Hackers got into Apple’s iCloud last summer, exposing tons of celebrity nude photos online.
Apple has improved its security measures since then, but a lot of your personal info may still be vulnerable to a similar attack, as developer and Hackers of NY founder Dani Grant pointed out on Medium.
After the iCloud hack, Apple announced it was enabling two-factor authentication for iCloud, an enhanced security measure to protect users’ personal data.
Two-factor authentication prevents someone from accessing your information with your password alone.
If Apple sees you signing into one of its services from a new device, it prompts you for a unique code sent to a trusted device (usually a mobile phone) or a special longer code it gave you when you set up two-factor.
Apple also emails you when it sees you try to login from a new device.
But even if you have two-factor authentication set up for iCloud, Apple has a lot of other services. Some of those services still be accessed by guessing or getting you to reveal your password, the same way hackers previously broke into iCloud.
For instance, Grant discovered she could log into her iMessage account on a new computer with just her password.
That could allow somebody to impersonate you.
“Imagine that a hacker gained credentials of someone of power,” said Grant. “They could make statements on behalf of a senator or an executive, for example.”
It wasn’t just iMessage. Grant found she could sign into iTunes, FaceTime, the App Store, and Apple’s web site on new devices, all without two-factor authentication. Grant only received one email from Apple, about her login to FaceTime.
These services don’t overlap with iCloud (except for Contacts, which someone could get a pretty good idea of through your iMessage and Facetime), so Apple isn’t lying about what’s protected by two-factor and what isn’t.
But that’s still a lot of information left unprotected. Your iTunes account has your address, your phone number, and some of your credit card information.
An Apple spokesperson told Business Insider that users logging into iMessage or FaceTime from a new device will get an email or push notification.
You definitely should set up two-factor authentication for all the accounts it’s available for. But that doesn’t mean you’ll be 100% safe. Guard your passwords carefully, and be wary any time you receive an unsolicited email, phone call, or other communication asking you for your password — that’s how most scams begin.
Business Insider Emails & Alerts
Site highlights each day to your inbox.