Poor and/or reused passwords lead to Chinese spam flood on iMessage

@john_munn says he’s been an Android user for years, no problem.

But 10 days into using a new iPhone, and whammo!

He gets a gazillion spam texts rapid-flooding iMessage, all in Chinese, like so:

Two things: 1) he’s far from alone. And 2) it’s not Apple’s fault.

On Wednesday, Mashable reported that one of the publication’s employees saw a message in her iMessage account from a foreign number she didn’t recognize, written in Chinese characters.

After that, she got a notification that her Apple ID was being used on another device.

She clicked OK – the only option offered – and that’s when the flood began.

She changed her password and security questions and contacted Apple Support, where a representative told her that many others had been calling in with the same problem on Wednesday morning.

The rep said it looked like an attempt to steal personal information. She also said that the “hack” was “fairly new” and that Apple’s developers were working on it.

But for now, the rep said, there was no way of knowing if any of the Mashable employee’s personal information had been stolen.

Other users who reported the same problem:

Why put quotes around the word “hack”?

Because of point two: it’s not an Apple hack. There’s no sign that Apple has been breached.

As Naked Security’s Paul Ducklin hypothesizes, it’s looking like yet another case of weak passwords reused on multiple sites.

That’s supported by what @john_munn said in subsequent tweets: since the spam-a-thon, he has taken Apple’s advice.

Namely, not only did he pick a proper password – one that’s unique and difficult to guess – but he also turned on two-factor authentication (2FA).

A London-based Twitter user who posted about the hack on 17 October told Mashable that the messages stopped after he changed his password and turned on two-step verification (2SV): another term for 2FA.

The Chinese spam iMessage problem goes back at least as far as August.

To keep from getting swept up in this mess, watch out for email or other messages that ask for your iMessage or Apple ID. They could well be phishing attempts.

If you’ve already been hit, change your Apple ID password immediately. Here’s how:

  1. On your device, browse to Settings -> iCloud.
  2. Tap on your Apple ID displayed at the top of the screen.
  3. Select Password & Security, then tap on Change Password. You’ll need to input your passcode to prove your identity.
  4. Type in a New password and then Verify it.

Make sure to also set up 2SV.

And take care if you sell your iPhone or bring it to a third-party servicing outfit. Before you hand over your device, make sure to remove your Apple ID.

Here’s more advice from Apple, and below is a video showing you how to pick a good, strong password.
