Aussie teen fan breached Apple's servers. 90GB taken.

wkleem
Community Member
edited August 2018 in Lounge

Downloaded 90GB of secured data! He says he wants to work for Apple. Apple says the data wasn't compromised.

https://theverge.com/2018/8/16/17701706/apple-hack-system-australia-teen

"He reportedly developed multiple backdoors and evaded detection up until a raid on his parents’ home exposed a bunch of stolen files and instructions saved in a folder very obviously named “hacky hack hack.” Australian police also seized two laptops, a phone, and hard drive from the teen. He also apparently relied on some sort of software to help him inside, but again, it’s not clear what function this software served. He has pleaded guilty and is due next month for sentencing. We’ve reached out to Apple for comment and will update if we hear back."

It's probably best to change passwords? 1Password for iOS can only be purchased from the App Store.


Comments

  • I hope they release more information about what was obtained, and in what form? Did they download unencrypted user data? Encrypted user data? Server logs?

    It's probably best to change passwords?

    Not necessarily. If either your Apple ID or Master Password is weak (assuming you're syncing your data to iCloud), then yes, you should change them, but you should have changed them regardless because you shouldn't have weak passwords for either.

    Rick

  • jpgoldberg
    1Password Alumni

    I concur with @rickfillion. Until we know more there is no reason to change passwords.

    The article in The Verge uses as its source an article in The Age which was clearly not written by someone who understands these sorts of things. (This is a pity because The Age does have some excellent journalists who understand information security.)

    For all we know, what the attacker obtained from "Apple's mainframe [sic]" were loads of ssh public keys:

    Further analysis found that the schoolboy successfully accessed “authorised keys” as part of his offending.

    Presumably that is authorized_keys (which aren't secret).

    I feel very sorry for the defendant if the court's understanding of "hacking" is no better than what is reported.

  • wkleem
    Community Member

    Thanks, @rickfillion! I previously had issues with Apple's password generation with very long passwords. I've settled for 25 characters, I think, which is the approximate limit I can use without triggering Apple's repeated-characters rule: "aaa" (but not "aa") fails the password generation for Apple ID.

    I must check it again.

  • Ben

    :+1: :)

    Ben

  • jpgoldberg
    1Password Alumni

    You might be going for overkill with 25 character passwords anyway, @wkleem.

    Remember that using mixed case letters alone, you already exceed 128 bits with a length of 23. And a 70 bit password is going to be well out of reach of even the NSA if they were to put enormous resources into cracking it. (This is because it is more expensive to generate and test a password guess than it is to test a cryptographic key. So even if they can, with substantial effort and cost, crack a 70 bit key, a 70 bit password will still be far outside their reach.)

    A password of length 16 with mixed case, digits, and symbols from our generator will give you around 100 bits.

    People underestimate just how strong our generated passwords are.
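The entropy arithmetic in the post above, plus the "no three repeated characters" Apple ID rule wkleem describes earlier in the thread, worked through as an added example (not code from the thread or from 1Password). The alphabet sizes (52 mixed-case letters, 94 printable ASCII characters) and the exact form of the repeat rule are assumptions of this example.

```python
import math
import secrets
import string

# Assumed alphabets for the calculation (constructed for this example).
MIXED_CASE = string.ascii_letters                                    # 52 symbols
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def count_without_triple_runs(alphabet_size: int, length: int) -> int:
    """Number of strings of the given length with no run of three identical
    consecutive characters ('aaa'), counted by a two-state DP: strings whose
    final run has length 1 versus length 2."""
    if length == 0:
        return 1
    run1, run2 = alphabet_size, 0  # all length-1 strings end in a run of 1
    for _ in range(length - 1):
        # append a different char -> run of 1; append the same char -> run of 2
        run1, run2 = (run1 + run2) * (alphabet_size - 1), run1
    return run1 + run2


def entropy_bits_no_triple(alphabet_size: int, length: int) -> float:
    """Entropy when the generator must avoid 'aaa'-style runs (as wkleem reports for Apple ID)."""
    return math.log2(count_without_triple_runs(alphabet_size, length))


def has_triple_run(pw: str) -> bool:
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def generate(alphabet: str, length: int, forbid_triples: bool = False) -> str:
    """Uniform random password; with forbid_triples, rejection-sample until no triple run.
    Rejection sampling keeps the result uniform over the accepted strings."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not forbid_triples or not has_triple_run(pw):
            return pw
```

Running the numbers shows why the post calls 25 characters overkill: 23 mixed-case letters already pass 128 bits, and forbidding triple runs costs a 25-character password only a few hundredths of a bit.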

This discussion has been closed.