Apple's iCloud is a popular storage and syncing service used by millions of people to share data, photos and other personal information between devices and a computer. If enabled, it will update in real-time. While undoubtedly useful, it is vital that security remains a top priority.
If you ignore the security settings, the consequences can be severe. Just ask the 100-plus celebrity victims of 2014's so-called Fappening incident which saw hundreds of explicit photos stored via iCloud jump off smartphones and directly into the headlines.
In March 2017, a hacker group called Turkish Crime Family demanded $700,000 worth of cryptocurrency – or the equivalent in iTunes gift cards – as part of an extortion attempt aimed directly at Apple.
The group said, if its demands were not met, it would factory reset 200 million iCloud accounts. Apple later denied its systems had been breached or hacked, but this was missing the point altogether.
As the hackers said in a Pastebin update, the group's millions of hijacked credentials had been amassed from multiple leaked databases from other major online services over the last five years. It didn't need a breach.
By plundering a trove of @icloud.com, @me.com and @mac.com addresses from other large data leaks, the cybercrime team obtained real ammunition. As such, there are steps you should take right now to make sure your security is solid, and to keep your accounts safe from hackers.
Changing your passwords
The first thing you should do is change your Apple passwords – especially if you have been using them for a number of years. Security experts, even those from major intelligence agencies, say that regular password changes are not necessarily the best way to stay secure. However, in this instance, a quick update is likely needed to make sure you are safe.
Your new passphrase should be lengthy, and contain a mixture of letters, characters and symbols. Check out Apple's security page for a step-by-step process on how to do this. Apple passwords must have eight or more characters and include upper and lowercase letters, and at least one number. Remember, never use the same password on multiple accounts.
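To see whether a leak elsewhere would expose your Apple ID, you can audit a password-manager export on your own machine. The script below is an added example, not code from Apple or from the original article; the record layout, the `appleid.apple.com` label for the Apple ID entry and the sample entries are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Address domains the article lists as harvested from third-party leaks.
APPLE_DOMAINS = {"icloud.com", "me.com", "mac.com"}


def meets_stated_minimum(password):
    """Apple rule as quoted in the article: 8+ chars, upper, lower, a number."""
    return len(password) >= 8 and all(
        re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))


def audit(entries, apple_site="appleid.apple.com"):
    """entries: (site, username, password) tuples from a password-manager export.

    apple_site is an assumed label for the Apple ID entry in the export.
    Only site names are returned; passwords never leave this function.
    """
    sites_by_password = defaultdict(set)
    apple_passwords = set()
    for site, _user, password in entries:
        sites_by_password[password].add(site)
        if site == apple_site:
            apple_passwords.add(password)

    # Any password that protects more than one site.
    reused = sorted(sorted(s) for s in sites_by_password.values() if len(s) > 1)
    # Third-party logins that pair an Apple-domain address with the Apple ID
    # password: a leak of that site hands over a working Apple ID credential.
    replayable = sorted(
        site for site, user, password in entries
        if site != apple_site
        and user.rpartition("@")[2].lower() in APPLE_DOMAINS
        and password in apple_passwords)
    below_minimum = any(not meets_stated_minimum(p) for p in apple_passwords)
    return {"reused": reused, "replayable": replayable,
            "apple_below_minimum": below_minimum}


# Constructed sample export; no real accounts or passwords.
SAMPLE = [
    ("appleid.apple.com", "jane@icloud.com", "summer2012"),
    ("forum.example", "jane@icloud.com", "summer2012"),
    ("news.example", "jane@example.org", "summer2012"),
    ("shop.example", "jane@me.com", "k9!Vw#rT2pLq"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Any site listed under `replayable` should get a new, unique password, and the Apple ID password should be changed as well.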
Enable two-factor authentication
Adding an additional layer of security to your accounts will help keep the hackers out.
Apple offers both two-factor and two-step options that will mean your account can only be accessed on devices you trust – such as your iPhone, iPad or a MacBook computer.
When you want to sign in with your Apple ID on a new device for the first time, you will need to provide two different pieces of information – your password and a six-digit code that's displayed on your trusted device.
Two-factor authentication is currently available to iCloud users with at least one device that's using iOS 9, OS X El Capitan or later.
You can follow these steps to turn on two-factor authentication on your iPhone, iPad, or iPod touch with iOS 9 or later:
- Go to Settings > iCloud > tap your Apple ID.
- Tap Password & Security.
- Tap Turn on Two-Factor Authentication.
- Follow the prompts.
Check where you are logged in
You should do a quick check to see what devices are currently linked to your Apple ID. This will let you see exactly what smartphones, tablets or computers it is logged into at any given time. It's important to make sure you recognise these devices and, if not, block access immediately.
Check exactly what you have synced
You may not realise exactly how much of your data is being shared with iCloud, so it's highly advised to give this a quick scan. Photos, documents and contacts may all be accessible via the iCloud portal. Using Apple's quick toggle buttons, you can choose exactly what gets shared.
"It's incredibly easy to put your photos into the cloud, but once they leave your device, they are no longer entirely under your control," Paul Norris, a senior engineer at security firm Tripwire, told IBTimes UK via email.
"The blending of devices and the cloud has resulted in a blurry line between what you actually have and what you have access to," he continued. "In many cases, the experience of actual possession and that of access are nearly identical."
Check if your emails are already leaked
If you don't know whether your accounts have been compromised, you can check Troy Hunt's 'Have I Been Pwned' breach notification service. Using this, you can input your email and – with the click of a mouse – check if it is included in any of the major breaches over the past few years. This includes LinkedIn, MySpace, Tumblr, VK, Dropbox and many more. If you find it in there, then a password change is more necessary than ever.
Other top tips:
- Use a password manager to keep your unique credentials secure
- Keep backups of any personal, sensitive or worthwhile material
- Delete all accounts you don't use anymore
- Disable the "Find My iPhone" function to stay secure from factory reset threats
- Use Apple's Keychain option to keep passwords and personal data up to date