It's unclear what happened, but it looks like Pliss gained access to users' Apple IDs and their passwords. From there, he used Apple's Find My iPhone feature to completely lock down their gadgets and demand a payment through PayPal to regain access.
The best way to protect yourself from Oleg Pliss, or any hacker with similar ideas, is to simply ensure that you have a strong password.
Once a user has your iCloud credentials, he or she will be able to access your contacts and calendar, remotely lock your iPhone or iPad, and completely wipe everything on it.
Don't fall into the horrible habit of using variations of the same password for every important account you own.
It may take a little extra effort, but brainstorming unique and powerful passwords is the most reliable way to prevent unwanted intruders from obtaining your personal data.
One simple way to do this is to come up with a completely random sentence. Then, take the first letter of each word in that sentence. Throw in some numbers and symbols, and capitalize some of the letters. Now you have a password that's easy to keep track of as long as you can remember that sentence, but it'll just look like a mix of random characters to an outsider.
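The sentence method described above, sketched in Python as an added example (not from the original article); the function names, the symbol set and the eight-word minimum are assumptions chosen for illustration. It also computes an upper bound on how much randomness the capitals, digits and symbols add if someone already knows the sentence.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*?"            # assumed symbol set for this example
POOL = string.digits + SYMBOLS   # characters "thrown in" between the letters

def initials(sentence):
    """Lowercased first letter of each word; words with no letter are skipped."""
    out = []
    for word in sentence.split():
        first = next((ch for ch in word if ch.isalpha()), None)
        if first:
            out.append(first.lower())
    return "".join(out)

def mnemonic_password(sentence, extras=3, min_words=8):
    """Build a password from a sentence: initials, random capitals, random extras."""
    base = initials(sentence)
    if len(base) < min_words:
        raise ValueError(f"sentence needs at least {min_words} words with letters")
    # Capitalize each letter with probability 1/2, using the OS random source.
    chars = [c.upper() if secrets.randbelow(2) else c for c in base]
    # Insert digits/symbols at randomly chosen positions.
    for _ in range(extras):
        chars.insert(secrets.randbelow(len(chars) + 1), secrets.choice(POOL))
    return "".join(chars)

def decoration_bits(n_letters, extras=3):
    """Upper bound (bits) on randomness added when the sentence itself is known."""
    bits = float(n_letters)                     # one coin flip per letter
    for i in range(extras):
        bits += math.log2(n_letters + i + 1)    # insertion position
        bits += math.log2(len(POOL))            # which digit or symbol
    return bits

if __name__ == "__main__":
    sentence = "My cat ate 3 blue fish on Tuesday, loudly!"  # constructed sample
    print(mnemonic_password(sentence))
    print(f"added randomness <= {decoration_bits(len(initials(sentence))):.1f} bits")
```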
Keeping a password on your phone's lock screen is also important. iPhone users that keep their phones protected with a passcode have been able to unlock their device even after receiving an alert from Oleg Pliss, according to reports. Those who didn't, however, couldn't access their devices after receiving the message. If you don't know how to turn passcode on, Apple has some pretty detailed instructions here.
Apple has issued a statement saying that the hack was not the result of a vulnerability within iCloud, but that those affected were the victims of a phishing scam. Here's what the company said according to ZDNet:
Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact Apple Care or visit their local Apple Retail Store.
PayPal has said in a statement that there's no account associated with the email address Pliss specified in his or her message. Here's the company's official statement:
PayPal can assure customers that no PayPal account is linked to the email address referenced in the reported scam. Further, if any PayPal customers have sent money via PayPal in relation to this matter their money will be refunded. This is consistent with PayPal's policies to protect consumers against fraud.
Regardless of whether the incident was the result of an iCloud vulnerability or a phishing scam, having a strong password is one of the best defenses against hackers. The Oleg Pliss scenario is one of several account theft attacks that have surfaced over the past several weeks. Just last week, eBay asked its users to change their passwords after cyber attackers reportedly used employee credentials to gain access to the company's corporate networks.