Apple urges all iPhone, iPad and Mac owners to change their passwords, even as it assures customers that no financial information was compromised in the latest and most curious of Apple security breaches.
A number of Apple device owners across Australia and parts of New Zealand have taken to the Apple Support Communities forum to report that their devices woke them in the middle of the night with the message "Device hacked by Oleg Pliss" and a demand that $100 be sent to a Hotmail-linked PayPal account to unlock the device.
"Apple takes security very seriously and iCloud was not compromised during this incident," said Apple in a statement. "Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."
If you have been affected by the hack and you have a passcode, simply enter the four-digit passcode and you'll be able to regain control of your device. If you don't have a passcode, you can restore your device to a previous restore point. You'll lose all data stored between now and the restore point, but at least you won't have to give in to what Oleg Pliss demands.
After gaining back control of your device, make sure you change your iCloud password. Those who were not affected should also change their passwords to be on the safe side.
The attackers, it seems, were able to get hold of users' iCloud usernames and passwords, possibly through some previous security breach or an email phishing scam, and then accessed Find My iPhone to lock users' devices. Find My iPhone is a feature that lets users find, lock and erase data from their Apple devices in case they lose them.
What puzzles most people, however, is the fact that most reports of the Oleg Pliss hack originate from Australia. A few come from New Zealand, others from users who are traveling outside Australia but live there permanently, and others from those who live outside Australia but have lived in the country for a while.
PayPal Australia also assured those affected by the attack that their PayPal accounts are safe. A spokesperson for the company said the Hotmail email address listed in the Oleg Pliss attack is not actually associated with a PayPal account, which makes the incident even more confusing. Even if the email was actually linked to a PayPal account, PayPal said there are certain protections in place.
"If money was sent, our customers would be covered thanks to PayPal's Buyer Protection," said the spokesperson.
PayPal customers in Australia are also protected by the ePayments Code of 2011, which is regulated by the Australian Securities and Investments Commission and offers "guidelines" for online payments.