Apple 'hacker' spared jail over iCloud blackmail

Image: Apple iCloud logo (BBC/Apple). Caption: iCloud helps Apple customers back up their devices

A 22-year-old man has admitted trying to blackmail Apple by claiming he had access to millions of iCloud accounts.

Kerem Albayrak from north London threatened to wipe 319 million accounts unless Apple gave him iTunes gift cards worth $100,000 (£76,000).

But an investigation found that Albayrak had not compromised Apple's systems.

He has been given a two-year suspended jail sentence and ordered to do 300 hours of unpaid work.

In March 2017, Albayrak emailed Apple's security team, claiming to have breached millions of iCloud accounts.

He posted a video on YouTube that appeared to show him breaking into two accounts.

He threatened to sell the account information, dump his database online and reset the accounts, unless Apple paid his iTunes gift card demand.

Albayrak also said he would accept $75,000 worth of crypto-currency, but later increased this to $100,000.

He was arrested at his home in north London about two weeks after sending his threat.

Stuffing

Apple investigated his claims but could not find evidence that its systems had been compromised.

The UK's National Crime Agency found that Albayrak had gathered email addresses and passwords from other services, which had previously been exposed in data breaches.

He then tried his luck, seeing if anybody had used the same username and password for their iCloud account.

This type of attack, known as credential stuffing, can be automated to speed up the process.
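
As an added illustration (not part of the original article), the sketch below shows how a defender might spot this pattern in login logs: one source trying many different accounts in a short time, with very few successes. The log format, thresholds, usernames and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login log: '<ISO time> <source IP> <username> <OK|FAIL>'."""
    t0 = datetime(2017, 3, 1, 10, 0, 0)
    lines = []
    # One source tries 12 different accounts once each; one reused password works.
    for i in range(12):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 user{i}@example.com {'OK' if i == 5 else 'FAIL'}")
    # A legitimate user mistypes a password three times, then gets in.
    for i, outcome in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 carol@example.com {outcome}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5), min_accounts=10, max_hit_ratio=0.2):
    """Flag sources that try many distinct accounts in one window with few successes."""
    by_source = defaultdict(list)
    for line in lines:
        ts, ip, user, outcome = line.split()
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    alerts = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            tried = {user for _, user, _ in in_window}
            hit = {user for _, user, ok in in_window if ok}
            # Repeated guesses against ONE account (brute force, typos) never
            # reach min_accounts; stuffing spreads across many accounts.
            if len(tried) >= min_accounts and len(hit) / len(tried) <= max_hit_ratio:
                alerts[ip] = {"source": ip, "accounts_tried": len(tried),
                              "accounts_hit": sorted(hit)}  # these need a forced reset
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_stuffing(build_sample()):
        print(alert)
```

The accounts listed under `accounts_hit` are the ones where a reused password worked, so they are the ones to lock and reset first.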

Albayrak told investigators: "When you have power on the internet it's like fame and everyone respects you."

In addition to the 300 hours of unpaid work, he has been given a six-month electronic curfew.

"Albayrak wrongly believed he could escape justice after hacking in to two accounts and attempting to blackmail a large multi-national corporation," said Anna Smith, a senior investigative officer for the NCA.