How much is your data worth to Apple? That’s the question hacking collective Turkish Crime Family seems to be asking by blackmailing Apple to pay thousands of dollars or have millions of iCloud accounts wiped remotely.

The story started a few days ago, when Motherboard reporter Joseph Cox wrote about the hackers, who claim to have access to over 600 million compromised Apple accounts.

The group is currently demanding a large ransom from Apple to prevent them wiping millions of iPhones clean on April 7.

Accounts differ greatly on how many compromised accounts the hackers have access to, ranging from 300 million to 750 million, in their latest post on Pastebin – of which they claim 250 million are currently active accounts.

Apple vehemently denies that their security was breached, a fact that the hackers confirm in the same message.

Over past five years, the group claims to have been quietly hoarding accounts ending on @icloud.com, @me.com & mac.com, “due to those domains not having a popular demand in the cracking community.”

In an email to TNW, a spokesperson for the group told us they decided to make and publicize this threat now “mainly to spread awareness for Karim Baratov & Kerem Albayrak which both are being detained for the Yahoo hack.”

According to an article on PC World, “Karim Baratov, a Canadian national, was indicted last week for allegedly hacking into email accounts at various email providers at the request of two officers from the Russian Federal Security Service, the FSB.”

But whatever their motivation, the biggest loser in this story is Apple. Even if the hackers have access to only a fraction of the accounts they claim to have, it’s already a huge deal. And going on the sample the hackers sent to TNW, at least a fraction is legit.

The hackers have presented the company with a Catch-22: either they pay up and risk public shaming – not to mention that doesn’t solve the real problem of Apple accounts being traded among people with nefarious goals. Or they don’t, and risk however large a number of accounts being wiped.

The only other option that remains for Apple is a big one: asking everyone on a @icloud.com, @me.com or @mac.com to reset their password before April 7. All 800 million of them – or about four times the amount of users LinkedIn had to force password reset on after they discovered their breach.

Since Apple doesn’t know exactly which accounts are compromised, that would seem the only option they have – aside from backing up all accounts and crossing their fingers, maybe.

So what is Apple waiting for? In a statement they said the company was “actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. “

Are they hoping to catch the people involved before they do actual damage, at the expense of compromised users’ safety? Risky.

As long as Apple doesn’t take steps to compel all users to change their passwords, and keeps betting on law enforcement to catch the culprits before they start wiping accounts, the safest bet is to take matter in your own hands.

Change your password now. Doing so isn’t giving in to ransom, it’s just good password hygiene – something Apple should encourage instead of suss.

Read next: Facebook adds Mentions and Reactions to chats on Messenger