Apple confirms celeb photo leak was the result of a “very targeted attack,” not an iCloud breach

Sep 2, 2014


In a statement this afternoon, Apple provided an update for its ongoing investigation into the alleged iCloud hack that resulted in a massive leak of hundreds of revealing celebrity photos. The company says it has determined the scandal was not the result of a breach in iCloud or any subsequent services.

Instead, Apple says it discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that “has become all too common on the Internet.” The firm says it continues to work with law enforcement to help identify the attackers.

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

On Sunday, several photos showing prominent celebrities either nude or scantily clothed surfaced on the Internet. The trove is said to have originated on a 4chan forum, with someone claiming to have stolen them via an iCloud attack, and looking to trade them for Bitcoin and other forms of digital currency.

Apple said yesterday that it was investigating the situation, and it was reported that a recently-patched Find My iPhone vulnerability played a part in the attack, but those rumors were obviously put to bed today. A search is ongoing for the individual(s) responsible, but so far no arrests have been made.

[Apple]

  • Unicorn Drank

    Guess I'll be switching to Windows Phone from now on.

    • Lordrootman

      From bad to worse

    • Kenny NL

      Because you have top secret photos on your phone? If any hacker wants mine, they’ll just have to ask.

    • Kenan

      Everything is hackable.

      • Jonathan

        Even my pants?

      • Domodo

        Smooth.

      • http://www.eazycomputers.com/ PhoneTechJay

        Using the correct female algorithm.. Yes.

      • benny001

        Lolllll haha

      • DIesel

        / possibly male..

      • Guest

        ??

      • Domodo

        You think this is Facebook? No to picture comments…just no. Unless they’re wallpapers

      • Kenan

        Of course not. You are a virgin.

    • Unicorn Drank

      It was just a joke, guy, it was just a joke!!.. now I feel like I’m the one being attacked lol.. also Kenny NL, you never know what kind of work a random stranger does on the internet :)

    • Tobias9413

      Or maybe just don’t have easy, simple, stupid passwords and answers for your security questions. That’s how they got “hacked”: they basically guessed their passwords and what not. More like phishing, not hacking. And they more than likely first “hacked” the celebrities’ emails and used that to “hack” iCloud. So you may want to switch emails too.

    • DIesel

      I think the point of the story was you should only worry if you’re a sexy female celebrity..

      But enjoy windows bud

    • jack

      same thing will happen if you keep dumb

  • https://twitter.com/aidanharris1 Aidan Harris

    It would seem that, not for the first time, the Apple haters were wrong. Let’s just hope this doesn’t affect the image of Apple and iCloud too much. That’d be the last thing they’d want before such a huge event.

    • benny001

      Dude ur ignorant. I dont care/favor any comp. but if there is a computer there is a hack. Very simple. No one is completely walled off from threat.

      • https://twitter.com/aidanharris1 Aidan Harris

        Please do explain to me how I’m any of the following:

        1 lacking knowledge or awareness in general; uneducated or unsophisticated: he was told constantly that he was ignorant and stupid. • [predic.] lacking knowledge, information, or awareness about something in particular: I was largely ignorant of the effects of radiotherapy.
        2 informal discourteous or rude: this ignorant, pin-brained receptionist.
        3 black English easily angered: I is an ignorant man—even police don’t meddle with me.

        You have no idea who I am. You can make as many predictions and assumptions as you want, but the fact of the matter is that you don’t know me. For you to even begin to declare that I am “ignorant” is so ostentatious it’s just beyond belief.

      • Kr00

        Anyone who starts a conversation with, “dude”, then follows up with a “ur”, you know you’re not chatting with a genius. He pretty much exposed his own ignorance right there.

    • Maxim∑

      This is why I wish the media waited before saying “iCloud was hacked” because it wasn’t…..

      • Domodo

        Technically, it was.

      • Maxim∑

        A targeted brute force attack does not equal Apple servers being compromised. Because that’s what the cloud/iCloud is..

        Hacking iCloud would be someone gaining access to server administrator accounts and downloading people’s photos directly from the server or planting malware internally w/e…

      • Domodo

        Apple’s servers were compromised… by a brute force attack.

      • https://twitter.com/MrElectrifyer MrElectrifyer

        He’s actually right; it wasn’t an iCloud hack, it was an iCloud account hack.

      • Kr00

        Why don’t you just give up. You’re wrong.

      • Your Mother

        hacked is hacked regardless of how it happened.

      • Leo

        Hey, I’ve got your password, I’m now going to hack into your account by typing your password into the password box ^^ YAY for hacking! Woooo~

      • Kr00

        No. Individual accounts were accessed. Your suggestion implies that the whole cloud service was hacked. It wasn’t.

    • Domodo

      Apple haters were wrong? Don’t you mean realistic people were correct when they said how this was an attack on Apple, iCloud.

      How about we start hating on Apple for keeping photos on their servers, despite the fact users delete(d) them? Yeah, how about that?

      • https://twitter.com/aidanharris1 Aidan Harris

        This is exactly what I meant. As for your comment regarding deleted photos being kept, I assume you know that practically all online services keep deleted content for a certain period for legal reasons. In addition to this, if you delete a photo it is still going to be present in older backups, so all a hacker who’s compromised an iCloud account would have to do is restore an older backup to an iOS device and they could get deleted photos that way.

    • toortoor

      I have to disagree with you, first of all you classify anyone who was concerned as “apple haters”, then you assume with 100% certainty what apple has said was the truth.

      when have you ever seen a company or etc admit fault and take responsibility for something the public doesn’t know is their fault?

      the max they would admit is what is already known, which in this case is taking advantage of weak passwords through brute-force and security questions.
      which I find unlikely, because as far as I remember Apple does enforce a relatively strong password (>8 char + Upper + Lower + number), which makes it difficult for a hacker to target this many people and be successful (maybe he is working for intelligence ;) )

      anyways,
      one cannot be 100% certain, but considering this and also the matter of deleted photos kept by Apple (which you can’t get by simply knowing the user/pass, because you don’t have access to your deleted photos), I would say there is a likelihood that iCloud was indeed hacked,

      but apple will never admit (why would they?, when it damages their reputation, and there is no proof out there to suggest otherwise), and you will never know,
      unless the hacker (or somebody else) decides to release the proof.

      so saying “well, apple said xx so, so that settles it”, you are either very naive or biased.

      I just hope they found it and patched it ;)

      • https://twitter.com/aidanharris1 Aidan Harris

        You should read this. It explains what happened better than any other site I’ve read so far and the author is in the security business:
        http://www.zdziarski.com/blog/?p=3783

      • toortoor

        it doesn’t change my point,

        the only thing that matters there, is that it suggests the deleted photos could have been from backups, which is possible, no argument there.

        but let me tell you, brute-force may sound simple, but it is not (from someone who has in the past written something in that regard),

        check out tools like this: lastbit[.]com/pswcalc.asp

        you will find out how many requests are needed to break a password with Apple’s minimum security requirement in a short amount of time (and even that is for a local file).

        imagine, let’s say, only 500,000 requests per second,
        that means the hacker’s computer should be able to initiate that many requests, and Apple’s servers should respond to that many requests (per second). Now think about the actual number of requests needed and the time it would take for Apple’s servers to respond to each request without causing a DDoS ….

        you see……,
        it is possible with brute-force,
        but I find it unlikely this was done by brute-force, especially considering the number of people involved.

        and they all happened to magically use weak passwords, with the password policy in place :),

      • https://twitter.com/aidanharris1 Aidan Harris

        It’s still possible to have weak passwords. I think the password Password123 is accepted for example since it’s of a certain length, has a capital letter and numbers yet is so obviously insecure. I used the calculator to figure out approximately how long it’d take to brute force my password (or rather the maximum amount the tool allows to calculate which is 20 since my password is longer than 20 digits) and it came back with this:

        Brute Force Attack will take up to 2.8420938392451627e+26 years

        This leads me to conclude that either they had weak passwords or didn’t have two-step authentication enabled, meaning hackers could guess their security questions. Either way I don’t think Apple has been hacked. If they can keep a product like the iWatch safe from prying eyes I’m pretty sure they can keep our data stored securely on their servers…

        I think as you say a brute force attack might be on the cards but because of the scope of the attack something else is likely at fault…
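The two comments above (toortoor's 500,000-requests-per-second estimate and Aidan Harris's observation that a password like Password123 satisfies a length-plus-character-class rule) can be made concrete with a short script. This is an added example written for this page, not code from the article or from any commenter. The "8 characters with upper, lower and digit" policy, the 62-character alphabet and the small denylist of common base words are assumptions constructed for it, not Apple's documented rules.

```python
import re

# Assumed minimum policy as the commenter describes it: 8+ characters with an
# upper-case letter, a lower-case letter and a digit (assumption for this example).
MIN_LEN = 8
ALPHABET_SIZE = 62                       # a-z, A-Z, 0-9: smallest alphabet the policy allows
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_complexity_policy(pw: str) -> bool:
    """True if pw satisfies the length / upper / lower / digit rule."""
    return (len(pw) >= MIN_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


# Constructed denylist of common password bases. A real check would consult a
# breached-password corpus rather than a hand-written set like this one.
COMMON_BASES = {"password", "letmein", "welcome", "qwerty", "iloveyou",
                "admin", "monkey", "summer", "winter"}


def normalise(pw: str) -> str:
    """Reduce a password to its base word: lower-case it, drop the trailing
    digits/symbols people append to satisfy policies, undo leet substitutions."""
    base = pw.lower()
    base = re.sub(r"[0-9!@#$%^&*._-]+$", "", base)
    return base.translate(str.maketrans("0134$@", "oieasa"))


def is_predictable(pw: str) -> bool:
    """Flags passwords that are a common word plus policy-satisfying decoration."""
    return normalise(pw) in COMMON_BASES


def assess(pw: str) -> dict:
    """What a composition rule alone says versus what a denylist adds."""
    policy_ok = meets_complexity_policy(pw)
    predictable = is_predictable(pw)
    return {"meets_policy": policy_ok,
            "predictable": predictable,
            "accept": policy_ok and not predictable}


def brute_force_keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidates of exactly `length` characters over the alphabet. This is an
    upper bound for the policy minimum: the rule excludes single-class strings."""
    return alphabet_size ** length


def expected_guess_time_years(keyspace: int, guesses_per_second: float) -> float:
    """Average time to find one uniformly chosen password by exhaustive search:
    half the keyspace divided by the guess rate."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def dictionary_attack_time_seconds(candidates: int, guesses_per_second: float) -> float:
    """Worst case for a guess list (common bases times a few decorations)."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for pw in ("Password123", "Summer2014!", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{pw!r:35} {assess(pw)}")
    ks = brute_force_keyspace(MIN_LEN)
    print(f"8-char keyspace: {ks:,} -> "
          f"{expected_guess_time_years(ks, 500_000):.1f} years at 500,000 guesses/s")
    # A list of 7 bases x ~1,000 decorations is ~7,000 guesses: a fraction of a second.
    print(f"7,000-entry guess list: {dictionary_attack_time_seconds(7_000, 500_000):.3f} s")
```

Running it shows the gap the thread is circling. Password123 and Summer2014! pass the composition rule and fail the denylist; a 28-character passphrase fails the rule outright; exhaustive search of the 8-character minimum at 500,000 guesses per second averages about 6.9 years, while a list of a few thousand "common word plus decoration" candidates covers the predictable passwords in a fraction of a second. A composition rule cannot tell the two cases apart; a breached-password denylist and a limit on online guesses can.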

    • Rowan09

      I understand what you mean, I was reading the other comments prior to this article. I asked for people to wait before casting judgment, but anytime the news says something we all know it’s right (sarcasm).

  • Riley Freeman

    Uh oh. Here comes the internet memes and a ton of overreaction and paranoia.

    • Domodo

      Paranoia is good when it comes to this type of thing. (nudes, that is…)

  • Domodo

    But wait a second… Weren’t people on this very blog, in the comments section, talking about how this could be a hoax by Samsung because they, believe it or not, saw Samsung devices in the leaked images?

    How will the fanboys sleep tonight?

    • https://twitter.com/aidanharris1 Aidan Harris

      Lol. There will always be people with tinfoil hats on and bits of string trying to connect the dots and come up with theories about why things have happened. Although as wild as the theory that Samsung did this is, you have to admit that it’s definitely feasible for them to do such a thing…

  • ISo

    FYI this leak did not originate on 4chan, it originated on Anon-IB.

  • Xee

    Who cares?

  • Franklin Richards

    If hackers want something enough they will find a way to get it. It just so happens what they wanted was on the iCloud. Honestly though whoever thought your photos and sensitive info is safe on the cloud has to rethink security practices. Hacks most likely won’t happen to you unless you are someone important. If you’re just some average schmo you don’t really have anything to worry about.

  • n0ahcruz3

    Apple apologist in 3.. 2.. 1.. Lol

    • Kr00

      Who needs to apologise for anything? Not the fault of any cloud services if you use known IDs and easy to crack passwords. Like someone stated, “It doesn’t matter if you have the world safest vault in the world if you don’t know how to keep your keys safe”.

      • n0ahcruz3

        Apple security sucks i know lol

  • n0ahcruz3

    Apple devices are FIPS certified and this happens… Oh wait lol

  • becoolyolanda

    this will have absolutely zero effect on the iPhone 6

  • http://twitter.com/int3nsive Int3nsive

    Analogy for the people who know nothing about security.

    “It doesn’t matter if you have the world safest vault in the world if you don’t know how to keep your keys safe”.

  • http://www.truffol.com Truffol

    You bet all celebrities are ditching iCloud this week. The female ones at least, as male celebrities don’t really ever get targeted.

  • https://twitter.com/MrElectrifyer MrElectrifyer

    Yeah, it wasn’t an iCloud hack, it was a successful brute-force attack on certain iCloud accounts due to the lack of a limit to number of failed log-in attempts allowed…people are mistaking iCloud account hack for iCloud hack.

    • Kr00

      All cloud services work the same way. Photobucket had the same thing happen with thousands of accounts. Apple do encourage users to activate the two step verification system. These celebs used publicly known email addresses as their Apple ID. Dumb. Taking multiple nude pics of themselves, even dumber.

      • https://twitter.com/MrElectrifyer MrElectrifyer

        “All cloud services work the same way”

        Nope. Try entering your password wrong multiple times on OneDrive and see what happens. Whichever cloud service provider does this is being negligent. There should be a limit to number of allowed failed attempts, simple as that, and accounts won’t be prone to this brute force attack.

        “Apple do encourage users to activate the two step verification system.”

        They do encourage, and I have my reasons (http://bit ly/1x2MONM) for turning such feature off in the case of Apple…funny thing is, they used this “there’s a limit to number of allowed failed log-in attempts” excuse to defend the account lock, yet as the headlines prove, that wasn’t even implemented in the first place…such capitalist liars.

        “These celebs used publicly known emails addresses as their Apple ID. Dumb. Taking multiple nude pics of themselves, even dumber.”

        Couldn’t agree more. It’s partly their fault and partly Apple’s fault.
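MrElectrifyer's point above, that an account is only exposed to online guessing when nothing limits failed attempts, is what a login throttle enforces. The following is an added example written for this page; it is not Apple's or OneDrive's logic, whose actual policies are not shown anywhere in the thread. It keeps a per-account failure counter with an escalating lockout and runs against a fake clock so the demonstration is deterministic. The five-attempt limit, the 60-second base lockout, the `alice` account and the plaintext credential store are all constructed for the demo.

```python
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed credential store. A real service verifies a salted hash; plaintext
# is used here only because the point is the throttle in front of the check.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # lockouts so far; drives the escalating duration
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account limit on failed attempts with escalating lockout.

    Assumed policy (this example's, not any vendor's): after MAX_FAILURES
    consecutive failures the account is refused for BASE_LOCKOUT seconds,
    doubling on each further lockout up to MAX_LOCKOUT. While locked the
    password is not evaluated at all, so a guesser cannot learn whether the
    next candidate would have been right.
    """
    MAX_FAILURES = 5
    BASE_LOCKOUT = 60.0
    MAX_LOCKOUT = 3600.0

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = defaultdict(AccountState)

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        st = self.accounts[user]      # unknown users get state too: no enumeration oracle
        if now < st.locked_until:
            return "locked"
        stored = USERS.get(user, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.MAX_FAILURES:
            duration = min(self.BASE_LOCKOUT * 2 ** st.lockouts, self.MAX_LOCKOUT)
            st.locked_until = now + duration
            st.lockouts += 1
            st.failures = 0
        return "fail"


def max_guesses_per_day(max_failures: int = LoginThrottle.MAX_FAILURES,
                        lockout: float = LoginThrottle.BASE_LOCKOUT) -> float:
    """Upper bound on online guesses per account per day under a fixed lockout
    (the escalating version above allows fewer)."""
    return max_failures * 86400 / lockout


class FakeClock:
    """Controllable clock so the demo runs instantly and deterministically."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Constructed attempt sequence: a guessing burst, the real user, a second burst."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    results = []
    for i in range(7):                     # burst of 7 guesses: only 5 are evaluated
        results.append(throttle.attempt("alice", f"guess{i}"))
    clock.advance(61)                      # first lockout (60 s) has expired
    results.append(throttle.attempt("alice", "correct horse battery staple"))
    for i in range(5):                     # second burst triggers a 120 s lockout
        results.append(throttle.attempt("alice", f"again{i}"))
    clock.advance(61)
    results.append(throttle.attempt("alice", "again9"))   # still locked
    clock.advance(60)
    results.append(throttle.attempt("alice", "again9"))   # lockout over: evaluated, fails
    return results


if __name__ == "__main__":
    print(demo())
    print(f"at most {max_guesses_per_day():.0f} guesses/day per account under a fixed 60 s lockout")
```

`demo()` returns the outcome of each attempt: five `fail`, two `locked`, the legitimate `ok` once the lockout lapses, then five more `fail`, a `locked` that persists past the first 61 seconds because the second lockout is twice as long, and finally a `fail` once that lapses. Against a fixed 60-second lockout the bound is 7,200 guesses per account per day, compared with the 500,000 per second discussed earlier in the thread. Two caveats a practitioner would add: a hard lockout is itself a denial-of-service lever against a known username, so production systems usually pair a modest per-account limit with per-source throttling, progressive delays or a CAPTCHA, and put a second factor in front of anything sensitive; and the counter has to cover password-reset and security-question endpoints as well, since the article describes those being targeted alongside passwords.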

      • Alamo Fan

        People using their credit cards at Home Depot to buy stuff – Even dumber. This is an invasion of privacy and a digital sexual assault. Quit the victim shaming.

      • Kr00

        Geez, you think? Same thing if someone breaks into your house and steals sex videos you make. You obviously partake in the selfie indulgence yourself, defending such idiotic behaviour. Just my opinion. Quit opinion shaming.

  • Thee Tommy Gunz

    It’s only “criminal” when the government isn’t doing it right?