Apple Friday denied the details of yesterday’s report that an Australian schoolboy broke into its servers last year, downloaded 90GB of data and accessed customer accounts.
Reuters quoted an Apple spokesperson as saying:
Apple’s information security personnel discovered the unauthorized access, contained it and reported the incident to law enforcement. We want to assure our customers that at no point during this incident was their personal data compromised.
As we reported yesterday, Australian newspaper The Age said that the boy, whose name can’t be revealed for legal reasons because he was a juvenile offender, has managed to obtain “authorized keys” that grant log-in access to users.
He was able to download about 90GB of “secure files”.
The newspaper claimed the boy accessed customer accounts as part of his offending. The boy plead guilty to hacking into the company’s servers after an FBI raid on his family home had revealed downloaded files on his computer along with a folder that contained a wealth of tools and documents for hacking.
The folder was amusingly named “hacky hack hack”. The report added that the boy had boasted about his activities on the mobile messaging service WhatsApp. He reportedly justified his actions by telling investigators he had “dreamed of” working for Apple.
In my comment to the original story, I wrote that I didn’t think the teenager actually hacked his way into Apple’s servers by circumventing Apple’s protections or got hold of the encryption keys. Instead, I argued, he probably gained access to user names and passwords of a few iCloud accounts via social engineering, phishing attacks or other methods.
He would then probably set up an offending iCloud account on his own device and restore an unsuspecting user’s data like photos, messages, contacts and more (that is, download 90GB of “secure files”).
This whole story sounds to me a lot like one of those hacks involving iCloud phishing to steal nude pics from celebrities. Indeed, the original report stated that the boy got his hands on “authorized keys” (access credentials for individual iCloud accounts).
Thoughts?