Outsmart iCloud hackers and keep your data safe
Not too long ago the term "The Cloud" was a mysterious description for all of the data we did't store on our own devices. Few people understood what it was. Things have changed now, but the average consumer still struggles to understand the intricacies of storing and sharing private content within cloud-based applications.
Today, over 782 million Apple users are comfortable using iCloud. They're also using other cloud-based apps that gather private user data, with or without informed consent.
As reliance on iCloud increases, cybersecurity and privacy risks become more and more complex, and users should be informed. After all, there's a lot of data in it. With this article, we're seeking to help you take the right actions to protect your privacy. Sometimes that involves shedding a little convenience, though not always. And it's worth it.
The security of your cloud data and phone is worth your full attention. We aim to make it easy, and have compiled a comprehensive list of actions you can take to increase the security of your iCloud account and iPhone.
Easy things you should do to stay safe 🔒
Let's start with the basics...
1. Don’t trust emails asking for iCloud authentication
Phishing emails fake legitimate security measures. They're the emails that appear in your inbox, appearing to be from Apple, Google or others, and which usually contain a message with some urgency: "click to ensure your account stays active", for example. These are all nonsense -- and dangerous to click on.
Phishing emails simulate legitimate attempts to validate a user’s recent activity, and ask for a user credentials. That's the first red flag. The message could be: "We've recently detected suspicious activity in your iCloud account. Use this form to reset your password".
Every time you see an email specifically asking for credentials, check the URL. If you see any other domain than iCloud.com, or if you notice an insecure certificate when browsing, it's most likely a phishing attempt. Here's Apple's icloud.com, and the secure certificate that you should see on it:
We recommend you to access your iCloud account directly without using any email link. Always use the official iCloud site to log in, change password or check for warning messages. If you don't see anything suspicious, the email is probably from a hacker trying to steal your iCloud credentials. You can get in touch with Apple’s security team and report them these attempts.
2. Don’t click on anything suspicious
Every now and then an exploit is discovered that can compromise your data simply through clicking a link.
Mike Murray, a security expert from Lookout, described the last issue like this as “the most sophisticated spyware package we have seen in the market”. It was linked with NSO Group, an Israeli company which makes security applications for governments. A few hours later, Apple launched an iOS update, which solved this vulnerability.
What can we take from this? Even though the problem was solved rapidly, other security holes could be discovered. If you receive any unusual message or email containing links, it’s best to ignore it.
Having a private email address is a good way to avoid targeted or random spyware attacks in this way. Here are three things you can do to ensure privacy:
- Use a separate email address for purchases, social networks and promotional messages, and a private, rarely disclosed one for information you wish to keep secure. Share it only with trusted people.
- Create filters for email accounts you trust -- and avoid opening messages that look like spam but got past your filters
- Enable two-factor authentication for your email -- perhaps using a cell number to receive notifications for suspicious activity
- Encrypt your email -- use a web based email provider or set up your Outlook to use encrypted connections with GPG
- Use an additional anti-spam app and make sure you filter any annoying messages
3. Use a strong password -- and change it regularly 🔑
If it's not too annoying to change your password every 6 months, go ahead and take 5 minutes now to update yours today.
One of the most basic methods to protect your iCloud is to use a strong password. We suggest using a long password containing numbers, letters and punctuation signs. Don’t forget to save the password in a very safe place.
Combine capital letters and numbers to form a secure password. Security company McAfee suggests avoiding password terms that include personal information, like your birthday, pet's name or a favourite colour, because they're easy for hackers to guess. Don’t choose any favourite band, your birth place or any other relatable guess as your iCloud password. The Telegraph have written on the most commonly used passwords, and they're worth avoiding!
Consider using phrases to protect the integrity of your account, which are easy for you to remember as an individual but difficult for existing software to rapidly generate. Ideal passwords are at least 14 characters long. Replace certain letters with numbers or symbols:
[email protected], for example.
If you're not sure how strong your password is, there are a few free online tools to help you:
We'd not recommend putting your actual password into either of them, though.
4. Use strong security questions and answers 🔑🔑
More than a year ago, Colin Powell and George W. Bush lost their email data after their accounts was illegally accessed by a hacker. The hacker managed to gain access by guessing the answers to their security questions. Beware!
For example, a possible security question is: "Where are you born"? If someone knows the place where somebody is born, it could eventually answer this question and get access to its iCloud data.
To avoid this possibility, use more difficult questions and answers. For example, choose an alternate question like: “Which is your favourite movie?” or “Which is your favourite author?”. Ideally, make up the answers, and record your made-up answers in a secure password manager. By using more difficult security questions, you stand a better chance of safeguarding yourself.
5. Activate two-factor authentication (2FA) on your iCloud account 🔑🔑🔑
A few years ago Apple introduced an additional layer of iCloud security. This feature protects the iCloud account even where password know to somebody else. As long as the potential hacker doesn’t have access to your trusted devices, the iCloud account remains inaccessible.
Two-factor authentication is an account owner verification process that is triggered whenever a new log in is attempted. Apple introduced 2FA in 2016, and Reincubate has been providing support for this feature ever since.
Two factor authentication works like this. When you try to login to your iCloud account, you are sent an unique code. To complete the login process, you're required to enter both your password and the code received on your phone. Without code (randomly generated in real-time), anyone who wants to access the account won't manage to get in -- even if they have your username and password. So, the bad guys will get locked out and you'll get a pop-up or a text message alerting you if and when they're trying to get in.
This is what you would see on an Apple device with 2FA engaged when a login from a new location is attempted:
This is how you can enable two-factor authentication for iCloud (read more in Apple's own words:
On your iPhone, iPad, or iPod touch with iOS 9 or later:
- Go to
iCloud> tap your Apple ID
Password & Security
Turn on Two-Factor Authentication
On your Mac with OS X El Capitan or later:
- Go to Apple menu >
Turn on Two-Factor Authentication
We cover two-factor authentication and its history in more detail in our guide here.
6. Associate your iCloud with a secure email account
Yahoo!'s recent scandal revealed that email accounts are sometimes not as well protected as you might hope. With more than 500 million emails hacked, there's always the potential that hackers hack your email account, then try to send a password reset email to your email address using the iCloud login system.
If you have an iCloud account associated with a Yahoo! email address, it’s best to change your password as soon as it possible. Actually no, it's better to switch mail provider. Sorry, Yahoo!. Gmail is robust.
7. Don’t use unsecured wireless networks
Free hotspots can be a convenient way to browse the web, particular when you're on the move. But they're not secure.
Are they legit? Whoever operates a network has the capability of intercepting or recording traffic sent over it. If you don't know who is running the network -- and you don't trust them -- you shouldn't use it. If the network isn't secured properly, there's also the potential that other users of the network could attack your devices and potentially intercept your traffic or your device's data.
The best thing you can do is to avoid accessing the Internet using these hotspots. Secured public Wi-Fi connections are safer but you are still exposed to risks if you use them to access the iCloud.
Use a good data plan instead with your carrier and make sure your home WiFi network is secured.
If you do need Wi-Fi access on the go, invest in a Mi-Fi device, or consider using a VPN to protect your traffic. That won't protect your device from other users on the network, however.
8. Enable "Find My iPhone" on your device
Once activated, this option allows you to get in touch with your lost or stolen iPhone, or to remotely erase it. We’ve covered this in depth before.
The main idea is that you can use this feature to access your lost iPhone remotely, send messages to its display, find its position or entirely wipe its data unless you recover it. Access your iCloud account and activate “Lost mode” for that device and your iCloud account will be safe.
Another benefit of this feature is that it prevents anyone else using your iPhone if it's stolen. It can't easily be reactivated, so it's worth a lot less to a potential thief.
9. Delete unwanted or sensitive content from Photo Stream or iCloud Photo library
If you have images which aren't so important to you, delete them. Similarly, if you have any particularly confidential content, perhaps it's best not to keep it on your smartphone. If you delete it, ensure you remove it from "Deleted items", too. Be aware of all the ways this data can be recovered.
Do your iPhone have content you could be blackmailed or extorted with? All the more reason to follow this list.
10. Encrypt your locally saved data
If your computer is stolen and it has an encrypted disk, you can make an insurance claim and forget about it, assuming you had a strong password. It's nice to to worry about someone accessing your data. Don't risk it!
All recent versions of iOS automatically encrypted the contents of your iPhone and iPad. If that gets stolen, our next tip is important.
11. Enable "Erase Data" to delete data after 10 failed passcode attempts
This is one of the most simple methods to prevent your phone being attacked. If this option is enabled and somebody tries to guess your passcode, your iPhone will wipe itself after 10 failed attempts. Don't worry: this isn't something you're likely to do by accident. There's a long timeout between failed attempts. It'd take a serious attempt to have someone erase your phone.
To activate this feature, from
Touch ID & Passcode and activate the
Erase Data option. Once this is enabled, your iPhone and iCloud data will be safer.
12. Lock down your lock screen: be prudent with Siri's settings and message previews
We take a deeper dive into securing your lock screen settings. Do check it out, as it'll help you stop people reading messages on your lock screen, or asking Siri to read out your personal data. Oops!
13. Make an iPhone backup
Regular backups are so important, there’s even a dedicated World Backup Day for them. Despite greater awareness, better habits, and easier technology, many users are still not creating regular backups.
Rather than going into detail on creating a backup here, we've got a comprehensive guide on choosing between iTunes and iCloud backups, and how to make them work well for you.
14. Remove any unused or unrecognised devices that are connected to your iCloud account
To see this go to iCloud.com:
Settings, and you'll see
My Devices in the page showing all devices you are signed in.
Remove any you don't recognise. Devices authorise here have low-level access to your iCloud account and all of the data in it.
If you do this, you won't be able to use "Find my iPhone" with the devices. If you don't trust them, you should zap them. Too risky otherwise.
15. Sign out of any iCloud-authenticated browsers you're not using
If you have logged in to iCloud on the web on a computer that is not yours (like a work computer, a friend’s computer, or one in an internet cafe) and forget to logout, it’s recommended that you do it using this option.
- Go to iCloud.com and log in with your username and pass
- Select the Settings icon
- At the bottom of the screen you’ll see a blue link that says "Sign Out Of All Browsers"
- Click it and you'll be signed out of all browsers on any device anywhere in the world where you are signed into your iCloud account
16. Turn off access to sensitive data for apps that don’t need it
To keep you data private you could also restrict access to apps that don’t need it, for example access to your contacts, calendar, photos, etc. Of course, hopefully you didn't grant access in the first place.
On your iOS device, go to
Things you might want to do
Not everything you can do to secure your account and iPhone is convenient -- or makes a big different day to day. Here's our assorted tips that didn't make the grade as "must-do". They're still worth reading and considering, however. 👍
1. Turn on "Limit ad tracking"
Ad tracking is used by advertising networks to target ads at you. If you limit this it restricts tracking of ads across apps. Well, apart from when Google bypass it.
On your iOS device, go to
2. If you're a macOS user, consider pair-locking your iPhone
Pair-locking requires a little technical knowledge and isn't for everyone, so we've covered it in more detail in another article. In short, it prevents your iPhone from ever exchanging data with another computer. Cool.
3. Turn off Safari’s AutoFill
If you're using iCloud Keychain, your saved data in Safari can be shared between browsers. This means your passwords and pre-filled password data from your desktop Mac can be accessed on your iPhone, and vice versa. To avoid this, disable the feature.
For this, access Safari’s settings, go to
AutoFill and disable it.
We've covered off the most important security features to restrict unauthorised iPhone or iCloud access. As new tools are developed by hackers and forensics companies the risks increase, and perfect security is impossible.
As a company, data privacy and security are in our DNA. iPhone Backup Extractor is built to ensure compatibility with all of Apple's security measures, and we're committed to ensuring our product is used by legitimate, ethical users. Stay safe!