A group of hackers threatening to wipe data from Apple devices attached to millions of iCloud accounts didn't obtain whatever log-in credentials they have through a breach of the company's services, Apple said.
"There have not been any breaches in any of Apple's systems including iCloud and Apple ID," an Apple representative said in an emailed statement. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."
A group calling itself the Turkish Crime Family claims to have login credentials for more than 750 million icloud.com, me.com and mac.com email addresses, and the group says more than 250 million of those credentials provide access to iCloud accounts that don't have two-factor authentication turned on.
The hackers want Apple to pay $700,000 -- $100,000 per group member -- or "$1 million worth in iTunes vouchers." Otherwise, they threaten to start wiping data from iCloud accounts and devices linked to them on April 7.
In a message published on Pastebin Thursday, the group said it also asked for other things from Apple, but they don't want to make public.
"We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved," the Apple representative said. "To protect against these type of attacks, we recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."
The hacker group confirmed there has been no breach of Apple services and hinted the leaked credentials were obtained through compromises on third-party websites.
To some extent, that would be possible because many users reuse their passwords across multiple websites and because most websites ask users to log in with their email addresses. However, the unusually high numbers advanced by the group are hard to believe.
It's also hard to keep up with the group's claims, as at various times over the past few days, it has released conflicting or incomplete information that it has later revised or clarified.
The group claims that it started out with a database of more than 500 million credentials that it has put together over the past few years by extracting the icloud.com, me.com and mac.com accounts from stolen databases its members have sold on the black market.
The hackers also claim that since they've made their ransom request public a few days ago, others have joined in their effort and shared even more credentials with them, putting the number at more than 750 million.
The group claims to be using 1 million high-quality proxy servers to verify how many of the credentials give them access to unprotected iCloud accounts.
Sign up for Computerworld eNewsletters.