Apple: Celebrity Photo Theft Due to Compromised Passwords, Not iCloud Security


Apple released a statement Tuesday claiming that the celebrity photo thefts revealed over the holiday weekend were the result of targeted attacks on individual accounts, rather than a breach of iCloud security or Find My iPhone. The company said in an "Apple Media Advisory" that it was continuing to investigate and was working with law enforcement to identify the thieves.

Nude and otherwise risqué photos of more than 100 celebrities were posted to 4chan over the weekend. Images—both faked and real—of Jennifer Lawrence, Ariana Grande, Mary Elizabeth Winstead, Kate Upton, and others were involved, and the thief claimed to have hacked into Apple's iCloud and Photo Stream.

Apple, however, said that 40 hours of investigation had so far found that "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions." The company added that "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."

The reference to Find My iPhone is in response to media speculation that a gap in Find My iPhone security may have been used by the thief or thieves to gain access to celebrity accounts. That gap allowed an unlimited number of password attempts against an account, with no lockout, leaving accounts open to brute force password guessing.

Apple sealed that gap over the weekend, adding fuel to the speculation that the gap was involved. The company's statement on Tuesday suggests the fix was instead part of a more general tightening of security.
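The server-side check that closes the kind of gap just described, as an added example that is not from the article and not Apple's code: a per-account failed-login counter with a sliding window and a temporary lockout. The account name, password, guess list, thresholds and the fake clock are all constructed for illustration; the same service is run once with no limit (the gap) and once with the limit, so the difference in outcome is visible.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed policy values for the example, not Apple's.
MAX_FAILURES = 5        # failures tolerated inside the window before lockout
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is hit


def _hash(password):
    # Stand-in for a real password hash; use bcrypt/scrypt/argon2 in production.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class FakeClock:
    """Deterministic clock so the example behaves identically offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginService:
    def __init__(self, users, clock, max_failures=MAX_FAILURES):
        self._users = {u: _hash(p) for u, p in users.items()}  # constructed user table
        self._clock = clock
        self._max_failures = max_failures          # None reproduces "unlimited attempts"
        self._failures = defaultdict(list)         # user -> timestamps of recent failures
        self._locked_until = {}                    # user -> time the lockout expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        return until is not None and self._clock.now() < until

    def _prune(self, user, now):
        cutoff = now - WINDOW_SECONDS
        self._failures[user] = [t for t in self._failures[user] if t > cutoff]

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'. The lockout is checked before the
        password so a locked account reveals nothing about the guess."""
        now = self._clock.now()
        if self.is_locked(user):
            return "locked"
        stored = self._users.get(user)
        # Compare against a dummy hash for unknown users so timing is similar.
        expected = stored if stored is not None else _hash("")
        if stored is not None and hmac.compare_digest(expected, _hash(password)):
            self._failures.pop(user, None)
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if self._max_failures is not None and len(self._failures[user]) >= self._max_failures:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            return "locked"
        return "denied"


def run_guesses(service, user, guesses):
    """Feed a constructed guess list to the service in order and return the
    per-attempt outcomes; used only to show the throttle's effect."""
    return [service.login(user, g) for g in guesses]


USERS = {"alice@example.com": "correct-horse-battery-staple"}   # constructed
GUESSES = ["password", "123456", "qwerty", "letmein", "iloveyou",
           "correct-horse-battery-staple"]                       # constructed


def demo():
    clock = FakeClock()
    unlimited = LoginService(USERS, clock, max_failures=None)   # the gap: no limit
    throttled = LoginService(USERS, clock)                      # the fix
    without = run_guesses(unlimited, "alice@example.com", GUESSES)
    with_lock = run_guesses(throttled, "alice@example.com", GUESSES)
    clock.advance(LOCKOUT_SECONDS)   # lockout expires; the real owner gets back in
    after = throttled.login("alice@example.com", "correct-horse-battery-staple")
    return without, with_lock, after


if __name__ == "__main__":
    without, with_lock, after = demo()
    print("no limit:  ", without)      # sixth guess succeeds
    print("throttled: ", with_lock)    # locked before the sixth guess is tried
    print("after lockout expires:", after)
```

With no limit the sixth guess lands; with the limit the account locks on the fifth failure and the sixth guess is never evaluated, while the legitimate owner can log in once the lockout expires. Real deployments pair this with per-source-IP limits and the two-step verification Apple recommends below, since a per-account counter alone can be used to lock a victim out deliberately.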

Apple's Media Advisory in full:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

The Mac Observer Spin

That statement was an uncharacteristically quick response for Apple—it's also a sign that the company wants to get out in front of this issue. The company has a media event planned for September 9th, and it would clearly prefer the press to be focusing on what it will announce, rather than iCloud security and the privacy of Apple's customers, celebrity or no.

This is precisely the kind of issue where Apple is best served by being open, transparent, and aggressive. Security—especially cloud security—is of ever-increasing importance to everyone. If Apple wants to make the most of its cloud services, customers must be comfortable with the idea that their data is secure. Hiding behind a wall of denial and obfuscation wouldn't have helped Apple in that regard, making two statements in two days an important step.

Of course, this situation is far from over. For one thing, not even Apple is claiming that its investigation is all-inclusive, and law enforcement hasn't weighed in with its opinion. Neither have independent security experts. It could be some time before the dust settles on this.


Comments

Bosco (Brad Hutchings)

More fundamentally, it’s a huge Human Computer Interaction fail by Apple, Google, and Microsoft that regular non-techie users have no control over which photos get shared on the cloud and which stay on their phones. It’s another HCI fail that users aren’t strongly encouraged to manage online passwords and account access securely at an OS level.

Fundamentally, we’re more at risk having data stolen when it’s placed somewhere not under our control. This risk is swept under the rug rather than managed effectively. All three vendors do this terribly. Here’s an approach that could help:

https://www.youtube.com/watch?v=KId2HmtIQxI

Bosco (Brad Hutchings)

One more thing… I cover it in the video. This isn’t just about nude selfies. Many people are quite legitimately very leery of having pictures of their minor children out in the cloud in any form. Most businesses should fear having sensitive documents in the cloud as they become subpoena-able via third parties that may not be willing or able to object.

On both desktop and mobile, we lack mechanisms for ensuring that sensitive data/photos doesn’t get thrown up in the cloud.

Lee Dronick

Brad, also just to keep the clutter to a minimum. I might be on my iPad and take a screen shot of Maps to email someone, I don’t need that on my iCloud and then into iPhoto or Aperture. Now the sunset photo or what ever, I want synced to Aperture.

Bosco (Brad Hutchings)

Yeah, screenshots are a mess too. And on Android, Google has started syncing my TED talks from a 3rd party podcast player. LOL. I’ve been in WTF mode about that stuff for a month. But this iCloud breach really, really hit home. It’s not a technical security problem. It’s a usability problem.

paikinho

“Many people are quite legitimately very leery of having pictures of their minor children out in the cloud in any form. Most businesses should fear having sensitive documents in the cloud as they become subpoena-able via third parties that may not be willing or able to object.”

Couldn’t agree more.

vpndev

Fully agree with the issue of lack of control over what goes to iCloud/PhotoStream.

An “all-or-nothing” is poor.

Jamie

The corporate espionage surrounding Apple’s product announcements is just dizzying, and again, as an older Apple guy, it’s bewildering to me, nobody gave a **** fifteen years ago. Someday, there will be screenplays written about all of this. wink

vpndev

Bear with me while I digress, although only slightly, onto the issue of the “Apple ID”. Although some of us have old “developer IDs” (i.e. ones that don’t look like an email address) that are also AppleIDs, they really started with “.mac” email accounts. Or “iTools” as it was then known (early 2000).

And then the other uses started. First there was iTunes, later iPhone App Store, and FaceTime and iMessage/Messages, and Mac App Store, and Find my iPhone and Find My Friends and ... on and on.

Using a single AppleID for all these is unfortunate and quite constraining. Apple has, at long last, recognized a part of this with the upcoming “Family Sharing” capability (poorly done IMHO since it requires that your credit card info be on your kids’ AppleIDs to enable sharing).  We should be able to have separate IDs and passwords for various purposes, and make some super-secure and others less-so. For example, if I fund my iTunes account using gift cards, I might allow my kids to use my iTunes account for sharing, knowing that they can’t buy much. But I am certainly not about to allow anyone access to my primary ID - locked down with 2FA.

One idea that occurs to me is for Apple to allow sub-accounts for an AppleID, tied to and managed from the main account. The accounts would be your account name with specific suffixes. So if your primary account is myID@icloud.com, you can set up myID_itunes@icloud.com, and myID_appstore@icloud.com, and the like. Using the capabilities of the sub-account would be easy, perhaps with simpler authentication, while changing settings, passwords etc would require access through the primary account (2FA hopefully, and much harder).

Thoughts? Comments? flames > /dev/null

Lee Dronick

As usual the clickbaiter tech writers are all over this. “Apple’s iCloud has a fundamental flaw” then in the last paragraph he says that we don’t know how they got into iCloud and that photos also came from other clouds. Of course reportedly few people read an entire online article.

vpndev

Personally, I back up only to my local Mac and not to “the cloud”.

Celebrities have a more difficult problem than most of us because more information about them is in easy circulation and there’s an incentive to get even more.

But it’s hard to see how the current two-step authentication could work nicely with restore-from-backup, because a typical use for this would be when your trusted device has been lost or stolen, and you’re trying to restore to a new one. This is a real challenge.

CudaBoy

Your cameras and Macs could be hacked way before the “cloud” and now people voluntarily throw their personal stuff up to a 3rd party bunch of hackable servers - c’mon people, wake up and ditch the cloud. And unplug your cams when you aren’t using them. iCloud DOES have a fundamental flaw - it got hacked - no matter how Apple tries to spin it. And by no means are they the only ones being hacked, Target and now Home Depot? It is a Fact Of Life that anything and anyone can be hacked so i say pull in the reins and keep your stuff on your local storage - and Folderbolt it, or whatever. My 2¢

vpndev

Cuda: password compromise is not “iCloud got hacked”. It’s “password compromise”.

I use “the cloud” because it’s useful for me and the things I put there do not have substantial value to others. Think: holiday photos.

As I said just above - I do NOT back up my phone to the cloud. But I am not about to switch to your concept of a disconnected life. You’re welcome to that.
