Apple has apologized for a recent spate of account hacks in China, which it says affected a ‘small number’ of user accounts.
Although details on exactly what happened have not been disclosed, Apple said that the affected accounts were not secured with two-factor authentication. This allowed criminals to phish for account credentials and then extract money using apps like Alipay, as reported last week.
Via the Wall Street Journal, Apple is strongly recommending that customers enable 2FA security on their accounts to defend against these kind of social engineering attacks.
It is not clear exactly how the account details were stolen by the internet thieves, or how much money was taken as a result.
Apple is likely apologizing on behalf of its user base here, because the most likely explanation is that the Chinese Apple users themselves told unscrupulous criminals their account details in some kind of scam.
It could be as simple as a phishing email that poses as a legitimate piece of Apple communication, and invites the recipient to login with their Apple ID username and password.
In reality, the account details are stored by the thieves and then used to ‘hack’ into the accounts. The thieves can then use apps like Alipay or WeChat to send money to themselves and drain customer’s credit.
If two-factor authentication is enabled, users must independently approve account access for new device logins. This greatly reduces the chance of phishing attacks ultimately working, as unknown login requests can simply be denied.
Apple’s operating systems encourage users to upgrade their accounts to two-factor authentication security regularly. However, there is still a significant proportion of the Apple ID user base that has not enabled the feature.