in any of Apple's systems including iCloud and Apple ID," an Apple representative said in an emailed statement. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."

A group calling itself the Turkish Crime Family claims to have login credentials for more than 750 million icloud.com, me.com and mac.com email addresses, and the group says more than 250 million of those credentials provide access to iCloud accounts that don't have two-factor authentication turned on. The hackers want Apple to pay $700,000 ($100,000 per group member) or "$1 million worth in iTunes vouchers." Otherwise, they threaten to start wiping data from iCloud accounts and devices linked to them on April 7. In a message published on Pastebin Thursday, the group said it had also asked Apple for other things, which it does not want to make public.

"We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved," the Apple representative said. "To protect against these types of attacks, we recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication."

However, the unusually high numbers advanced by the group are hard to believe. It's also hard to keep up with the group's claims: at various times over the past few days it has released conflicting or incomplete information that it has later revised or clarified. The group claims that it started out with a database of more than 500 million credentials that it put together over the past few years by extracting the icloud.com, me.com and mac.com accounts from stolen databases its members have sold on the black market.
The hackers also claim that since they made their ransom request public a few days ago, others have joined in their effort and shared even more credentials with them, putting the number at more than 750 million. The group claims to be using 1 million high-quality proxy servers to verify how many of the credentials give them access to unprotected iCloud accounts. Apple provides two-factor authentication for iCloud, and accounts with the option turned on are protected even if their password is compromised.

The latest number of accessible iCloud accounts advanced by the Turkish Crime Family is 250 million. That would be a remarkable ratio: one in every three tested accounts. For comparison, the largest data breach ever reported was Yahoo's, with a reported 1 billion accounts.

"At best they've got some reused credentials, but I wouldn't be surprised if it's almost entirely a hoax." Hunt hasn't seen the actual data that the Turkish Crime Family claims to have, and there isn't much evidence aside from a YouTube video showing a few dozen email addresses and plaintext passwords. However, he has significant experience validating data breaches and has seen many bogus hacker claims over the years.

To be on the safe side, users should follow Apple's advice: create a strong password for their account and turn on two-factor authentication, or two-step verification at the very least
In examples uncovered by Check Point, the emails were made to look like they were sent from a tax agency, and ostensibly warn the recipients about inconsistencies in their tax returns. The attached file (Dokument.zip) they are instructed to open is made to look like a document file, but is actually an application. If the victim downloads and opens it, it performs a myriad of silent changes on the target machine, all geared towards setting up a malicious proxy server that gives the attacker access to all of the victim's communication.

"[The malware] uses sophisticated means to monitor—and potentially alter—all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data," Malwarebytes researchers explained. "Further, OSX.Dok could modify the data being sent and received for the purpose of redirecting users to malicious websites in place of legitimate ones."

In another instance, unearthed by Malwarebytes, another variant of the same dropper doesn't do the fake "OS X Updates Available" routine, but instead installs an open source backdoor named Bella, generally available from GitHub. The software is a Python script capable of extracting a wide variety of sensitive data from macOS machines (passwords, keychain, screenshots, location data, iMessage and SMS chat transcripts, etc.). This version of the script has been configured to connect to a C&C server in Moscow.

"Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code signing certificates, hardware locations and much more.
If you've been infected, contact your IT department," the researchers advised. They noted that it is unknown whether there is any connection between Noah, the author of Bella, and the creators of the OSX.Dok malware. "Bella may simply have been used by unrelated hackers since it is freely available as open-source software," they pointed out.

The valid developer certificate that was used to sign the malware has since been revoked by Apple, so potential new victims won't be able to open the app and get infected. Future versions of the malware could, of course, be signed with another, likely stolen, developer certificate.

In the meantime, users who have been successfully hit with OSX.Dok are advised to either erase the hard drive and restore the system from a backup made prior to infection, or get help cleaning the machine from an expert. "Removal of the malware can be accomplished by simply removing the two [malicious] LaunchAgents files, but there are many leftovers and modifications to the system that cannot be as easily reversed. Changes to the sudoers file should be reversed and a knowledgeable user can easily do so using a good text editor (like BBEdit), but making the wrong changes to that file can cause serious problems," they noted. Editing sudoers with visudo rather than a plain editor avoids the problem they warn about, since visudo checks the file's syntax before saving it. The bad certificate should also be removed, and so should a LaunchAgents file named homebrew.mxcl.tor.plist. But, according to them, "the numerous legitimate command-line tools installed, consisting of tens of thousands of files, cannot be easily removed."
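As an added illustration of the clean-up checks described above (example code written for this page, not Malwarebytes' or Check Point's tooling), the script below diffs a sudoers file collected from the suspect Mac against a known-good baseline, flags the LaunchAgent file name the researchers mention, and checks whether an automatic proxy configuration is in effect, which is typically how a system-wide interception proxy on macOS takes hold. The LaunchAgents listing, sudoers contents and networksetup output it works on are constructed samples; the baseline sudoers content, the output format of `networksetup -getautoproxyurl`, and the `KNOWN_BAD_LAUNCH_AGENTS` set (the write-up names only homebrew.mxcl.tor.plist, not the two dropper LaunchAgents) are assumptions, not details from the write-up.

```python
"""Offline triage helpers for the OSX.Dok indicators described above.

Added example, not Malwarebytes' or Check Point's tooling. It works on text
collected from the suspect Mac, so it can run anywhere:
  ls ~/Library/LaunchAgents /Library/LaunchAgents
  sudo cat /etc/sudoers
  networksetup -getautoproxyurl Wi-Fi
The sample inputs at the bottom are constructed for illustration.
"""
import re

# The only malicious LaunchAgent file name the write-up gives. The two dropper
# LaunchAgents are not named there; add their names here from your own analysis.
KNOWN_BAD_LAUNCH_AGENTS = {"homebrew.mxcl.tor.plist"}


def suspicious_launch_agents(listing, known_bad=KNOWN_BAD_LAUNCH_AGENTS):
    """Return LaunchAgent file names from an `ls` listing that are known-bad."""
    names = [line.strip() for line in listing.splitlines() if line.strip()]
    return sorted(n for n in names if n in known_bad)


def _sudoers_rules(text):
    """Yield effective sudoers lines; blanks, comments and '#' directives dropped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield re.sub(r"\s+", " ", line)  # normalise spacing so diffs are stable


def sudoers_additions(baseline, current):
    """Lines present in the current sudoers but absent from a known-good baseline.

    The write-up says OSX.Dok modifies sudoers without listing the exact edit,
    so this diffs against a baseline instead of pattern-matching one rule.
    Every returned line should be reviewed and reverted with visudo.
    """
    base = set(_sudoers_rules(baseline))
    return [line for line in _sudoers_rules(current) if line not in base]


def autoproxy_enabled(networksetup_output):
    """Parse `networksetup -getautoproxyurl <service>` output.

    Returns the PAC URL when automatic proxy configuration is enabled, else None.
    The "URL: ..." / "Enabled: Yes|No" format is assumed from the tool's
    behaviour, not taken from the write-up.
    """
    url, enabled = None, False
    for line in networksetup_output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "url" and value and value != "(null)":
            url = value
        elif key == "enabled":
            enabled = value.lower() == "yes"
    return url if enabled and url else None


def triage(listing, sudoers_baseline, sudoers_current, proxy_output):
    """Collect every indicator into one dict; empty values mean nothing found."""
    return {
        "launch_agents": suspicious_launch_agents(listing),
        "sudoers_additions": sudoers_additions(sudoers_baseline, sudoers_current),
        "autoproxy_url": autoproxy_enabled(proxy_output),
    }


# --- constructed sample data, not captured from a real infection ---
SAMPLE_LISTING = """\
com.apple.example.plist
homebrew.mxcl.tor.plist
"""

SAMPLE_SUDOERS_BASELINE = """\
# Assumed known-good sudoers (abridged)
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""

# One constructed extra rule standing in for whatever edit the malware made.
SAMPLE_SUDOERS_CURRENT = SAMPLE_SUDOERS_BASELINE + "victim ALL=(ALL) NOPASSWD: ALL\n"

SAMPLE_PROXY_OUTPUT = "URL: http://127.0.0.1:8888/proxy.pac\nEnabled: Yes\n"

if __name__ == "__main__":
    results = triage(SAMPLE_LISTING, SAMPLE_SUDOERS_BASELINE,
                     SAMPLE_SUDOERS_CURRENT, SAMPLE_PROXY_OUTPUT)
    for key, value in results.items():
        print(f"{key}: {value or 'nothing found'}")
```

Run it after pasting in the real outputs of the three commands listed at the top; a non-empty `sudoers_additions` list or a non-None `autoproxy_url` on a machine that should have neither is the signal to revert the rule with visudo and clear the automatic proxy setting, and the LaunchAgent match confirms the file the researchers say should be deleted. The certificate removal and the leftover command-line tools they mention are outside what a text diff can check.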