If Apple’s security systems see that an iCloud account is being used in a suspicious way, or may be subject to abuse, it can result in the account being locked. This starts a process for the rightful owner of the account to assert that it is theirs, and it blocks all other access until this is completed.
As Apple say: "If you or someone else enters your password, security questions, or other account information incorrectly too many times, your Apple ID automatically locks to protect your security and you can't sign in to any Apple services. You can unlock your Apple ID after you verify your identity."
Back in 2014, the iCloud photo leak triggered a response from Apple whereby they locked a large number of iCloud accounts. Whilst this caused some inconvenience for a number of users, it was a sensible precaution to safeguard their data.
Since early March this year, we’ve observed a new series of account locks, and again these coincide with reports of vulnerabilities in iCloud and iOS. There are three stories currently circulating in the news.
On March 7th Apple released a statement with regard to WikiLeaks’ disclosure of CIA documents on iOS vulnerabilities, confirming that many but not all of the weaknesses were already patched. Just over a week later, more stories circulated on a new iCloud leak.
Yesterday the news worsened, with Motherboard reporting that hackers are trying to extort Apple over illegal access to some 300 - 559 million iCloud accounts.
According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those using the @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all.
Apple reported in 2016 that there were nearly 800m iCloud accounts in existence. Allowing for growth since then -- if this news is verified -- this could be more than a third of all iCloud accounts affected.
More and more locking
These waves of account locks mean many users have woken up to a locked account after years of using iCloud without any incident, and others have had their account locked two or three times in a row.
As cyber-criminals are turning to Facebook, Twitter and other platforms to launch attacks on the cloud, the qualifiers of “suspicious user activity” are increasing in complexity. We believe Apple have made a number of encryption and algorithm changes that look at user and device behaviour, and that they have set off a chain of further account lockings. In some cases, these seem to be leading to false-positive locks of accounts, sometimes several times in a row.
A simple step to better secure iCloud accounts
Many people do not recognise the inherent risks of using simple login credentials, as they normally trust platforms to protect both the security of their accounts and their privacy. Reincubate released free 2FA support in the Cloud Data API and the iPhone Backup Extractor last year and rolled it out to all of the company’s services. Use of this makes it very difficult for non-account holders to back up data that doesn’t belong to them, as they cannot pass the two-step authentication system without access to the related device.
Critically, users should update their iCloud passwords if they haven’t done so recently, and they should enable two-factor authentication (2FA) to better protect their accounts. We’ve got more information on this in our guide on recovering iCloud data and working with 2FA. Fortunately, as we wrote in our 2017 iCloud security round-up, Apple are going to be doing much more to encourage users to enable 2FA in their 10.3 release.
How to unlock a locked iCloud account
Where users of these services experience issues logging in, it may be because Apple has locked the iCloud account. To make it work again, first check iCloud settings, either on the device itself or via icloud.com, verify the account, pick a new password, and then log back into the iPhone Backup Extractor. The new credentials should work.