This afternoon, Apple confirmed that stolen and leaked private photos of several celebrities were not due to a breach in its iCloud nor Find my iPhone services. Speculation swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.
A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.
In a statement issued today, Apple said:
When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.
One security expert says he tested whether AppleID would lock him out after a certain number of attempts after hearing about the possible patch by Apple: It did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celeb hacks.
[Read the rest of this article on Dark Reading.]
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio