According to BGR , the report says the attackers then quickly used the iPhone's password to take over the Apple ID by setting up a new security key, essentially locking the victim out of their own Apple account.

The attackers can then use the device to make purchases with the victim’s card until it is canceled. More importantly, they can completely wipe the phone’s data and sell it, as the victim’s Apple ID can no longer prevent the phone from being reactivated.

At the moment, Apple has no way to counter this type of attack by thieves. Therefore, the best way that users can do is to apply defensive measures with the two suggested settings below.

Set up strong passwords with Face ID

If you haven’t set up a Face ID and password combination for your lock screen, a thief will be able to get into your phone as soon as they get their hands on it. So the first thing you should do when setting up your iPhone is turn on Face ID and create a strong password that’s longer than six characters.

Then make sure the user always uses Face ID when out and about. If the first authentication attempt fails, try again instead of entering the password in public. Also, change that password occasionally if the user thinks someone else knows it.

Since using 6 digits is easy to remember, users should follow these steps to set up a strong alphanumeric iPhone passcode to prevent bad guys from remembering it: Open the Settings app > Face ID & Passcode > enter the current passcode and select Change Passcode. Verify the old passcode but do not enter a new 6-digit passcode, instead tap the Passcode Options menu button above the keyboard and select Custom Alphanumeric Code. Now set up a strong passcode.

Use Screen Time to prevent Apple ID hijacking

Assuming the password is not strong enough even if it is longer than 6 characters, to prevent a thief who steals the iPhone from being able to access the Apple ID and use the security key to lock the phone, the user needs to prevent Face ID access unless they know the Screen Time password.

This is a great security feature that users should take advantage of. To do this, open the Settings app > Screen Time. Scroll down to set a passcode for it and make sure the user remembers it. Enter your Apple ID credentials so you can recover the Screen Time passcode if you forget it. Go to Content & Privacy Restrictions and turn on Content & Privacy Restrictions, scroll down to Allow Changes. Tap on Account Changes and select Don't allow. Users can also block passcode changes at this step.

When this setting is enabled, the user will no longer be able to access their Apple ID on the iPhone unless they repeat the steps above to authorize changes to their account. Blocking passcode changes also removes the Face ID & Passcode menu from the Settings app, so a thief can’t change the phone’s passcode.