Wave of Australian iOS devices held for ransom via Find My iPhone hack

Sydney Morning Herald:

One iPhone user, a Fairfax Media employee in Sydney, said she was awoken at 4am on Tuesday to a loud “lost phone” message that said “Oleg Pliss” had hacked her phone. She was instructed to send $50 to a PayPal account to have it unlocked.

There is conjecture that the hackers have access to some recently stolen eBay passwords and that the victims used the same password for both eBay and their Apple ID. Whether or not this is true, it is a pointed example of why you should not reuse passwords.

“It’s quite possible this is occurring by exploiting password reuse,” Mr Hunt said. “Regardless of how difficult someone believes a password is to guess, if it’s been compromised in another service and exposed in an unencrypted fashion, then it puts every other service where it has been reused at risk. Of course it also suggests that two-factor authentication was likely not used as the password alone wouldn’t have granted the attacker access to the iCloud account.”

Two-factor authentication is critical. If you have not set it up, here’s the place to start. [Via MacRumors]