A macOS pseudo-ransomware attack from September 2017 that could also be used to irritate iOS users may continue to plague Apple users. Macworld reader Richard says one morning he found his iPhone and iPad locked in Lost Mode. He was unable to regain access, and had to use Apple’s recovery process to verify his identity. This happened two weeks later to his wife’s iPhone and iPad, and then a friend of his wife’s had the same experience.
This is almost certainly related. In the previous attack, crackers would use a database of passwords stolen and cracked from the many billions of leaked account/password combinations in the last few years. Some of those accounts were from iCloud users who used an icloud.com email address for their account name and re-used on another site the same password they used with iCloud.
As long as the password was unchanged, an attacker could lock a Mac with a PIN only they knew, even with two-factor authentication (2FA) enabled. (There’s a way to unlock your Mac without paying the ransom: we explain how here.)
With iOS devices with passcodes enabled—which I assume is the case with Richard, his wife, and her friend—Lost Mode can be triggered, but the code to unlock should be the same as the passcode for the device. From Richard’s description, it appears that wasn’t the case, or it’s possible that the behavior by a cracker triggered extra account protection on Apple’s part, requiring a phone call and identity verification.
In any case, if you haven’t changed your iCloud password in a while, do so. And turn on two-factor authentication while you’re at it.