Hacker Who Tried to Blackmail Apple by Threatening to Delete 319 Million iCloud Accounts Gets Two-Year Sentence

Image: Darkweb hacker holding iPhone. Credit: Tero Vesalainen / Shutterstock

As one of the most valuable companies in the world, Apple is a popular target for hacking attempts of all kinds, so the company has to stay vigilant against a wide range of hackers, whose motives range from the notoriety of hacking the systems of one of the biggest companies in the world to identity theft or simply trying to extort a big payout.

It was this last motive that led a U.K. man to try and blackmail Apple by threatening to delete and expose hundreds of millions of iCloud accounts if Apple didn’t comply with his demands.

According to Britain’s National Crime Agency (NCA), Kerem Albayrak, a 22-year-old man from North London, demanded that Apple give him either $75,000 in crypto-currency or $100,000 in iTunes gift cards in exchange for deleting what he claimed was a massive database of iCloud accounts.

The report notes that Albayrak contacted Apple Security over two years ago, on March 12, 2017, claiming to have iCloud account details from his “internet buddies” that he was planning to sell online. Shortly after that, Albayrak uploaded a video to YouTube, showing him accessing two seemingly random iCloud accounts. He sent the link to Apple’s security team as well as several media outlets, and threatened to “factory reset every iCloud account in his possession.”

It seems there was one major flaw in Albayrak’s plan, however: the database of 319 million iCloud accounts that he thought he had wasn’t actually valid.

Apple’s Response

Naturally, Apple wasn’t about to give in to Albayrak’s demands, and instead contacted law enforcement officials in the U.K. and the U.S. Britain’s NCA led the U.K. side of the investigation, and it clearly didn’t take long to track down Albayrak: he was arrested at his home address only a week later, on March 28, 2017, by the NCA’s National Cyber Crime Unit, which also seized all of his devices.

It also seems that Apple already knew that Albayrak’s threats had no teeth, since it could readily see that there were no signs of a network compromise in its highly secure systems that would have allowed this data to be stolen. Instead, what the NCA found on Albayrak’s hard drives was a database of accounts from a variety of previously compromised third-party services, most of which were inactive. Some were found to match existing iCloud accounts, most likely because those accounts used the same passwords across multiple services.

These lists, which frequently circulate on the dark web, are relatively easy to obtain, but the information in them is usually stale, as the compromised services are almost always aware of the data breaches and take steps to notify their users and force password changes. Sites like Have I Been Pwned? also serve to help users discover where their accounts may have been compromised.

While there have been some pretty serious data breaches against well-known companies and services such as Adobe, Disqus, Dropbox, LinkedIn, and Tumblr, Apple itself has never been the victim of a data breach like this. Although many hackers have tried, Apple takes its security and user privacy extremely seriously, and as a result its systems are very well-protected.

Unfortunately, Apple can only do so much to protect your iCloud account, and if you use your iCloud password for other services, hackers can easily take the credentials found in a database stolen from one of those companies, like Adobe or Dropbox, and try them against your iCloud account to see if they work. This is most likely what Albayrak was doing in the video that showed him hacking into “random” iCloud accounts.

Earlier this month, however, Albayrak pled guilty to one count of blackmail, and previously admitted to two counts of “unauthorised acts with intent to impair the operation of or prevent/hinder access to a computer.” He was sentenced late last week to a two-year suspended jail term, 300 hours of “unpaid work” and a six-month electronic curfew. Albayrak, who was the spokesperson for a hacking group calling itself the Turkish Crime Family, also seemed to be something of a Walter Mitty character who imagined himself as a world-class hacker, seeking both fame and fortune for his efforts. As Anna Smith, senior investigator for the NCA, said, however, “Cyber-crime doesn’t pay.”

How to Protect Yourself

As we already mentioned, it’s worth remembering that even though Apple’s systems weren’t breached, Albayrak was able to successfully access several dozen accounts.

The good news is that since this data definitely didn’t come from Apple, there are some fairly easy steps you can take to ensure that your iCloud account isn’t caught up in a similar incident in the future.

Use a Unique Password for iCloud

Many iPhone users don’t realize how critical their iCloud account and password are. This isn’t just about your App Store purchases or your Apple Music subscription. Your iCloud account can also be used to locate any of your iOS or Mac devices, or even remotely wipe them entirely. Somebody with your iCloud password could virtually destroy your entire digital life.

You should take your iCloud password at least as seriously as you take the passwords for things like your online banking accounts, and in fact probably even more when you consider how many doors it unlocks. So we can’t emphasize enough that you should use a unique, strong password for your Apple ID.

At least this way, the only route for a hacker to get your password would be hacking Apple itself, something that hasn’t ever happened.

Enable Two-Factor Authentication

We have recommended this many, many, many times, and we still can’t emphasize it enough. Apple offers a two-factor authentication system that requires you to enter an additional code each time you log into your Apple ID in order to confirm that it’s really you, and not somebody else.

Two-factor authentication is really easy to turn on, and unlike the same feature from other online services, you don’t need to install any special apps or enter special codes in order to use it with your Apple ID — your existing iOS and macOS devices natively support it through Apple’s own push notification channels.

Once the setting is enabled for your Apple ID, then whenever you try to log in, whether it’s to get into iCloud.com from a web browser, to set up a new iPhone or iPad, or even just to access Apple Music from a new device, a six-digit code will be automatically transmitted to all of your current devices, and you’ll need to enter that code before you can proceed.

Since a hacker who manages to obtain your Apple ID password hopefully won’t also have your unlocked iPhone or MacBook in their possession, this means not only that they won’t be able to get into your account, but also that you’ll know right away that somebody has been trying. As an added bonus, the two-factor authentication prompt you receive on your iPhone and other devices will actually show you where the attempt is being made with as much accuracy as possible.

Apple really could not have made this process any simpler, and when you consider how powerful and connected your Apple ID is, there’s really no good reason why you shouldn’t enable this to protect your digital identity.
