Back in September, Apple enabled a two-factor authentication (2FA) security option for iCloud in the wake of a celebrity photo hacking scandal. While this helped protect backups, photos, and other personal data stored using Apple's cloud service, it didn't extend to some other commonly used Apple services. According to a Guardian report, Apple is turning on 2FA for the iMessage and FaceTime services starting today.
If you've already enabled 2FA on your iCloud account, there's nothing else to do—signing into iMessage or FaceTime on a new device will now prompt you to generate an app-specific password on the Apple ID management page. If you're unfamiliar, app-specific passwords are randomly generated passwords separate from your main account password that you typically use once to grant access to a specific app, and you can only generate these passwords using a device that has already been verified with your account. Once you've generated a password, you'll enter that into the password field along with your Apple ID to sign in.
The experience isn't as good as it could be. Tap the "create" button on an iPhone, for example, and you'll be directed to the desktop version of a sign-in page to generate your password; ideally, Apple will come up with something a bit more mobile-friendly in the future. Several Apple services still aren't protected by two-factor authentication—you can sign in to iTunes, the App Store, or the online Apple Store without needing anything other than your account password—but it makes sense for Apple to focus first on services that are more likely to expose sensitive data.
On Monday, imageboard site 8chan's "baphomet" subboard, an Internet destination known for hosting aggressive "doxing" posts, received a major history wipe the day after one of its users posted the personal information of a federal judge in the Silk Road case. Archived posts sent to Ars Technica contained the full mailing address, phone number, and Social Security number of Judge Katherine Forrest at the top of a "dox thread" from Sunday, February 8, that contained many other random people's personal information.
(Due to the way baphomet users frequently post and then delete sensitive information, we have relied on archive.today links to verify the following 8chan activity. The site has also disabled the ability to search through the baphomet board through its default tool.)
Forrest's details were identical to those that had been posted by anonymous darknet users in October of last year, though this time, they didn't also include any threatening messages. A follow-up post by baphomet's "Board Owner" account stated that "HW," a reference to site founder Frederick "hotwheels" Brennan, deleted "the SSN posts" and told the baphomet board founder, previously identified via an associated Twitter handle as Benjamin Biddix, to "lay low."