In a statement Tuesday, Apple said the hack that caused nude photos of celebrities to leak was not the result of a widespread attack on its iCloud system. Instead, the hackers targeted the accounts of individual celebrities.
Here’s the statement:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
But Apple’s response still leaves some unanswered questions. If the culprits weren’t able to infiltrate iCloud, then how were they able to target individuals? And what, if anything, can Apple do to prevent it?
As soon as the statement was released, several journalists and tech pundits pointed out that Apple appeared to be placing the blame on users rather than on the question of why Apple IDs could be attacked with automated guessing tools in the first place.
Apple sure is passing the buck with that statement.
— danprimack (@danprimack) September 2, 2014
basically, Apple’s denial of an iCloud breach is that the vulnerability that allowed accounts to be hacked doesn’t count as a “breach”
— The real Jon Brodkin (@jbrodkin) September 2, 2014
There are several theories as to how the hackers were able to access iCloud accounts. The most prominent one is so-called “brute force” guessing: the attacker already knows, or can easily work out, the target’s account ID (usually an email address) and then uses software to try passwords, or answers to security questions, in bulk until one works.
Apple’s statement implies that hackers did use a “brute force” method or something similar in the recent celebrity photo hack. Here’s that excerpt from the statement:
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
But what Apple doesn’t say is whether a flaw on its end allowed the hackers to employ brute force methods at all: online guessing only works if the login or password-reset path keeps accepting attempts after many failures, rather than locking the account or slowing the attacker down. Other than enabling 2-step verification, which asks for a code sent to a trusted device in addition to your password, there’s not much assurance that you’re safe from being targeted. Still, as TechCrunch’s Matthew Panzarino points out, 2-step verification as Apple currently offers it won’t protect your photos and some other personal data, so even users who turn it on remain exposed. An Apple spokesperson declined to comment beyond the prepared statement.
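To make the distinction concrete, here is an added example (not code from Apple, the article or any real iCloud endpoint) of a toy login service attacked by the kind of targeted guessing the statement describes. The account name, the password (built from a pet’s name plus a year, the sort of detail a targeted guess list draws from public information) and the candidate list are all constructed for the demonstration. The same guessing loop is run against three configurations: an endpoint with no lockout, one that locks the account after five failures, and one that requires a second-factor code on the login path. Note the last case models a second factor that covers login itself; as the article notes, Apple’s 2-step verification at the time did not cover all data.

```python
"""Added example: why 'did a flaw allow brute force?' is the real question.

Everything here is constructed for illustration: the target account, its
password, the second-factor code and the candidate password list.
"""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Stores (salt, pbkdf2 digest) per username; never the plaintext."""

    def __init__(self):
        self._accounts = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = (salt, hash_password(password, salt))

    def check(self, username: str, password: str) -> bool:
        rec = self._accounts.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt), digest)


class LoginService:
    """max_attempts=None models an endpoint that never locks an account,
    i.e. the flaw that makes online guessing practical."""

    def __init__(self, store: AccountStore, max_attempts=None):
        self.store = store
        self.max_attempts = max_attempts
        self.failures = {}        # username -> consecutive failed attempts
        self.second_factor = {}   # username -> code held by a trusted device

    def login(self, username: str, password: str, code=None) -> str:
        if self.max_attempts is not None and self.failures.get(username, 0) >= self.max_attempts:
            return "locked"
        if not self.store.check(username, password):
            self.failures[username] = self.failures.get(username, 0) + 1
            return "bad_password"
        self.failures[username] = 0
        expected = self.second_factor.get(username)
        if expected is None:
            return "ok"
        if code is None or not hmac.compare_digest(code, expected):
            return "needs_code"   # password is right, but access is still denied
        return "ok"


def brute_force(service: LoginService, username: str, candidates):
    """Targeted online guessing: one known username, many password guesses.
    Returns (password_or_None, attempts_made, last_result)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        result = service.login(username, guess)
        if result in ("ok", "needs_code"):   # password confirmed either way
            return guess, attempts, result
        if result == "locked":
            return None, attempts, result
    return None, attempts, "exhausted"


# Constructed target: password derived from a publicly known pet name and year.
TARGET = "star@example.com"
TARGET_PASSWORD = "Fluffy2014!"
SECOND_FACTOR_CODE = "482913"

# Constructed guess list: generic passwords first, then guesses built from
# public facts about the target, the pattern a *targeted* attack exploits.
CANDIDATES = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "Fluffy", "fluffy123", "Fluffy2013", "Fluffy2014", "Fluffy2014!",
    "Fluffy!2014", "fluffy2014",
]


def build_service(max_attempts=None, two_step=False) -> LoginService:
    store = AccountStore()
    store.add(TARGET, TARGET_PASSWORD)
    svc = LoginService(store, max_attempts=max_attempts)
    if two_step:
        svc.second_factor[TARGET] = SECOND_FACTOR_CODE
    return svc


def demo() -> dict:
    return {
        "no_lockout": brute_force(build_service(), TARGET, CANDIDATES),
        "lockout_after_5": brute_force(build_service(max_attempts=5), TARGET, CANDIDATES),
        "two_step_no_lockout": brute_force(build_service(two_step=True), TARGET, CANDIDATES),
    }


if __name__ == "__main__":
    for name, (pw, n, outcome) in demo().items():
        print(f"{name:22s} password={pw!r:15} attempts={n:2d} outcome={outcome}")
```

Without a lockout the tenth guess succeeds; with a lockout after five failures the attacker is stopped on the sixth request without learning anything; with a second factor the guesser still learns which password is correct, but cannot log in without the code held by the trusted device. That middle case is the “flaw on its end” the article asks about: the same password strength and the same attacker, with the outcome decided entirely by whether the service limits failed attempts.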
As Sam Biddle of Valleywag discovered, celebrities aren’t the only victims of iCloud photo hacking. There’s an entire message board on a site called AnonIB dedicated to “iCloud rippers” who apparently use similar techniques to steal nude photos from random women. This was going on long before nude photos of celebrities leaked over the weekend.
So it shouldn’t be a surprise that the narrative has shifted against Apple. Instead of explaining how iCloud user IDs are vulnerable, or why it hasn’t heavily promoted 2-step verification, Apple only delivered a delicate statement for the public to go on. We could learn more as Apple’s investigations continue, but what we have today isn’t very reassuring.
Still, this kind of problem isn’t exclusive to Apple. Home Depot said Tuesday it was investigating a potential security breach. And the same account-guessing methods hackers used against iCloud work just as well against the cloud accounts behind Android phones, Windows Phones, BlackBerrys … whatever.
Until a better solution comes out, your best bet is to enable 2-step (some services call it 2-factor) verification on everything you can, use a long password you don’t reuse elsewhere, and treat security-question answers as passwords rather than facts someone could look up. It’s not perfect, but it’s better than nothing.