Apple ‘actively investigating’ alleged iCloud hack that led to celeb photo leak

Sep 1, 2014


After nearly 24 hours of silence, Apple has finally commented on the alleged iCloud hack that led to a massive leak yesterday of nude celebrity photos. The Cupertino-based company says that it is aware of the reports and is “actively investigating” the claim.

“We take user privacy very seriously and are actively investigating this report,” Apple spokeswoman Natalie Kerris told Recode in a statement. She did not, however, provide any additional details on the attack, or if iCloud was even the source of the photos.

For those that missed it, a treasure trove of photos showing high profile celebrities like actress Jennifer Lawrence and model Kate Upton in little to no clothing popped up in a thread on 4chan. The original poster said they were obtained via an iCloud hack.

Many of the women named in the leak have since spoken out on the matter. Some of them, such as Victoria Justice, are disputing the authenticity of the photos, while others, including Jennifer Lawrence (well, her PR agent), have confirmed their legitimacy.

Earlier today, it was reported that Apple fixed a vulnerability in Find My iPhone, which allowed for brute force attacks on Apple ID passwords. It’s been speculated that this loophole may have played a part in yesterday’s scandal, but it has not been confirmed.

[Recode]

  • peterbreis

    Wow. NOBODY could see THAT coming!

    After all Apple said it was OK.

    So what financial and personal information do YOU have in iCloud?

    • https://twitter.com/aidanharris1 Aidan Harris

      I’m sorry but I disagree with you there. A lot of data in iCloud is encrypted using the device’s password and as for brute force attacks they can happen to any web service and the only protection against them is for Apple to do the following:

      1. Block suspect ip addresses
      2. Show CAPTCHAS after X attempts
      3. Lock accounts and send emails explaining why

      Even then the above is not fool proof apart from number 3

      Furthermore if you have a treasure trove of nude photographs or as you put it “financial and personal information” why are you protecting such information with a common password such as ‘Password1’?

      In addition to this Apple offers two step authentication which further mitigates brute forcing attacks on passwords.

      To close, if you even knew anything about brute forcing attacks you’d know that such attacks lie solely with the user. If you use 10+ digit passwords that are padded and include multiple symbols, digits and letters no dictionary attack in the world will reveal your password.

      /rant

      • Chief

        This kid is SO MAD hahaha. Don’t be that guy that responds to EVERY post just because you can’t control your emotions. I know the mere thought that Apple may have been hacked is soul crushingly devastating for you but don’t worry. You can get through this. Stay strong.

      • https://twitter.com/aidanharris1 Aidan Harris

        I’m not mad although perhaps others might find it annoying with me responding to many comments. I think I’ve done enough commenting for today

      • Donovan

        Why should he be mad? He is just not as ignorant as most people on here.

      • SoylentGreen

        Yeah we need to remember that if any of the guys that actually purport to work here made a video miming the new “invisible iphone” and offering sales of such, many of the ppl would just send cash, no wonder you hear about ppl getting scammed by the tonne. Scary.

      • peterbreis

        Apple may claim a lot of things but their own forums are frequently hacked and I suspect so are their servers generally.

        They merely hide it all by never talking about anything until somebody busts them.

        Who said I am using Password1? I am using 12345 for all my sensitive data, because nobody would think that I would use such a simple password! AND I am being very careful to NEVER tell anyone that is what I am using.

        As anyone who does support on Apple’s forums knows, Apple’s current user base is extremely technically aware, pays attention to what is going on, and trusts no-one particularly Apple, so personally manage all the connections and interaction on their Macs, leaving nothing on default settings.

        …and what could be more secure and successful than that?

      • https://twitter.com/aidanharris1 Aidan Harris

        Hmmm. I can’t tell if you’re being sarcastic or serious…

      • peterbreis

        I think I can see the problem…

    • SoylentGreen

      Lol apple still maintain imessage is secure encrypted end to end, but left out the fact that they are the certificate authority and the ppl who WILL try and harm you if their puppeteers require it, but i guess ppl don’t know that apple/google/microsoft are nsa/gchq socks. Look it up ppl they are all eugenicists that want only certain people using the earth’s resources, I’ve heard talks where they applaud population control by airborne ebola, HIV anyone? They are all globalist megalomaniacs with modern eugenicist ideas (don’t believe me, google it).

      • peterbreis

        …and I’ve googled you and I’ve heard talks that say you were behind the world trade center bombings, and that was just your mother!

  • Unicorn Drank

    The fact that I saw how freaky these celebs are makes me want to support them from now on lol… on another note, I’m kind of shocked that this happened, I’m pretty sure Apple is going to have a difficult time recovering from this.

    • Rowan09

      Recovering? When did the decline happen? If they hacked regular people’s accounts no one would care as much, so a few celebrities makes it devastating?

      • Unicorn Drank

        Recovering from bad press since the press is only about Apple’s iCloud, I don’t think you live in America, if a famous celebrity says they eat dog shit for breakfast in order for them to lose 10lb I bet you $100 that a flock of people will go and eat the dog shit. There’s a reason why these celebrities are rich and it’s because dumb ass people worship them more than their own lives, I’m sure if Victoria Justice and JLaw stopped using their iPhones their little sheep will follow.

      • Rowan09

        You are wrong, here’s why. When it comes to technology no one for the most part cares what celebrities use. Samsung has a deal with the NBA and still no one is running out to buy the S5. The only celebrity that can get people for the most part to eat something stupid is Dr. Oz and it’s because he’s a Doctor. While people may be mad this happens they will still buy iPhones and it will only make Apple’s security better as well as others. I like Jennifer Lawrence but who cares what she owns as a personal device, she probably didn’t buy it anyways. Celebrities have power, but only certain celebrities can affect sales figures and these people are not the ones. I didn’t even read one article that stated they won’t own an iOS device anymore due to this event which we know little about. Let’s wait and see what actually happened first before passing judgment.

      • Unicorn Drank

        Seems like you’re taking the comment very literally, celebrities have a huge impact on a lot of sheep out there, unfortunately and if you believe that’s not true with technology, all I have to say is Beats by Dre, there is a reason why companies endorse these celebs and it’s because it works. I’m pretty sure if they made no celeb endorsement they would be tanking in sales and if you don’t believe that’s true, I must be living in a fairy tale.

      • Rowan09

        Which commercial by Apple was made with celebrities? I believe they may have made one but almost all of the commercials are regular people showing off what the device can do. You are missing the point, Beats By Dre sold because Dr. Dre is actually a producer and sold millions of albums and helped to sell millions of albums. As I stated before not 1 celebrity so far from what I’ve read said they blame Apple and will not purchase another iPhone or iOS device. It would make more sense if they said I’ll be careful what I put on the cloud, but not that I won’t purchase an iPhone because of this issue. I remember another hacker that sold celebrities’ information and got pictures, etc, when he was caught he got 10 years. Jennifer Lawrence said she’s going to sue the hacker not Apple.

  • Donovan

    But, who actually believes their stuff is safe on a server? Servers can be hacked, nothing is safe. I know my stuff can get stolen, but I got nothing to hide so what gives..

    • https://twitter.com/aidanharris1 Aidan Harris

      iCloud makes use of encryption so your data is safe. Nobody but Apple, you and in select cases the authorities can access your data. The brute force attack on Apple can happen to most websites and since it usually involves a dictionary type attack where passwords are checked against a predefined list of passwords it’s very easy to protect yourself.

      The advice as always is enable two-step authentication if it’s available and use long complex passwords made up of symbols and alphanumerics.

      • Donovan

        Everything online is hackable. Bugs are, and will be, around forever. And as long as there are bugs, nothing is 100% secure.

      • https://twitter.com/aidanharris1 Aidan Harris

        If data is encrypted to make use of it you need to decrypt it. Sure it’d look bad if someone got hold of encrypted data from iCloud but without a way to decrypt it’s still safe. I’m not suggesting iCloud is unhackable, of course it is, every site is but what I am saying is even if you managed to gain access to data on iCloud it would be useless unless you could decrypt it.

      • Donovan

        Yea I know, it’s still impressive that he/she/they did what they did. I just meant that you shouldn’t think your data is safe, no matter what. And people already watch celebs’ every move, they should be extra careful. Pretty sad if you ask me.

      • https://twitter.com/aidanharris1 Aidan Harris

        I can see what you’re saying and for the most part you’re probably right. I’m willing to bet that most celebrities despite their high profiles aren’t very tech savvy and don’t employ good security practices. Really the only answer to such attacks is education as I’m willing to bet anything that if Apple hadn’t patched the flaw and I used the tool responsible for this (which is on GitHub as a proof of concept by the way) it wouldn’t find my greater than ten digits password…

      • Donovan

        True indeed. I agree.

  • Lol

    RIP Apple Cloud Payments System. Dead before birth.

  • That Guy

    Can’t remember who it was but I saw a pic of one of the celebs licking her boyfriend’s butthole.

    • Jesus Walks

      I need to find this picture.

      • http://mezcudi.tumblr.com/ Mezcudi

        same

      • benny001

        Ur sick, as Jesus said; what an adulterous generation you are.

      • Rowan09

        If you’re a man why would you want to see a woman licking a guy’s A-hole (unless you’re into those things)?

      • Dan

        I think you answered your own question

      • Rowan09

        I guess.

    • Tommy

      Kate Upton.

  • http://mezcudi.tumblr.com/ Mezcudi

    To be honest I don’t care about the hacking, I’m just happy I got to see Jlaw’s tits. Kate Upton shouldn’t even be bothered by that, she modeled nude before.
    I do agree with some that this incident came at a wrong time, since Sept. 9th is around the corner.

    • Rowan09

      I saw her pics too and it wasn’t that crazy.

      • Tommy

        Totally. If anything, i’d give it a rate of 5.0 outta 10. It’s just meh.

      • Rowan09

        I agree.

  • highNiggaPie

    this is one of the most amazing things to ever happen, apparently there was a celeb nude pic trading ring on the deep web and the only way to get in was with your own collection to contribute and theres hundreds more coming out this week WOOOHOOOO and womp womp to the apple fan boys that are gonna deny that iCloud was hacked

    • http://mezcudi.tumblr.com/ Mezcudi

      I love enthusiasm kid. lol

    • https://twitter.com/aidanharris1 Aidan Harris

      First of all congratulations on such a stupendous troll comment. You sir deserve a gold medal and a degree in trolling from [Insert Prestigious University Here] (or do you already have such things?).

      Again, to clarify, thanks for an amazing comment, it’s such a real eye opener to your opinion and most definitely contributes to the conversation of this article.

      /Sarcasm

      • highNiggaPie

        lol fanboy located…im not trolling don’t be so butthurt apple got hacked and nudes of the hottest celebrities are out go fap or go to sleep

      • https://twitter.com/aidanharris1 Aidan Harris

        1. Yes I’m an Apple fanboy
        2. Apple didn’t get hacked
        3. Going to sleep might not be such a bad suggestion, thanks.

      • highNiggaPie

        lol are u serious? apple did get hacked they wouldn’t even release a single statement if it had nothing to do with them get over it

      • https://twitter.com/aidanharris1 Aidan Harris

        Apple is investigating what has happened and hasn’t said anything as the investigation is likely still ongoing. This is a standard policy of Apple’s that they’ve employed in the past when security breaches have occurred.

      • highNiggaPie

        ok so where did all the pics come from? almost all of them had iPhones and apple is saying they fixed a findmyiphone loophole that allowed them to brute force the accounts and gain access to the passwords either way apple stuff was hacked into no matter which way you cut it just face it your beloved company got screwed

      • https://twitter.com/aidanharris1 Aidan Harris

        1. I don’t know where the pictures came from and neither does Apple (hence the investigation to see if iCloud is involved)
        2. Another site such as Dropbox or Flickr or really any other site that allows photographs to be uploaded could be to blame for this.
        3. A dictionary attack is equivalent to you typing into a browser the entire dictionary and all of its possible permutations. This isn’t an Apple, or iCloud security breach at all and shouldn’t even work if you have a strong password.

      • highNiggaPie

        lmao so all 150-200 celebrities happened to upload their nude pics to dropbox? no they took them on their iPhone and they didn’t realize that they had iCloud turned on and that the pics also get uploaded to iCloud photo stream and deleted them from the camera roll not knowing they were still there….face it

      • https://twitter.com/aidanharris1 Aidan Harris

        iCloud doesn’t even keep all of your photos unless you save them to a separate photostream. At least learn about the technology you’re attacking before making wild sporadic claims about said technology…

      • highNiggaPie

        it keeps all of the photos you take with the camera app you’re wrong kiddo go take 100 pictures and then wait 10 minutes and delete them from the camera roll and try to tell me all 100 pics aren’t still in your photo stream

      • https://twitter.com/aidanharris1 Aidan Harris

        No, iCloud Isn’t Backing Them All Up: How to Manage Photos on Your iPhone or iPad – http://www.howtogeek.com/175416/no-icloud-isnt-backing-them-all-up-how-to-manage-photos-on-your-iphone-or-ipad/

      • highNiggaPie

        but they’ll still be in iCloud until you delete them i know for a fact because whenever i jailbreak someones phone and tell them to backup their pics they realize they have photo stream and ask me why they still have pics in it from years ago that they deleted….get over it

      • https://twitter.com/aidanharris1 Aidan Harris

        You clearly didn’t read the article and I’m not going to engage in debate with you anymore for today since it’s obvious you aren’t interested in holding a constructive conversation and no this is not because “I’m an Apple fanboy” or because “Apple was hacked” (which it wasn’t) or whatever other nonsensical rubbish your reply to this comment may or may not be.

      • highNiggaPie

        1- you’re the biggest butt hurt fanboy I’ve ever encountered
        2- Apple’s iCloud was hacked along with MAYBE dropbox
        3- pictures get saved to iCloud after you take them if photo stream is enabled i don’t need to read an article on something i already know, like i said take 100 pics with photo stream enabled wait 10 min then delete them from camera roll check back in a week and see if they’re still there

      • Rowan09

        Photo stream will back up your pictures if you select the option, but once you turn it off it doesn’t. We don’t know what happened yet so assuming is the wrong thing to do. Anyways anything can be hacked and will be hacked, Anonymous showed us during their run.

      • peterbreis

        Who needs to hack anything?

        Just post any old offer, of any Cloud service on the Net and get people to sign up for it.

        All secured by their credit card number and details.

      • https://twitter.com/MrElectrifyer MrElectrifyer

        You really should learn stuff before telling others to do so…you’re just sounding like a hypocrite when you do that. As shown in the attached image (if you can read), having PhotoStream enabled will automatically upload ALL photos you take (after enabling it), to iCloud.

      • https://twitter.com/aidanharris1 Aidan Harris

        From the linked article I posted:

        1000 Photos: Photo Stream only backs up the latest 1000 photos. Do you have 1500 photos in your Camera Roll folder on your phone? If so, only the latest 1000 photos are stored in your iCloud account online. If you don’t have those photos backed up elsewhere, you’ll lose them when you lose your phone. If you have 1000 photos and take one more, the oldest photo will be removed from your iCloud Photo Stream.

        30 Days: Apple also states that photos in your Photo Stream will be automatically deleted after 30 days “to give your devices plenty of time to connect and download them.” Some people report photos aren’t deleted after 30 days, but it’s clear you shouldn’t rely on iCloud for more than 30 days of storage.

        iCloud Storage Limits: Apple only gives you 5 GB of iCloud storage space for free, and this is shared between backups, documents, and all other iCloud data. This 5 GB can fill up pretty quickly. If your iCloud storage is full and you haven’t purchased any more storage from Apple, your photos aren’t being backed up.

        Videos Aren’t Included: Photo Stream doesn’t include videos, so any videos you take aren’t automatically backed up.

        You’d think celebrities with their busy lives would easily end up reaching one of the above limits.

      • peterbreis

        Apple never got hacked the last time either, and that was why they released security fixes!

        I am sure we will see security updates for this not-being-hacked in due time.

      • Scripted

        Lol. Why you so salty? Raging hard on for Apple

      • https://twitter.com/aidanharris1 Aidan Harris

        I was trying to fight fire with fire and as a famous person once said “Please, don’t feed the trolls”. This famous quote still holds true today…

  • Andrew

    Definitely gonna hurt iphone 6 sales

    • Felix

      how?

      • https://twitter.com/aidanharris1 Aidan Harris

        Because a relatively small brute forcing attack on iCloud = “OMG, How could Apple let this happen, I need to overreact a little more because surely they’re doomed to sell a single iPhone 6 now”

      • highNiggaPie

        ahhaahah why so butt hurt? i bet you love your phone more than some cheeks

      • https://twitter.com/aidanharris1 Aidan Harris

        Just stating the truth. Nothing more, nothing less…

      • highNiggaPie

        naaaa ur just hating

      • https://twitter.com/aidanharris1 Aidan Harris

        If you say so. You’re entitled to express yourself and entitled to your own opinion even if I know such an opinion to be false, I’m not going to withhold that opinion from you.

      • 空白

        Some pictures of cheeks*

        Get a girlfriend and don’t be a creep bro.

      • highNiggaPie

        i wasn’t referring to the pictures i was referring to actual cheeks and i have a girlfriend and most definitely get more tush than you could imagine

      • 空白

        Let’s see some pics.

      • highNiggaPie

        just cause im a nigga that won’t talk shit unless im gonna back it up

    • coLin

      how? you know you can use the iPhone without iCloud. There are so many cloud services for backing up your data, contacts etc

  • TechLove

    I wonder if Samsung, Google will take this opportunity and do a phone chat with those celebrities and tell’em to switch on to their ecosystems!
    It would be a huge boost for samsung marketing team, as every high profile celebrity would then have a samsung!
    And what if samsung took to the streets and slam apple for this like they did with the maps.app!?

    • http://mezcudi.tumblr.com/ Mezcudi

      I thought about that too.
      They’re probably working on an Ad right now

    • Rowan09

      Gmail, YouTube, etc get hacked all the time and it wasn’t just iOS devices that got hacked in this leak.

  • https://twitter.com/MrElectrifyer MrElectrifyer

    Typical Apple; ignore all the complaints until it makes headlines…

    • https://twitter.com/aidanharris1 Aidan Harris

      Yes it’s totally Apple’s fault that users have weak passwords…

      • https://twitter.com/MrElectrifyer MrElectrifyer

        Haha, such butt hurt fanboy. This is Apple’s fault for not implementing a limit on the number of failed logon attempts…guess they were thinking different in that case too.

      • https://twitter.com/aidanharris1 Aidan Harris

        It shouldn’t matter if such limit is present or not. If you have a strong password a brute force attack is not going to reveal your password. The blame as always lies with the user for not utilising two-step authentication and making use of strong passwords. In addition to this users shouldn’t even store sensitive information in iCloud. Sensitive information needs to be stored offline in a secure manner and under your control if you truly want such information to remain secure…

      • https://twitter.com/MrElectrifyer MrElectrifyer

        Right, it shouldn’t matter ’cause some die-hard Apple fanboy says it shouldn’t…listen dude, a GPU (not CPU) can crack any password using bruteforce methodology within a few hours (http://bit.ly/1CkobMQ) due to its hundreds of computing cores. If your system ain’t smart enough to limit number of allowed failed attempts, you’ll always be vulnerable to such brute-force attacks…

      • https://twitter.com/aidanharris1 Aidan Harris

        Not if you use long complex passwords

        Stop using MrElectrifyer123 as your password and employ 10, 20, or even 30 or greater digit passwords that make use of symbols and alphanumerics. A password manager can help greatly in this regard.
        As for your comments on the GPU you still need to ask iCloud “Is this the password” and iCloud needs to respond “Yes” or “No”. So you’re naturally limited by the length it takes iCloud to respond to you. Even with this limit I have a hard time believing that anything but a supercomputer or botnet could crack long complex passwords and even if they could would such an attempt not be futile if the user had just enabled two-step authentication?

      • https://twitter.com/MrElectrifyer MrElectrifyer

        “Not if you use long complex passwords”

        Keep telling yourself that, despite the clear evidence being just a google away.

        “So you’re naturally limited by the length it takes iCloud to respond to you.”

        Uhm, computers are smart enough to detect when a page has finished loading…welcome to the 21st century.

      • Maxim∑

        are you denying a brute force can be unsuccessful with a more complex password?

        the rainbow tables only cover common ones and are usually 6GB in size, normal computer can do 10,000 passwords a second.

        These celebs are most likely uneducated on this and their passwords were pretty simple.

      • https://twitter.com/MrElectrifyer MrElectrifyer

        “are you denying a brute force can be unsuccessful with a more complex password?”

        I think the longer your password, the longer it will take to crack it via the brute force methodology.

        “the rainbow tables only cover common ones and are usually 6GB in size”

        Uhm, according to Wikipedia (http://bit.ly/1tpIANI), rainbow tables are precomputed lookup tables of hashes, and they’re used in order to save time, at the cost of space. In the case of a brute force method, a hash is calculated on every attempt, which takes more processing time but less storage than a simple lookup table.

        So, while a rainbow table methodology would be fast but limited to a precomputed set of hashes, a brute force methodology is boundless but slower and can crack any password in a few hours or days if there are no limits on number of attempts.

        I’m not questioning the celebs being uneducated, just saying that it’s partly Apple’s fault for not putting a limit on the number of failed attempts allowed.

      • 空白

        Kinda have to disagree. Apple should def. have a limit when it comes to password attempts. I’m there with you though and don’t think you’re a ‘butt hurt fanboy’. Nothing has been proven. The Apple is doomed boys are more amped about this than anyone.

      • https://twitter.com/aidanharris1 Aidan Harris

        For the record, I do think a limit should be present I just don’t think the limit is to blame. It’s obvious poor security is to blame for this and as you say anyone saying otherwise is clearly gunning for the position of president of the “Apple is doomed fan club”.

      • ishyg

        “fault for not implementing a limit on the number of failed logon attempts”

        I thought there was. I can’t log in after several failed attempts.

      • https://twitter.com/MrElectrifyer MrElectrifyer

        Guess they partially implemented it, ’cause if it was present on all login pages, a brute-force attack wouldn’t have worked…I recall reading that it was on the Find My iPhone login page that the brute force attack was performed.
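
The limit argued over in this thread, as an added example that is not part of the original article or comments: a per-account failed-attempt lockout with owner notification, next to a second login path on the same account that skips it, which is the partial coverage described just above. The class, function names, threshold, lockout period and wordlist are all constructed for illustration and everything runs in-process.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed value for "X attempts"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout period


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Hypothetical service with two login paths to the same accounts."""

    def __init__(self):
        self.accounts = {}
        self.notifications = []   # stands in for "send emails explaining why"

    def add_account(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _password_matches(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        candidate = hash_password(password, acct.salt)
        return hmac.compare_digest(acct.pw_hash, candidate)

    def login_throttled(self, user: str, password: str, now: float) -> str:
        """Main login path: counts failures and locks the account."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"       # even the correct password is refused
        if self._password_matches(user, password):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.notifications.append(user)
            return "locked"
        return "denied"

    def login_unthrottled(self, user: str, password: str, now: float) -> str:
        """Second path that checks the same password but was never wired
        to the failure counter: the gap that makes the limit ineffective."""
        return "ok" if self._password_matches(user, password) else "denied"


def run_guesses(login, user, candidates, now=0.0):
    """Feed candidates to one login path; return (result, attempts made)."""
    for attempt, guess in enumerate(candidates, start=1):
        result = login(user, guess, now)
        if result in ("ok", "locked"):
            return result, attempt
    return "denied", len(candidates)


def demo():
    svc = AuthService()
    svc.add_account("user@example.com", "Password1")
    # Constructed list of common passwords; the real one is the 8th entry.
    wordlist = ["123456", "qwerty", "letmein", "12345",
                "iloveyou", "monkey", "dragon", "Password1"]
    unthrottled = run_guesses(svc.login_unthrottled, "user@example.com", wordlist)
    throttled = run_guesses(svc.login_throttled, "user@example.com", wordlist)
    return unthrottled, throttled, svc.notifications


if __name__ == "__main__":
    print(demo())
```

The lockout only protects the account if every path that accepts the password goes through the same counter; auditing for endpoints that call the password check directly is the practical takeaway.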

  • Sean Clark

    I remember when I accidentally sent nude photos to everyone on my contact list. I spent so much money on postage stamps.

  • TechLove

    I have seen the majority of the leaked pics and i can confirm this is not ‘just’ an iCloud leak.
    There are dozens of pics where the celebs are holding an android device, there was even a screenshot of dropbox contents of a celeb…
    So if we conclude something, it’s not totally apple’s fault, but rather those stupid celebs who set some weak passwords!
    Edit: @aidan harris, you have some valid points bro!

    • http://www.eazycomputers.com/ PhoneTechJay

      I’m definitely sure it’s not just iCloud. Even if there were some taken from the cloud a majority of these photos are from the celebs’ devices, android and iOS.. I’m pretty sure it’s just an email address hack..

    • Domodo

      Right. Because in this Universe it is impossible to transfer content to another Apple device, such as a Mac, iPhone or iPad.

    • Chun-Li aka ThunderThighs

      Mhm because people can’t transfer photos to their idevice mhm right.

  • Steven Honey

    The NSA is the original uploader. what did you think they were doing with all that info? That they were actually fighting terrorism??? lol.

  • jack

    one of the celebs said she uses android… I’m sure by now Apple knows what’s going on, since they have REACT under their payroll

  • Gary LE

    So someone hacked into celebrities’ iCloud accounts? Not ours right?

  • n0ahcruz3

    Oh yeah JLaw pics were awesome lol

  • Bryan James Bassett

    could easily see this being samsung’s work

  • z1n

    Still nothing concrete on how this happened? All I can find are speculations. Seems this is more a PR issue than anything else.

  • Dmaez

    Man this is not good PR for Apple a week or so before the iPhone 6 announcement :/

  • mlee19841

    where are these pics posted. what website…so many of them what specific website. -mac voice.

  • http://amslv.com/ Jason Simms

    I wonder why they were completely unable to sense something wrong was going to happen! Not even a hint? If big guys like Apple can’t keep their customers’ identity safe, who else on this planet can? One more such event and all aware customers will switch their brand.