The leaking of nude celebrity photos across the internet over the weekend sparked outrage, not only from those who were affected, but also from many in the security sector. It was widely believed that Apple’s iCloud was breached to gain entry, but the company has now explained that this wasn’t the case.
Celebrities who had their nude pictures leaked across the internet include Oscar nominee Jennifer Lawrence and model Kate Upton. Rumour has it that as many as 100 celebrities have been compromised, with over 300 photos leaked.
“We take user privacy very seriously and are actively investigating this report,” Apple spokeswoman Natalie Kerris told reporters as soon as the hack became clear. Apple and the FBI have been trying to track down the culprits, but Apple has explained that the celebrities were at the receiving end of targeted attacks that compromised their user names and passwords.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” Apple said in a statement.
Apple further explained that the iCloud service wasn’t breached at any point as part of a massive hacking attempt, but rather that the individual accounts of the celebrities were accessed through the dubious targeted attacks.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
If you feel a bit uneasy about using iCloud or the Find My Phone service, it is advised that you always use a strong password and enable two-step verification. (For a workshop on protecting your iCloud account against hacks, click here.)
While iCloud’s security measures weren’t technically breached, it was still the weakest link in the attack. There’s a great article over at the Guardian that explains exactly how the criminals were able to use password reset features to get access to celebs’ private accounts.
Basically, they guessed or acquired the email addresses, and requested a password change from Apple’s servers. When you ask for a reset, Apple asks you to identify yourself with a security question. But these are usually based on trivial personal information which – for Hollywood actors at least – is easy to find in Facebook pages and interview articles.
So another way of looking at this is that iCloud was breached, just in a very low-tech way that didn’t involve getting around Apple’s firewalls and other security.
[Source – Apple, Image – CC by 2.0/Gage Skidmore]