.
 