111 comments

[ 2.7 ms ] story [ 159 ms ] thread
Can confirm. I've had someone contact me on snapchat and show me screenshots of Apple's internal tools and offer to run queries for $$$. He was willing turn off 2FA, change the email, and reset the password (thus, giving me access) for $$$$.

He told me that he texts a friend who calls and pretends to be the customer in question, and texts him all the verification questions he has to ask as part of SOP.

Many AppleCare employees work from home, so I can see it is difficult to track and stop this sort of thing.

Let em come out of the woodwork.
Did you report that?
I emailed security@apple.com and never received a response.

Generally, when I need to get the attention of big tech corporations I talk to a friend who works there. Unfortunately, I don't really know anyone who works at Apple.

You don't have any contact details in your profile; check mine and send me any details you can. I'll ping the appropriate people.
Also, we need your ss# and your keys
If HappyTypist isn't comfortable emailing my @apple.com email address they can file a bug at https://bugreport.apple.com and email me the bug # instead.

Assuming this story is true, I would personally like to catch the person responsible.

Huh? With 2fa activated there are no verification questions on the account, it makes that very clear when you enable 2fa.
Oh snap. And Apple has been touting itself as the champion of privacy in comparison with Google, Facebook and Microsoft... This doesn't look good for them
Even the NSA has leakers.
And if the NSA championed themselves as the defenders of privacy, how hard would you roll your eyes?
For my point it doesn't matter what the nature of the information is. Both Apple and the NSA want their people to keep secrets secret. But I think the NSA goes a fair bit further to prevent their employees from leaking far more sensitive info, and leaks still occur.
Well, I guess there is a difference between what your company as a whole believes in, and what 20 criminals disguised as employees do...
Being the victim of criminal behaviour, and not caring about other people's privacy are two very different things.
Caring about peoples privacy, and technological negligence that results in that privacy being impinged upon, are in fact the same issue.
It's not technological negligence to allow customers the means to access their own data if they forget their password. it's common sense.
It's technological negligence if you set out to protect customers privacy, but your employees decide to steal it anyway, because they can.
In the end, this is a problem with _all_ cloud services that do more than just _store_ data. If it does anything with your information at all then it's possible for an insider to look at it.
By that argument, all theft is negligence.
Technically speaking, you are correct, but so what?

It does kind of sound like victim blaming, but if you store a bunch of cash under your mattress, don't be surprised if someone tries to take it.

Likewise, if you store a bunch of customer data, someone will try to come and take it. If you make it accessible to anyone other than the customer, you can't act surprised if someone takes it.

Yes, and if this is indeed true, so what?
It means that any system or organization that isn't already perfectly secure is an embodiment of negligence.

Since that is impossible, all companies and all systems are negligence.

A term that applies to everyone means nothing.

Nevertheless you can say it and make businesses you don't like sound bad.

It's not Apple's policy to sell information. This is employees engaging in criminal behavior. Still not good for Apple, but it's correctable (firing and pressing charges as appropriate; institute stronger internal policies on both hiring and information access). Facebook and Google can't stop selling our information without going out of business (or a major pivot).
Google doesn't sell the information either. (You can buy ads, though.)
It kind of doesn't matter though. They are still the cause of a bunch of data being leaked through their actions. They should be held accountable for it whether it was intentional or not.

Your point is very valid, but the crime being committed against their customers is also very valid.

Google doesn't sell our information.
Is Apple storing everyone's data in China / do these 'bad apples' in China have access to every iCloud customers or is it just a local Chinese concern?
Per the article, it's not clear at this point which user (Chinese or non-Chinese or both) they were able to obtain.
Only Chinese user data is stored in China.
It does not make economical sense to store data in China
Hoping comments can resist the urge to turn this into an apple bashing thread.

Having someone purposefully steal your data from the inside doesn't mean you don't care about privacy.

They likely won't reveal anything but I'm curious how they could get the info out of Apple systems. Most companies of Apple's size lock down work stations to the point of slowing down workers efficiency to keep customer data safe. Especially with their over seas operations.

The article author couldn't determine from the police statement if the criminals had access to just chinese customer data or foreign customer data as well. If the criminals had access to foreign customer data as well that would a failing on Apple's part (and might result in some sanction in Europe for example which has been placing more emphasis on the privacy of its citizens' data with American companies after the reveals from Snowden)
(comment deleted)
Hum. No one is giving some slack to a bank for having rogue employees. Part of the job of being a large organisation is ensuring your employees do not misbehave. In this case at the very least ensure they have minimum access to users data.
Or setting up the technology so nobody at apple can even access the unencrypted data. Much more effective than policies that you expect people to follow.

I work at a fairly security conscious company, and the only data I can't access is that encrypted at the consumer's end.

> Having someone purposefully steal your data from the inside doesn't mean you don't care about privacy.

True, Apple cares much more than average. It shows that our current tech world has such a poor emphasis on privacy that even the companies that care most still screw up big.

Interesting that you say that, because Google is constantly being bashed here for it's lack of privacy concerns (rightly so, IMO). When Apple makes the similar mistakes, I feel that they should also be bashed. I don't think of them as an "evil" company, like Google, but they do seem incompetent, or maybe more fairly: focused on the wrong things.

They've touted before that they are the company to use if you want your data to remain private and secure, but continue to act in direct violation of that. This seems highly problematic to me, and, IMO, they should be raked over the coals for this.

>The suspects, who worked in direct marketing and outsourcing for Apple in China [...]

Uh, would they be given unrestricted access to user data? Or does every Apple employee have access to this data and are left to exercise restraint?

And what about Apples claim that data is encrypted at rest?

This is always the argument that makes my friends and family call be paranoid in data privacy discussions: "Even if the company has good intentions when they collect your data, there's no telling who else might end up with access to it in the future."

Obviously this is bad overall, but at least now I can point to a specific example of this happening.

The example I previously used was this old case:

Google Engineer Allegedly Fired For Accessing Private User Information To Stalk Teens

Source: http://www.businessinsider.com/google-engineer-stalked-teens...

and microsoft accessed a hotmail account to investigate a leak https://arstechnica.com/tech-policy/2014/03/microsoft-will-n....

One perspective is that every company gets to screw this up once and then has to get serious about privacy.

But it's possible this is happening all the time, victims don't know their saas vendor was complicit in releasing their information. If the companies ever catch the perps, they're quietly fired in exchange for a non-disclosure agreement that serves the interests of all parties (except the consumer).

> Reporters successfully obtained a trove of material on one colleague — including flight history, hotel checkouts and property holdings — in exchange for a payment of 700 yuan (US$100).

So it's not just email addresses / metadata from iCloud. This implies that 1) at least some iCloud data is stored unencrypted at rest, and 2) employees can query this data using internal tools.

This seems pretty bad.

This does not necessarily imply that the data is unencrypted at rest. The query tool or the query backend could handle decryption seamlessly. S3 offers similar encryption at rest that is invisible to authorized requesters. If the story was that someone raided an Apple data center, stole hard drives, and leaked customer data, then we would have reason to assume that.
I assumed "encrypted at rest" to mean encrypted with the user's passcode, meaning it could only be decrypted from a properly authorized user session, not some internal apple tool.
From my understanding, that is how Apple encrypts on device. They don't use this with iCloud data at rest and instead maintain encryption keys themselves [1] so in the event of, for example, a user losing their credentials, they would still be able to assist.

[1]: https://support.apple.com/en-us/HT202303

> Privacy advocates and privacy caring IT specialists have repeatedly asked Apple to offer such an option, but so far Apple has decided that regular people would turn such an option on, forget their password, then ask Apple for help and would be unhappy with their brand experience if Apple could not help them out.

From Darthy's comment 30 minutes ago https://news.ycombinator.com/item?id=14513803

Always wondered that about encryption at rest as a feature in cloud services. The key is stored in the same system somewhere (or your app wouldn't function). A rogue employee can find the key if they want. So what is the practical benefit?
AFAIK, encryption at rest protects against a very specific threat. That is, someone goes into the data center, turns off your server, and steals the hard drive.
The preceding sentence seems to indicate that is referring to black market information from government databases, which is its own problem, but isn't related to iCloud.
I have read a Chinese version of this news report in which none of the above is mentioned. I think this sentence refers to another privacy incident.
Suddenly potential workings behind celebrity nude photo exposure scandals, the most recent one just a month/weeks back, becomes more clear. Of course, brute forcing, weak passwords, or phishing, may still have happened, but this sure sounds convenient and perhaps not even expensive for hackers sharing the cost. It also sounds troubling with government staff exposure and all.
In fairness I don't think this was necessary for the celebrity leaks. With a celebrity, with much of their lives being public knowledge I can imagine it was probably easy enough to guess their security questions.
So what, The board of Apple only care about their money.
Where is it being sold? I wanna check if I or family members have been made.
So what, the board of Apple only care about their money
Where is it being sold? I wanna check if I or family members have been made.
Apple does not allow your iOS iCloud data to be encrypted in a manner where Apple cannot access it. As is alluded to in this article.

Privacy advocates and privacy caring IT specialists have repeatedly asked Apple to offer such an option, but so far Apple has decided that regular people would turn such an option on, forget their password, then ask Apple for help and would be unhappy with their brand experience if Apple could not help them out.

If Apple would implement such an option where Apple could not access your data, shenanigans like the ones outlined in the article could not happen. It would also allow people who feel the state will misuse their info use iCloud for the first time.

There could be something good that comes out of this. These bad news could pressure Apple into finally offering an optional iCloud service where only you can see your data.

Answers to likely responses: "just use a different cloud service": on iOS, for cloud backups, there are no alternatives: it's iCloud or nothing.

Just use different OS then
Like?

On mobile, the only realistic alternative is Android, which is a privacy and security nightmare.

On general purpose computers, Linux is better from the perspective of privacy. But for large parts of the general population, Windows is the only realistic alternative. And we know how important privacy is to Microsoft these days :(.

> Android, which is a privacy and security nightmare

Only if your only source of information about Android is WWDC keynotes.

But did Phil Schiller tell you about the Korean "malware" that was very quietly purged from App Store last week?

How many of the Android devices are using the latest version and what's the option for the rest of them, excluding rooting? There are many advantages of Android, but this is not one of them.
> How many of the Android devices are using the latest version

This comes up every time security discussed. But it is not as black as white as you think:

1. Security patches are separate from OS upgrades [1]. Many vendors incorporate security patches without upgrading the OS.

2. Many core Android components are upgraded via the store.

3. Google scans and remove bad apps from your device no matter Android version [3]

--

[1] https://source.android.com/security/bulletin/2017-06-01

[2] https://www.howtogeek.com/179638/not-getting-android-os-upda...

[3] https://support.google.com/accounts/answer/2812853?hl=en

How may android botnets are there, and how many devices infected?

Huw many iOS?

I suspect most privacy problems come down to the apps on the users device for both platforms, but in terms of security Android is worse overall because of the abysmal rate of updates, and lack of widespread backing store encryption. That leaves a lot of Android devices open to shady apps and data loss after theft.

Both platforms can always do better of course, and should learn from each other. But to pretend device security hasn't been a genuine focus for Apple is blinkered.

> lack of widespread backing store encryption

I am not sure what you mean.

Only if your only source of information about Android is WWDC keynotes.

Don't be silly. Google's own dashboard shows that the vast majority of devices are running old versions of Android with known security vulnerabilities:

https://developer.android.com/about/dashboards/index.html

Besides that, most likely >99% of the users are using a device with Google Play Services and other Google applications. It is no secret that Google mines pretty much all data available for advertising purposes (as outlined in their privacy policy).

Moreover, most Android devices use no or weak device encryption. The Google App Store has a rich history of applications slurping all kinds of data (though things will probably get better with fine-grained permissions).

And then we haven't even talked about Asian and American vendors that 'accidentally' install third party spyware:

https://www.cyberscoop.com/android-malware-china-huawei-zte-...

So no issues then otherwise there would huge cry from android users like those from Windows users
Like?

You use your iPhone but disable iCloud.

If photos are important to you, use a dedicated camera and upload to your home NAS.

I recently discovered CopperheadOS [0], and I've been playing around with it on my old Nexus 5X. It's very barebones, but you can pick up good open alternatives to most closed software on F-droid. I'm still not ready to drop Google services completely, but it looks promising.

If you're willing to pay the premium, they sell the Pixel and Pixel XL with CopperheadOS loaded.

[0] https://copperhead.co/android/

Yes, I was hinting towards Linux. If you worry about security then the answer is pretty clear - don't store anything valuable on mobile devices.
Answers to likely responses: "just use a different cloud service": on iOS, for cloud backups, there are no alternatives: it's iCloud or nothing.

Moreover, in the case of Apple this could actually be productive. They have been pushing the privacy angle. Let's not forget that this is the company that pushed out end-to-end encrypted chats to tens (hundreds?) of millions of users before Whatsapp did it.

If Apple offered this option, this would be a boon to tens of millions of people, which is far more productive than a few experts moving to relatively obscure alternatives.

Apple could utilize their newer devices' capabilities of finger print recognition. If you don't have a device capable of this, you don't get encryption. Sound very Apple™.
Genuinely trying to get an understanding of the pros and cons here, but is there any guarantee that this, or any other, data theft ring used iCloud? I mean, let's say I have an iCloud and it is encrypted in a completely secure fashion such that even Apple cannot access it. Well couldn't this ring have just collected my phone number, Apple ID etc etc from some other Apple database?

Maybe I'm misunderstanding the threat here, but it seems to me that this is not going to be fixed by simply encrypting iCloud. Sure, that would be part of a comprehensive response, but the main problem seems to be that these people had access to internal Apple databases. To my mind, "internal" means everything from retail POS data to iTunes. I guess I'm trying to understand why encrypting iCloud would prevent a ring of internal Apple employees from gathering a person's information and selling it?

And, to be frank, it's concerning because it's not just Apple. What stops a group of internal employees of any company from gathering a person's information and selling it?

What are needed are strong guarantees about data security internal to these companies. My background is in health care technology, so the analogy I would make is HIPAA. But we need HIPAA for everything instead of just for healthcare information. Right now if employees of enterprises outside healthcare access a person's information and they don't sell it, they're just checking on a friend, there is no liability for that. Under HIPAA you're fired at a minimum. That's what we need.

Given the way iCloud security works I'm not sure iCloud was breached at all [1]. Other reports seem to indicate that it was employees at Apple stores and third party resellers who had access to names, phone numbers and Apple IDs [2]. Presumably they would try to phish them later on.

[1] https://youtu.be/BLGFriOKz6U?t=32m35s

[2] http://www.foxbusiness.com/features/2017/06/07/chinas-new-cy...

It's almost as if people commenting here haven't even watched Ivan Krstić's Black Hat video...
"Answers to likely responses: "just use a different cloud service": on iOS, for cloud backups, there are no alternatives: it's iCloud or nothing."

That makes me unhappy with the brand experience.

There are other backup backup solutions. You can backup your camera roll to a Synology device in the background: https://www.synology.com/en-us/knowledgebase/Mobile/help/DSp...
Unfortunately, this still requires location services. I really wish Apple would allow true background photo sync.

From your link:

To upload photos in the background: iOS apps cannot perform background tasks for more than 3 to 10 minutes. Using geofences to add locations will trigger and resume upload tasks in the background for another 3 to 10 minutes whenever you leave or reenter the defined areas. Tap > Geofence > Create to add geofences.

>> Privacy advocates and privacy caring IT specialists have repeatedly asked Apple to offer such an option, but so far Apple has decided that regular people would turn such an option on, forget their password, then ask Apple for help and would be unhappy with their brand experience if Apple could not help them out.

Were I an iCloud user, I would pay big $$$ for such a feature. But... they do have a point, and anyone who's helped their friends and relatives with IT issues can confirm that.

>they do have a point, and anyone who's helped their friends and relatives with IT issues can confirm that.

I think it's a pretty common state of affairs when dealing with complaints about Apple's choices. It's not that they're (necessarily) malicious, or that they don't care about security etc. It's prioritising the user experience of an average user over the concerns of a relative minority.

I, personally, hope they never stop thinking about their products in that light.

You are correct, but the problem is that they tout themselves as the goto company for privacy and security. If you are focused on usability over security, maybe don't advertise yourself otherwise.
There are alternatives, but with more friction and fewer features. My iPhone backups are made to an encrypted disk locally and backed up offsite with Backblaze, also encrypted.

Have never used iCloud for the reasons you mention, and haven't missed it.

Correct me if I'm wrong but isn't this the same thing as turning iCloud backups off and doing local encrypted backups instead?

It seems like a reasonable choice to me, if you don't want to store in iCloud you can keep it locally with a different encryption model.

The problem is the deep integration between iCloud and Apple devices.

Lots of stuff can't be just backed up to a different cloud provider/do locally.

Yes but only iCloud backups can happen automatically and wirelessly every night. For local backups you need to attach the phone to your laptop using your usb cable and click "back up" in iTunes manually every time.
This is not true. Wi-Fi Sync (that includes iTunes backup) is available since iOS 5[1]. It works automatically if phone is plugged in and computer used for back is online.

[1] http://osxdaily.com/2011/10/13/wi-fi-sync-for-iphone-ipad-io...

I stand corrected, I did not realize this supported automatic backups. It still requires your laptop to be on the same LAN though. It'd be nice if one could host a simple https server somewhere and configure the iOS unit to sync over the internet.
Roughly half the population has an IQ below 100. Let that sink in for a moment. Do you really think they are able to manage their digital keys such that they never ever lose them in a lifetime? Look, I am all for encrypted storage, it's the only thing I'd use (but I store everything on my own HDDs that are in my physical possession), but I see Apple's point here.
Nothing in the article suggests that iCloud data was compromised. It said

> users’ names, phone numbers, Apple IDs, and other data

Names, phone numbers, and Apple IDs just require access to directory services, doesn't need to touch iCloud at all. It doesn't say what "other data" is, but presumably that's not iCloud either, because it if was iCloud data that would be a much bigger headline and wouldn't have been omitted from the article.

I see a lot of people defending Apple but I wonder how would they react if this was Microsoft.
I wonder how they would react if it was Goldman Sachs...
This being the Chinese government it could also mean they try to discredit a strong foreign platform that is really hard to control in terms of privacy and security. No doubt Apple is giving all governments headaches not only the US.

If people believe they still can be hacked or tracked while using Apple equipment less people might be tempted to use it.

Not telling the sale of data didn't ever happen. I think if it's true that Apple should one up their security even more.

So now after forcing Microsoft to have a Chinese version of Windows 10 without spyware, Blizzard forced to show the Overwatch loot boxes odds and this, we are living in a World where China, "Great Firewall" China is now the biggest advocate of users privacy.

What is happening?

Small spiders meet a bigger spider.
oh, they can just quit the Chinese market by following what google did almost 10 years ago. look at google's share price & revenues, surely you don't need the Chinese market to be successful.

fb is another good example.

Apple is huge in China. I agree that Apple doesn't need China to be successful, but that's a lot of money left on the table: for what purpose? For principles? For the subset of your customers who are concerned about privacy?
The Microsoft case doesn't need to be surprising, because Microsoft is a part of PRISM and maybe other such programs. To China that means Microsoft products might as well be sending data directly to NSA datacenters. They probably don't like the NSA having that kind of view into their country.
Hitler was also a fan of nature and animals...

So you know, even though China is a dictatorship it sometimes still does good things, like catch common criminals.

Don't all large companies have auto auditing of access to customer data?
lol

Sorry, but having worked for 3 large companies (not apple, or Google, or any in the same field), the auditing is purely just for show. They claim it publicly, but very little is actually done to ensure the safety of that data. When I started as an entry-level tech at 2 of them, I was given direct access after just a couple of days.

I'm sure there are plenty that do treat their customer data securely, but in my limited experience, that's not many of them.

This is common for large law firms. My employer has software that enforces ethical requirements and monitors users to detect suspicious activity.
Time for Apple to pay up Chinese government again. Their Chinese competitors sell customer data as a business model and authorities are totally cool with that.
Apple's focus on privacy has always been a splinter in the eye of Chinese authorities.

I strongly believe that this is an excuse Chinese authorities had been looking for that will use to pressure Apple in China at the same time create the illusion to the general public to not trust Apple.

I find it especially suspecious that the Chinese media put so much emphasis the privacy concern of this event and in modern Chinese culture, privacy is much less regarded as compared to western countries.

Anyone remember the propaganda while Google was being driven out of China? Straight up false info about Google were broadcasted on CCTV-1, the prime time national channel. A lot of my friends in China became very patriotic and viewed Google as some sort of evil corporation trying to undermine Chinese culture.

> Apple's focus on privacy has always been a splinter in the eye of Chinese authorities.

So was UK authorities, US authorities, and lots of other authorities, there is no need to single out China in this case.

> I strongly believe that this is an excuse Chinese authorities had been looking for that will use to pressure Apple in China at the same time create the illusion to the general public to not trust Apple.

Yes, it could be the excuse for Chinese authorities, but this case could have happened anywhere else in the world given the way Apple stores information, and similar incidents have happened before for other companies like mentioned in other comments. So I don't see a strong evidence that this particular incident is related to some ulterior motive of Chinese government.

> I find it especially suspecious that the Chinese media put so much emphasis the privacy concern of this event and in modern Chinese culture, privacy is much less regarded as compared to western countries.

The entire incident is about privacy issues, what else do you expect the media to talk about? New iPhone colors?

> Anyone remember the propaganda while Google was being driven out of China? Straight up false info about Google were broadcasted on CCTV-1, the prime time national channel. A lot of my friends in China became very patriotic and viewed Google as some sort of evil corporation trying to undermine Chinese culture.

As far as I remember, Google did not want to comply with Chinese regulations on censorship, so it was not allowed to operate in China, simple as that. I don't think people had that bad of an impression about Google, more like they felt bad losing a good search engine or simple just don't really care.

I suppose time will tell :)
i have seen hn commenters praise apple for "taking a stand on privacy". but how can anyone believe that when they collect so much personal data about the people who purchase their hardware? the old apple did not do this.

1. collecting data on users for months and years after purchase, 2. storing it electronically on remote computers, 3. some connected to the internet. yes, this surely points to a company is concerned about user privacy.

if something goes wrong can you sue apple?

we should expect every hardware vendor from laptop mfrs to the rpi foundation to be silently collecting data from their customers long after the merchandise is purchased. they need to do this, because...

wtf?

1. collecting data on consumers and 2. storing it online.

#1 is incompatible with a pro-consumer stance on user privacy.

#2 is a guarantee that others besides the company are going to get that data, whether the consumer is told about the breach or not.

This is why I use Android without GApps.

You have to trust the company, the employees, its security, the goverment.. Better to think of everything you upload as already posted in pastebin. It's relatively accurate.

I find it odd that a company that touts user privacy (an immediate pivot when their iAds venture failed spectacularly) and security would have their user data so easily stolen. There is absolutely no way these corrupt Apple employees should have even had access to this type of sensitive information.