So far the best coverage of this breach in terms of how it occurred is here. We hope to answer a few more questions that seem to be swirling on the Web.
Is this breach real?
Probably. We think so for two reasons:
- The FBI agent who was supposedly breached is real. He’s a known recruiter in the FBI focused on getting white hat hackers to work for the feds. Here’s his Facebook video: https://www.facebook.com/video/video.php?v=512364171294
- The database that was breached seems authentic—though only Apple can confirm. However, the structure and format of the data indicate that this is a real breach. It would be hard to fake such data.
What is new about this hack?
There are two things interesting about this attack:
- Shows a new angle on hacktivism—This breach resembles an innovation by hacktivists. Specifically, they targeted an individual in the same way government-sponsored hackers (a.k.a. APT hackers) would attack. Sure, Anonymous/LulzSec targeted HBGary in the past, but we haven’t seen this type of attack reappear until now. Is this part of a broader trend of hacktivists expanding their attack methods? Could be. For example, the recent Saudi Aramco breach used malware, a type of attack not normally associated with hacktivists.
- This attack was not pre-announced—Normally, hacktivist attacks are pre-announced, often an Operation [FILL IN THE BLANK]. Doesn’t seem to be the case here.
What can hackers or the FBI use this data for?
If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user’s online activity—possibly even a user’s location. To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users.
What scams can we expect?
How many people will get infected “finding out” if their Apple device was one of the 12 million? Here’s one blog that already points you to a site where you can “check” if your creds were stolen:
How do we know if such sites are real or scams to find out your real credentials? Sites like this sometimes appear after high-profile breaches and consumers shouldn't visit them.