Apple: iCloud is safe, but your passwords may not be
A group of hackers that goes by the name Turkish Crime Family, claims to have access to hundreds of millions of iCloud accounts, and it wants Apple to pay $75,000 in Bitcoin or Ethereum or $100,000 in iTunes gift cards to delete the compromised credentials.
This may lead one to believe that the collective has managed to hack iCloud, but according to Apple there "have not been any breaches" in any of its systems. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."
That's something that probably shouldn't surprise anyone nowadays, as there have been a few massive breaches in the past couple of years which have exposed the personal information of more than a billion users -- if we go by Yahoo's biggest breach, which resulted in over a billion accounts compromised.
Apple, so far, has not taken any security measure in response, but, keeping in mind the above, it is entirely possible that the group indeed has access to iCloud accounts. What we do not know is how many.
One member claims over 300 million, while another claims 559 million. The fact that they cannot get their story straight is suspicious, but the threat should not be dismissed.
Motherboard, which originally reported on the hackers' claim, says they haven't provided any evidence that supports it. The group has reached out to Apple to make its demands known, and the company has responded to receive more information, but it is not willing to share a sample of the data it has to prove its claim.
Apple has until April 7 to meet the group's demands, after which it could release the data -- or sell it to an interested party -- in case that does not happen. Either way, there is something that you can do right now to protect your account.
First, you need to change your password, especially if you like to reuse passwords across your accounts and especially if you use one of the cloud services that got compromised in recent years (like Yahoo). Then you should turn on two-factor authentication. Here is a guide that explains how to do that.