Hired hackers just got caught stealing iCloud backups, and here's how to avoid being next

Your iPhone's biggest security threat in 2026 isn't some futuristic hack. It's a fake login page that looks exactly like Apple's, and hired hackers are counting on you not noticing the difference.

Hackers used fake Apple pages to break into iCloud backups

Three cybersecurity organizations recently pulled back the curtain on a years-long hacking campaign targeting journalists, activists, and officials across the Middle East, North Africa, and potentially the US and UK. A new report traces the operation back to a hack-for-hire group with ties to an Indian surveillance company.

The technique was surprisingly low-tech, though. Attackers built fake Apple login pages to steal Apple ID credentials, giving them full access to victims' iCloud backups: photos, messages, contacts, everything. Researchers found nearly 1,500 fake web addresses impersonating iCloud, FaceTime, and Apple sign-in pages.

Android users weren't safe either

On the Android side, attackers used spyware called ProSpy, disguised as popular apps like Signal, WhatsApp, and Zoom. Once installed, ProSpy could quietly monitor messages, access the microphone and camera, and track the device.

No fancy exploits, no million-dollar spyware tools. Just convincing fake pages and phony apps that prey on a moment of inattention, and that's what makes this so unsettling.

Why this matters to every phone owner

While this campaign focused on high-profile targets, the playbook trickles down to everyday scams fast. Hack-for-hire groups are reportedly cheaper than commercial spyware, meaning outsourced hacking like this is only becoming more common. We've covered similar phishing threats before, and they keep working because people keep falling for them.

It should be noted that this exposes something people don't like hearing: iCloud's encryption and Apple's privacy marketing don't protect you if you type your password into a fake page. The weakest link in your phone's security has always been you. Turn on two-factor authentication for your Apple ID and Google account if you haven't, and never click login links from unexpected texts or emails.

Fake login pages remain the most dangerous weapon against your phone

I'll be honest, it's frustrating that we're still having this conversation in 2026. Apple and Google have poured billions into device security, yet a well-crafted fake webpage remains the most effective attack out there. Don't panic, but stay skeptical. If an unexpected message asks for your login info, treat it as suspicious, because your phone is only as secure as your ability to spot a fake.