Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of the iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.
The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it -- most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)
It could have been worse
Apple acknowledged the incident, saying that the security of iCloud itself wasn't compromised and that affected users should reset their iCloud password and security questions, which seems to confirm the presumed vector of the attack.
It's also worth noting that the attack was easy to prevent or recover from as users with a passcode or Touch ID enabled on their devices could simply ignore the message and unlock their devices (and ideally reset the iCloud password). Users without a passcode should be able regain use of their devices by forcing them into recovery mode and restoring them via iTunes and a device backup.
What's important to consider is that the potential impact could have been much more damaging. A user's Apple ID, which functions as their iCloud login, delivers access to dozens of Apple services, ranging from Find My iPhone to setting appointments in Apple's stores; purchasing and accessing iTunes content; syncing sensitive account and credit/debit card numbers across devices using iCloud Keychain; and managing enterprise app installation on a user's device if it is used in the workplace.
Time for IT to talk security
That makes the incident a great opportunity for IT shops to talk about mobile and cloud risks to employees.
Over the past few years, IT departments have had to grapple with the trend of users taking their workplace technology needs into their own hands. Today's cloud- and mobile-enabled world means that workers frustrated by security restrictions, enterprise apps and collaboration systems that are slow or difficult to use -- and IT staffers that are slow to respond to their needs or don't respond at all -- can build their own set of tools and technologies without IT's permission or awareness.