Please be patient—it takes a while to get to my point, but this is important.

There are over 100 million iCloud accounts.

Recently, several iCloud email accounts ( and have been used to send spam.

In the past I was usually quick to point the finger at those users, but this time I think iCloud itself may have suffered a security breach.

Some background:

There are several ways an attacker can send email from your address.

1) The easiest way is to simply forge your email address. They just change the "from" header so that it shows your address, and then send out the spam from their own computer. There's actually nothing to stop mail forgers because they haven't actually broken into your computer. And forging the "from" address on an email is as easy as forging the "from" address on a paper envelope. Think about this: You could send a death threat to the president, and in the upper-left corner of the envelope you could write down the name and address of someone you hate. Pretty soon that person is getting a very unfriendly visit from the Secret Service.

Forged email leaves no trace on the account owner's computer, because the account owner's computer wasn't ever used as part of the attack. It also won't leave evidence on the iCloud server, because such mail can be sent from any mail server. (In the same way that you don't have to send a letter from your house — you can just drop it in any public mailbox.)

2) Another method involves the use of a trojan or some other malware attack to install remote control software on your computer. Using that software, an attacker can launch your email program, compose the spam messages, and send them on their way.

3) A third method uses a keylogger, another kind of malware that is also usually installed as part of a trojan attack. Keyloggers exist for both Mac and Windows, and can record every key you press into a log file, which is then sent to the attacker's computer. He then searches that file for usernames and passwords. With that, he can log onto iCloud from anywhere in the world and send spam from your account.

You'll note that the first example above leaves no evidence because neither your computer nor the iCloud server was used as part of the attack. The 2nd and 3rd examples both require the attacker to get malware installed on your Mac or PC, which can leave evidence behind.

You can't block forgers, but you don't have to worry about them either, since they can't actually get access to your data, and any average computer tech would be able to examine a forged email and determine that it's a forgery.
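How a technician can tell a forged "From" address from mail that really went through the provider's servers, as an added example that is not part of the original post: it reads the SPF and DKIM verdicts that your own receiving mail server records in the Authentication-Results header. The host names, the `TRUSTED` value and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "mx.receiver.example"  # assumption: authserv-id of your own mail server

# Constructed sample messages; every host and address here is a placeholder.
FORGED = """\
Authentication-Results: mx.receiver.example;
 spf=fail smtp.mailfrom=victim@provider.example; dkim=none
From: Victim <victim@provider.example>

body
"""
VIA_PROVIDER = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=victim@provider.example; dkim=pass header.d=provider.example
From: Victim <victim@provider.example>

body
"""
SPOOFED_RESULTS = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@bulk-host.example; dkim=none
Authentication-Results: fake.invalid; dkim=pass header.d=provider.example
From: Victim <victim@provider.example>

body
"""

def classify(raw, trusted=TRUSTED):
    # Returns 'authenticated', 'unauthenticated' or 'no-trusted-results'.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen = aligned = False
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted:
            continue  # a sender can add this header too; ignore foreign ones
        seen = True
        # Results look like "dkim=pass header.d=example.org" (RFC 8601).
        for _m, result, prop in re.findall(
                r"\b(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?", rest):
            domain = prop.rpartition("@")[2].lower()
            if result.lower() == "pass" and from_domain and domain == from_domain:
                aligned = True  # strict match with the visible From domain
    if not seen:
        return "no-trusted-results"
    return "authenticated" if aligned else "unauthenticated"
```

An "authenticated" result only shows that the message went through the From domain's own infrastructure; it cannot distinguish the account owner from someone using stolen credentials or a compromised server.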

You can protect against trojans and keyloggers by being very careful to never install software from an untrusted source. You can also achieve some measure of protection by running anti-virus and other security software.

The one thing from which you can't protect yourself is a successful attack on your service provider's servers. For example, last year some programmers at Dropbox made a small error that allowed any user to log in to any account without a password. As a Dropbox user, there is nothing I could have done to protect myself from mistakes like that. Fortunately, the problem was discovered and quickly fixed. And since they kept logs of who logged in when, they were able to identify all of the at-risk accounts. You can read more about that incident here:

All of the above is prologue.
There is now some evidence that iCloud servers may have been compromised. The evidence isn't all in yet, but here are a few known facts:
• Spam is being sent from some and accounts.
• These aren't forgeries, but actual emails sent from iCloud servers. We know this because the spam shows up in the "Sent Mail" folder.
• Accounts belonging to both Windows and Mac users have been targeted.
• Some of the victims are savvy users who claim that they have strong, unguessable passwords.
• Many of those victims never used their or email accounts. (They used iCloud for its other features, but not its email.)

I've been following this story for over a week now by reading the messages posted to this thread on Apple's website:

That thread spreads across 8 pages as of this writing, and it seems to have got Apple's attention. About an hour ago, a user reported getting this message from Apple:

"Thank you for your reply.

It appears that other customers are experiencing this same issue, therefore, Apple is currently working toward a resolution for the issue you have reported.

You will receive an email after the matter has been investigated and further information is available.

Thank you for your patience. Apple wants your iTunes experience to be as enjoyable as possible.


iTunes Store/Mac App Store Customer Support"
