Hackers can use this feature to remotely lock your phone and hold it for ransom

Using two-factor authentication doesn’t help with this one.

Apple’s “Find My iPhone” feature is handy if you’ve ever forgotten your phone at dinner, at the office, or at a bar—or even if you just thought you had. Unfortunately, hackers are also finding Find My iPhone and its desktop counterpart Find My Mac useful. If they learn your Apple ID and password, they can use it to remotely lock your device and hold it for ransom.

Normally, Find My (Device) is used when your iOS or Mac product is lost or stolen. By signing in with your Apple ID and accessing its online portal, you can check where it is. If it is lost, you can post a message on the lock screen so the finder can locate you. You can also remotely lock or wipe your device, in the case that it has been stolen.

In this instance, however, hackers who’ve learned victims’ account information will remotely lock the device themselves. This is accompanied by a message asking for ransom before they will unlock it. Usually, the ransom is in Bitcoin, as it’s more difficult to trace. Several people have recently tweeted about the issue.

Normally, a measure such as two-factor authentication would protect against things like this. However, that doesn’t apply with Find My iPhone. The trusted device you may have wanted two-factor authentication messages sent to could be the one that’s missing. (However, couldn’t an email-based verification work instead here?)

With hacks and data breaches occurring on a regular basis, it’s likely that your email address, favorite username, and their associated passwords aren’t secret anymore. If you haven’t taken the time to ensure that you have a unique password for each and every service you use, a hacker can use the information gleaned from one leak to access another account. This seems to be what’s happening for these unfortunate Find My iPhone users.

Luckily, in testing this out, Lifehacker discovered that if your iPhone is passcode-protected, a hacker will not be able to lock you out. This was not the case for a password-protected Mac, however.

So if a hacker gets hold of your password, there’s not much you can do. Your best bet for prevention is to use unique, difficult-to-crack passwords (and perhaps a password manager). You’ll also want to set a passcode on your iPhone, if you haven’t already. And if you’re not too concerned about your Apple device being stolen, you may also want to switch off Find My iPhone altogether.

H/T Lifehacker

Christina Bonnington

Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.