The high-profile leak of celebrity images, many of them explicit, has been blamed solely on a vulnerability in Apple iCloud’s Find my iPhone service. A brute-force attack using a Python script was purportedly run against victims’ accounts to gain access.
Nude photos and more of over 100 celebrities such as Jennifer Lawrence, Kirsten Dunst, Kate Upton and Victoria Justice were leaked on Sunday on 4chan’s /b/ forum. In a tweet yesterday, Kirsten Dunst lamented, “Thank you iCloud.”
Apple patched the vulnerability that allowed continued guessing of user passwords without any lockout or notification to the account owner.
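As an added illustration (not code from the article or from Apple), the defect described above in miniature: a login check that accepts unlimited guesses with no lockout or notification, beside a hardened version that throttles per account and records an alert. Account names, thresholds and the salt are hypothetical, constructed values.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash (PBKDF2) so stored digests resist offline cracking.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked

def make_accounts(user: str, password: str) -> dict:
    salt = b"constructed-salt"  # constructed sample value, not a real secret
    return {user: Account(salt, _hash(password, salt))}

class WeakLogin:
    """The defect: every guess is checked, nothing is counted or reported."""
    def __init__(self, accounts: dict):
        self.accounts = accounts
    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(_hash(password, acct.salt), acct.digest)

class HardenedLogin:
    """Per-account failure counter, temporary lockout and an alert hook."""
    MAX_FAILURES = 5        # hypothetical threshold
    LOCKOUT_SECONDS = 900   # hypothetical lockout window
    def __init__(self, accounts: dict, now=time.time):
        self.accounts, self.now, self.alerts = accounts, now, []
    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False  # same answer as a wrong password: do not reveal valid user names
        if self.now() < acct.locked_until:
            return False  # locked: refuse without even checking the password
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked_until = self.now() + self.LOCKOUT_SECONDS
            # In a real service this would notify the owner and the security team.
            self.alerts.append((user, "account locked after repeated failed logins"))
        return False
```

The weak class lets a script keep guessing indefinitely; the hardened one stops checking after a handful of failures and leaves a record that someone can act on.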
The Cupertino company, however, was adamant that the hack was not an iCloud fault per se, but a large-scale targeted attack on user names, passwords and security questions, nothing uncommon on the internet.
After more than 40 hours of investigation, Apple said that none of the cases resulted from any breach in any of Apple’s systems, including iCloud and Find my iPhone.
Read Apple’s full statement below:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232
The FBI has stepped in to investigate the case.
This flagrant breach of privacy could happen to any one of us. With the advent of cloud services and the myriad online services we subscribe to, just how safe and secure are our passwords?
To protect against this sort of attack, it is recommended that we use a strong password (please, not ‘qwe123’ or ‘abc123456’) and also enable two-step verification where available.
Apple is actively working with authorities in further investigations.