Computerworld - Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of the iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.
The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it -- most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)
Read more...
