Apple: Celebrity Photo Theft Due to Compromised Passwords, Not iCloud Security

Apple released a statement Tuesday claiming that the celebrity photos stolen and released over the holiday weekend were the result of targeted attacks on individual accounts, rather than a breach of iCloud security or Find My iPhone. The company said in an "Apple Media Advisory" that it was continuing to investigate and was working with law enforcement to identify the thieves.

Nude and otherwise risque photos of more than 100 celebrities were posted to 4chan over the weekend. Images—both faked and real—of Jennifer Lawrence, Ariana Grande, Mary Elizabeth Winstead, Kate Upton, and others were involved, and the thief claimed to have hacked into Apple's iCloud and Photo Stream.

Apple, however, said that 40 hours of investigation had so far found that "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions." The company added that "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."

The reference to Find My iPhone is a response to media speculation that a gap in Find My iPhone security may have been used by the thief or thieves to gain access to celebrity accounts. That gap allowed an unlimited number of password attempts, leaving accounts vulnerable to brute-force attacks.

Apple sealed that gap over the weekend, adding fuel to the speculation that the gap was involved. The company's statement on Tuesday suggests the fix was the result of a more general tightening of security.
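The kind of gap described above (unlimited password attempts) next to a per-account throttle that closes it, as an added example that is not Apple's code or part of the original article. The class, account name, limits and wordlist are all constructed for illustration, and time is passed in as a parameter so the replay runs instantly.

```python
import hmac

class ThrottledAuth:
    """Per-account failure throttle with exponential backoff (illustrative)."""

    def __init__(self, verify, free_attempts=5, base_delay=30, max_delay=3600):
        self.verify = verify                # callable(account, password) -> bool
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap on a single lockout
        self.state = {}                     # account -> (failures, locked_until)

    def login(self, account, password, now):
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            # Rejected before the password is checked, so guesses sent
            # during a lockout tell the sender nothing.
            return "locked"
        if self.verify(account, password):
            self.state.pop(account, None)   # success resets the counter
            return "ok"
        failures += 1
        over = failures - self.free_attempts
        delay = min(self.base_delay * 2 ** over, self.max_delay) if over >= 0 else 0
        self.state[account] = (failures, now + delay)
        return "denied"

def replay(auth, account, wordlist, seconds_per_guess=1.0):
    """Send one guess per interval; return (guesses_checked, succeeded)."""
    checked, now = 0, 0.0
    for guess in wordlist:
        result = auth.login(account, guess, now)
        now += seconds_per_guess
        if result != "locked":
            checked += 1
        if result == "ok":
            return checked, True
    return checked, False

# Constructed data: one account whose password sits at position 600 of a
# 1000-entry list. A real service would compare against a salted slow hash.
SECRET = "guess600"
def verify(account, password):
    return account == "user@example.com" and hmac.compare_digest(password, SECRET)

WORDLIST = [f"guess{i}" for i in range(1000)]

if __name__ == "__main__":
    unlimited = ThrottledAuth(verify, free_attempts=float("inf"))  # the gap
    print("unlimited:", replay(unlimited, "user@example.com", WORDLIST))
    print("throttled:", replay(ThrottledAuth(verify), "user@example.com", WORDLIST))
```

A per-account lockout also lets anyone lock the legitimate owner out by failing on purpose, so it is normally paired with per-source limits and a second factor such as the two-step verification Apple's advisory recommends.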

Apple's Media Advisory in full:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.