
Apple iPhones, iPads Held for Ransom: What Happened and What You Can Do


Another week, another security breach. This one’s extra weird, though.

What happened?

People are reporting that their iPhones and iPads (some Macs, even) woke them up in the middle of the night with a message demanding between $50 and $100 in order to regain access to the devices. Most of these people are in Australia, though some reports are trickling in from elsewhere.

Apple has a feature called Find My iPhone that lets you locate, lock and erase your device if you lose it somewhere. It appears that whoever’s behind this has gotten ahold of people’s iCloud usernames and passwords, then used the Find My iPhone feature to remotely lock devices, demanding payment in order to unlock them.

The incident is being discussed at length in Apple’s support forums. Apple hasn’t officially responded yet. I’ve requested comment from its PR team and will update this post if I hear back. (Spoiler: I probably won’t hear back).

Who is affected?

What’s interesting is that this issue is mostly affecting users in Australia. It’s also affecting some users in New Zealand, some users from Australia who are currently travelling abroad, and users from outside Australia who are in or have been in Australia for a while.

At least one person in the U.S. with no ties to Australia in any way claims his or her device has been compromised as well.

How did this happen?

That’s a great question, and we’re not really sure of the answer quite yet. There are a few main theories floating around, none of which have been proven.

Some are speculating that a hacker got ahold of a bunch of usernames and passwords, either from an email phishing scam or from a previous data breach. That’s an easy explanation, but it doesn’t really address why the issue seems mostly isolated to Australia. Several users are reporting that they used wholly unique usernames and passwords for their Apple accounts, too.

Some are speculating about a man-in-the-middle attack, where an Australian Internet service provider has been compromised to the point that traffic sent between Apple devices and Apple’s iCloud servers has been intercepted. The trouble with this theory is that the issue isn’t isolated to a single service provider, and it’s apparently affecting a handful of users outside the country.

And some are speculating that Apple’s iCloud servers have been compromised. The Australia angle makes that a bit unlikely, and Apple’s got enough layers of protection – data sent back and forth is encrypted, for instance – that this seems like a longshot. Some users are reporting that they’ve used strong, long and unique passwords and have still been affected, so this theory can’t be totally thrown out.

For what it’s worth, the man-in-the-middle theory — or some derivation of it — seems the most plausible to me, but it’s still early. The handful of random outliers keep poking holes in each theory, which makes this whole case wonderfully weird and interesting.

What should you do?

For starters, if you’ve received this ransom message, don’t bother contacting your wireless provider. They’ll send you to Apple.

If you use a four-digit passcode on your device, you’ll be able to regain control of it: Simply do the old Slide-to-Unlock trick and enter your four-digit PIN.

Whether you’re in Australia or not, just to be on the safe side, you should change your Apple password if you use it elsewhere. Go to iforgot.apple.com to change it.

If you don’t use a four-digit passcode on your device and you’ve been hit with the ransom note, you can restore your device to its last backup point. You’ll lose photos, videos and other items you’ve collected since you last backed up your phone, but at least you’ll have control of your phone again. Instructions for how to restore your device using Recovery Mode are as follows, per Apple:

Follow these steps if you never synced your device with iTunes, if you don’t have Find My iPhone set up, or if you can’t get to your own computer. You’ll need to put your device in recovery mode to erase the device and its passcode. Then you’ll restore your device.

  1. Disconnect all cables from your device.
  2. Turn off your device.
  3. Press and hold the Home button. While holding the Home button, connect your device to iTunes. If your device doesn’t turn on automatically, turn it on.
  4. Continue holding the Home button until you see the Connect to iTunes screen.
  5. iTunes will alert you that it has detected a device in recovery mode. Click OK, then restore the device.

Once you’ve restored your phone, change your Apple password by following the steps a few paragraphs up if you haven’t already.

If that doesn’t work, your best bet may be to bring your iPhone into your nearest Apple store. Make sure to bring your ID and receipt, if you still have it, as you’ll need to prove the phone belongs to you in order to get help unlocking it.
