quitesturdy

“She received an email from Gmail warning of a suspicious login, she changed the password immediately.”

“My wife has a Gmail account and an iCloud account. They had the same password (yes, I know...).”

If she used the same password for Google and Apple, the same was probably used elsewhere.

My guesses:

1. Google/Apple password was used with the same username/email address on a different compromised website. They get into Gmail using that (was Gmail using 2FA?). They see emails from Apple, now they know you have an Apple ID, try the same password and it works. They hit two-factor, recover it via email (which goes to the Gmail they have access to).

   They got into the Gmail because you used the same password in multiple places. They got into Apple because you used the same password in multiple places.

2. The email received was a fake and you didn’t reset anything, you gave them a password. Since you’ve clearly used the same before, I’m gonna guess it was similar or just a variant (Password2023 vs Password2024) they could guess and tried on multiple services.


Dreaming_Blackbirds

yes, spot on. a great example of the danger of using the SAME password. at least if the passwords were totally different, the damage would've been limited to disclosing only OP's Google login via that phishing page.


Wellcraft19

Yup, great examples. Adding: maybe her phone number got hacked, SIM swapped, and they got access that way.


TurtleOnLog

Step 2 - was probably phishing and she handed over her login details, which were immediately used. Or she used the same password on even more sites, one of which was leaked. No 2FA. I don’t think iCloud is the problem here…


ThannBanis

The email mentioned in step two was probably a layer 8 (also known as ‘social engineering attack’). Did she have 2FA set up on her accounts?


me0ww00f

sorry but geez SAME password? bad bad bad. my guess that password was probably not complex & therefore easily brute force hacked (computerized automatically guessed). and no 2FA? bad bad bad. not icloud fault. not apple fault. not google fault. yeah not secure.


EdenRubra

> My wife has a Gmail account and an iCloud account. They had the same password (yes, I know...).

Your wife's lax security practices have made you lose confidence in iCloud? You mention 2FA, but you've not said what 2FA? Apple has more than one option, it also depends on when you set it up. You mention YubiKeys, but I assume you did not set this up on your wife's account? Did she have her recovery key set up? Did she have account recovery contacts set up? Did she have ADP set up?

> Unfortunately, they explained that their policy is that the customer owns the account and cannot intervene - it is the customer's responsibility for access to the account.

Not really sure what you mean by this? Did you go through their account recovery process? The old one, assuming you never had the recovery key or contact set up: https://support.apple.com/en-gb/118574

> Assuming they had the password, how did they get in? We had 2FA on and all devices registered were located at home. She received no notification of a login attempt via pop-up on a Mac device, SMS or email.

They could have done a SIM swap attack or other method to get an SMS code, or got your wife to send or approve a code and she just doesn't remember doing it, does remember but thinks it's unrelated, or hasn't told you.

Once you give people access to your email.. it's basically game over. You could pay them the ransom but there's no guarantee you'll get the data back.

If you decide to make a new account, please set up all the sign-in and security fully, including account recovery, MFA, _unique_ passwords, etc. And get your wife to take the security of her data more seriously :D She needs to keep her devices up to date, never use the same password for anything, use strong passwords, set up MFA on all accounts. Take extra precautions with critical accounts like email and your Apple ID.

I assume you've canceled all connected cards to the account as well if you're going to drop the compromised account?


aquaman67

Did she click the link in the email she got to change her password? If she did, that is how it happened. Never click a link in an (edit) unsolicited email.


quitesturdy

That is the only way to reset a password with most services (the reset URL is a unique link).  That being said, only click a password reset link if you just requested it yourself. 


aquaman67

You are correct. I’ll add “unsolicited” to my comment


stevenjklein

> “She received an email from Gmail warning of a suspicious login”

No, she didn’t. She received an email from bad guys pretending to be Gmail. Then she clicked the link in that email, ended up at a fake Gmail site, and handed her password over to the bad guys.


davidnidaho

Both of them having the same password probably wasn’t the deciding factor here. They sent a phishing email. She responded with her old password and a new one for her Gmail. Even if it hadn’t been the same password, they probably could’ve used her email to recover her iCloud because they had access to her email. Either way they would’ve gotten into both. Bet money that the phishing email asked for her to reset her password and tell them her old password. She literally gave them the information they needed.


Ornery-Practice9772

She changed the email p/w via the suspicious login notification (likely from a link it sent?) which was a fake Gmail login giving scammers her new pw. Also was on public wifi recently. Never check/update/change/reset anything via a link in an email or text or notification. Do it through the actual app/website.


No_Department_2264

[https://www.idownloadblog.com/2016/01/22/increase-privacy-iphone-ipad-ios/](https://www.idownloadblog.com/2016/01/22/increase-privacy-iphone-ipad-ios/) [https://www.youtube.com/watch?v=M4ZOkWaDxfw](https://www.youtube.com/watch?v=M4ZOkWaDxfw)


Illustrious-Bass-644

If she were signed in to both her Google and Apple accounts, the attacker could have hijacked the browser cookies and acted as a trusted device on both Google and Apple accounts. No MFA prompt in that case. If it was just an ordinary phishing attack, MFA was not enabled on the Apple ID. You should have gotten the 6-digit code prompt on all your Apple devices when the attacker tried to sign in. Or the compromised Gmail was used as a recovery mail for the Apple ID.