Report: 220,000 iCloud accounts breached due to jailbreak tweak backdoor

By , Aug 25, 2015

[Image: iCloud Breach]

It’s a number that’s bound to raise some eyebrows: 220,000 iCloud accounts breached in what is being called a backdoor attack made possible by a malicious jailbreak tweak.

This leak, which was brought to our attention by /r/jailbreak, was reported by a Chinese online vulnerability reporting platform called WooYun. It’s an information security platform where security researchers report vulnerabilities and vendors give feedback. WooYun is a legitimate site, and it has reported thousands of security-related issues in this month alone.

In a post on its website, WooYun details the nature of this particular attack, stating that 220,000 accounts have been compromised as a result of a malicious jailbreak tweak or plug-in. It also states that WooYun has notified the vendors—presumably Apple—and is awaiting processing.

It’s sure to make any jailbroken iPhone user take note, but before you get too alarmed, understand that this hack has nothing to do with Apple’s security, and that there appear to be special circumstances in the case of this breach.

[Image: WooYun 220000 iCloud Accounts leaked]

As we’ve seen in the not so distant past, a breach of iCloud credentials can have serious consequences: if two-factor authentication is not enabled for an account, then a person in possession of leaked credentials can access personal data, including emails and photos, with relative ease.

This indeed sounds horrible, as nearly a quarter of a million accounts were said to be compromised, and we know that not all of those accounts took the sound advice of enabling 2FA.

Who’s affected?

When you start to break down the facts, it appears that this breach has had an extremely limited reach, if any, on those who jailbreak their own devices. That rules out most of those who reside outside of China and surrounding areas.

The report states that these accounts were compromised as a result of a malicious jailbreak release. Doing some mental math, it seems highly unlikely that any jailbreak tweak would reach the number of users required to affect a quarter of a million people, let alone a malicious tweak posted on some shady third-party repo. So the likelihood that this attack is the result of any of the tweaks we use in the community is very slim.

With such a large number of compromised devices, it would seem that such an attack is the result of a more organized and methodical method of entry—a preinstalled backdoor, if you will.

A fellow redditor, ZippyDan, suggested this conjecture:

In Asian countries, it is very common for people to buy phones, new or used, from technology markets. At those markets are lots of competing stalls selling phones, and jailbreaking your phone and selling it to you preinstalled with lots of jailbroken / pirated apps is part of their service.

That is part of why jailbreaking / Pangu is so popular in Asia / China. There are entire markets of Chinese-only programs and apps that we are not really exposed to here on this English- / Western-dominated subreddit.

We aren’t really used to that kind of service in the west. Mostly you just buy your phone and get it brand new and virgin from the box and you’re on your own. Part of this is because technical know-how is much more costly in the US / West, and part is because cell-phone shops are much more scattered and there is much less competition to provide these kinds of services. In an Asian technology market, you might have 30 – 100 different shops all competing for your business in an area the size of a Walmart.

Anyway, my point is that if one of these “shady” apps is something that was somewhat common for these 3rd-party sellers to install, then this stat wouldn’t be that surprising. It doesn’t take 220,000 people with personal tech know-how to jailbreak and download a tweak: it just takes 220,000 people buying from a few hundred / thousand technology boutique shops that preload the software.

To me, this makes a lot more sense than having some jailbreak tweak hosted on some shady third party repo that just happened to get popular enough to convince a quarter of a million savvy jailbreakers to put themselves at risk.

[Image: Chinese iCloud hacked accounts]

A screenshot showing some of the leaked credentials, which contain Chinese names.

Yes, there are shady tweaks that slip through the cracks, to be sure. Yes, there are malicious third-party repos that host cracked software and likely host malicious files as well. Yes, jailbreakers do inherently open themselves up to more risk than those who don’t jailbreak.

That’s all true, but it’s also highly unlikely that any of that was the case in this attack, if the breach is indeed the result of a malicious backdoor, as noted by WooYun.

Protect thyself

That’s not to say that jailbreakers in general can’t take something away from this. We all can strive to do better when it comes to security. Here are some of the things that we should all be doing to help protect ourselves and others:

  • Enable two-factor authentication (2FA) on your Apple ID
  • Don’t add shady third-party repos to Cydia
  • Don’t pirate tweaks or apps
  • Don’t install tweaks outside of Cydia

These may sound like basic things, but by following the above protocol, a jailbreaker can mitigate much of the risk associated with jailbreaking.
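One way to act on the “don’t add shady third-party repos” advice is to audit the APT source list Cydia keeps on the device against the handful of repositories it ships with. The script below is an added example, not code from the article or from Cydia; the allowlist of default repo hosts, the sample source list and the file path mentioned in the comments are assumptions for illustration.

```python
# Added example: flag entries in a Cydia/APT source list whose host is not one of
# the well-known default repositories. On a jailbroken device the list lives in
# /etc/apt/sources.list.d/ (assumed path); here a constructed sample is used.
from urllib.parse import urlparse

# Hosts of the repositories Cydia shipped with by default circa 2015 (assumed).
KNOWN_REPO_HOSTS = {
    "apt.saurik.com",
    "apt.thebigboss.org",
    "apt.modmyi.com",
    "cydia.zodttd.com",
}

def parse_sources(text):
    """Parse apt-style 'deb <url> <suite> [components...]' lines.

    Returns a list of (url, suite, components) tuples. Comments and blank
    lines are skipped; malformed lines are ignored rather than crashing.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
            continue
        entries.append((parts[1], parts[2], tuple(parts[3:])))
    return entries

def unknown_repos(text, allowlist=KNOWN_REPO_HOSTS):
    """Return the repo URLs in `text` whose host is not in the allowlist.

    Hosts are compared case-insensitively. A URL with no parseable host
    (for example a bare path) is always reported so it cannot slip through.
    """
    flagged = []
    for url, _suite, _components in parse_sources(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowlist:
            flagged.append(url)
    return flagged

# Constructed sample source list: two default repos plus two user-added ones.
SAMPLE_SOURCES = """\
deb http://apt.saurik.com/ ios/ main
deb http://apt.thebigboss.org/repofiles/cydia/ stable main
# added by the user
deb http://unlisted-repo.example.net/ ./
deb http://another-repo.example.org/repo/ ./ main
"""

if __name__ == "__main__":
    for url in unknown_repos(SAMPLE_SOURCES):
        print("not a default repo:", url)
```

Anything the script reports is not necessarily malicious, only unfamiliar; the point is that every entry outside the defaults was added deliberately and should be one you recognise.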

What do you think about this report? Does it move your needle in any particular direction as far as your opinion of jailbreaking goes? Sound off down below with your thoughts on the matter.

Update: I have it on good authority that this has affected certain Chinese users only, and is the result of a jailbreak tweak downloaded by the user, not preinstalled as conjectured above. More details to come soon.



  • Marcus

    So these shady vendors in China were basically trying to get people’s credit card info through their iCloud accounts? And the people buying these shady Apple devices were oblivious to this? That sucks a lot. 🙁

    • Zzyzxd

      Most likely they will use those accounts to post fake reviews in App Store. Account info will be sold to spammers.

      • Marcus

        Or they will go to a store and buy stuff with the user’s credit card info. What you said is probably more useful and easier though.

    • Junior Nunez

      At least Apple has better security than Android, since anyone could steal your information faster just by knowing your email’s password!! Apple is still best! XD

  • Tommy Gumbs

    There are no facts yet! And the quote is also conjecture… as the writer states. Until more info is released, who really knows. All one can know for sure is that J/B’ing can have its associated risks. It’s just a part of the game. However, the community seems to do everything it can to keep it safe and the track record has been very legit over the years. Still, I now keep away from J/B’ing.

    • Marcus

      As long as you follow the four rules Jeff mentioned at the end of this article, you won’t ever have a security issue. I’ve been jailbreaking since iOS 3 and I’ve never lost access to my Apple ID because it was hacked. I’ll admit, I pirated tweaks up until iOS 5. Once I got more involved with the community though I started paying for them because they aren’t expensive at all. And your device is more secure. You should continue jailbreaking.

      • Tommy Gumbs

        You said “as long as you follow the rules you won’t…” That’s like saying if you obey the rules of the road you won’t have an accident. Lol

        And naw, I’m fine with the stock iOS.

      • Marcus

        Not necessarily. When you’re driving you have to watch out for drivers who aren’t following the rules. It’s not really a problem when you follow the rules with jailbreaking. And I would probably be fine with stock iOS too. I’ve just been jailbreaking for so long and it’s fun to have a jailbroken phone.

      • Tommy Gumbs

        The people not following “the rules” are the people using Jailbreaking to steal, pirate, hack, etc.

      • Marcus


    • Tim Liu

      i_82 is one of my WeiPhone tech group friends. He tried 10 iCloud accounts and 7 of them worked.

      • By tried, do you mean he was able to login to 7 out of 10 accounts from the breach? If so, wow…

      • Tim Liu

        Yes, those 10 were from the first few in the iCloud ID list, which means they are the oldest iCloud account details. If he tries the newer recorded details from the list… can’t imagine how many he will succeed with.

      • If you’re on Twitter, hit me up @JeffBenjam

  • Matthew

    Jeff Amazing Evil Hand Over the laptop lol. 😀

  • TheShade247

    So today when I opened my MacBook’s lid the first message I got was to enter my iCloud and FaceTime password. I entered it and it kept asking me to re-enter. Not sure if my account got affected by this. Anyone else experienced the same on their Apple device?
    BTW my iPhone is jailbroken and no, I don’t have any pirated tweak/repo.

    • NeftyCorrea

      Nope, you’re good. That’s happened to me before; for some reason my iMessage on the computer locks me out, and FaceTime too, for no reason. Usually when I sign out of it because it gets annoying, lol. Once I try logging back in it won’t let me. If you call Apple they could fix it for you.

    • Tim Liu

      This only affects jailbroken iOS devices since it occurred through a jailbreak tweak.

      • Tim, can you provide me with some additional information on this leak? You use Twitter?

  • I have never installed a third party repo unless you guys provide it. Also don’t pirate tweaks. You’ll be more vulnerable that way.

  • I’m not jailbreaking anymore at all! I’m pretty sure my device was hacked or had a virus. My iPhone 6 Plus was pretty slow and the animations not as fluid as usual, and I wasn’t able to create an iTunes backup. When I restored my device and got the backup from my iCloud it was asking me to enter the password of 3 Apple IDs I’ve never seen before! Pretty weird. Now using 8.4.1 and not looking to jailbreak again ever.

    • mahe

      it asks you for another Apple ID if the app you have installed is pirated …

      • I never used jailbreak for piracy. I had only Tweaks installed from official repos and most of them paid ones, like Springtomize 3, Slide2Kill, VirtualHome and Flipswitch.

        If I’ve ever installed a pirated app on my phone I would not come here to say that.

        The fact is that something weird has happened. What about the iTunes backups always failing, saying “the phone was disconnected”? I was unable to back up my phone! With the non-jailbroken iPad I could back up normally using the same USB port and cable.

        So I’m pretty sure that something infected my phone and, as we know, the jailbreak takes off all iOS security locks and makes the system vulnerable. I’m not saying one of these Tweaks infected my phone. Just listing the ones I used and what happened. I don’t know exactly, but it was pretty weird to be asked for 3 Apple IDs I’ve never seen before, and I’m 100% sure I didn’t have any pirated app or tweak or a different repository on Cydia. So there’s a big room for where it came from. And as I have used jailbreak since my iPhone 4 and I never saw this before, I found it very very strange.

        All that I know is that if I hadn’t jailbroken my phone none of this would have happened.

        Jailbreak is gone for me from now on. I prefer to be safe with all Apple limitations and not have a headache.

      • mahe

        Sorry, I didn’t want to offend you or call you a pirate. (English is not my native language)
        I should have said: if you installed an IPA from another source (which can have several reasons besides pirating)

      • No problem dude. I’m just saying it was pretty weird and scary. Never happened to me before and I’ve been an iPhone user for a long long time. Always jailbroke my phone and never saw something like this before.

        So I just posted to share my story and maybe help or alert other people.

      • mahe

        I’m also on the ship since the iPhone 4.
        Luckily I never ran into problems I couldn’t fix or at least track down which tweak was causing them.

    • askep3

      Mahe is probably right, but it also happens if a friend downloads an app for you, and you back up your phone with that app on your phone. If you restore to the backup it will require that friend’s Apple ID to make sure you own the app.

      • I’m sure it wasn’t this. Read my reply above…

      • askep3

        I know he said he didn’t know the Apple IDs. I was just explaining why the IDs would show up under normal circumstances, just in case he didn’t know.

      • Mr_Coldharbour

        I agree. The Apple IDs that Rafael claimed to never have seen before could very well be a friend’s or significant other’s Apple ID he may have used to download an app, or the other person may have used their own ID on Rafael’s phone to download an app for him. Thus asking him for those specific Apple IDs to backup those purchases or if an app update occurs.

  • askep3

    Is there any way we can check if we were affected?

    • Maybe soon… but 99.9% sure you’re not. Unless you live in China and download questionable tweaks.

  • AJM

    I don’t use icloud. It’s that simple.

    • Mr_Coldharbour

      Likewise! I don’t use iCloud at all. Never signed up for it or associated with my devices or emails or anything. It’s even disabled on my devices, signed out, removed, etc. Nor do I use questionable tweaks/repos/app stores. Passwords and personal info never ever uploaded to the cloud, don’t use a cloud service for that matter. Everything is localised, backed up on site via cable to a Mac. Simple as that.

  • indiekiduk

    It was probably one of the worms that traverse iPhones with OpenSSH installed. Those things are vicious and upload everything: contacts, photos, emails, and then attempt to SSH into every device on the network. On university campuses they spread like wildfire; that’s where I came into contact with one. Until OpenSSH is fixed to either set a unique password or prevent remote access via the default password, it’ll keep happening.

  • besrate hogsa

    This is bad news for us (jailbreakers)

  • iBanks

    Lol. I sent this to tips @ iDB at 4:20pm and it’s posted at 10 something at night, but other posts make it to the site earlier in the day… Interesting

  • iPhoneWINS


  • Jerry

    I told you…