Apple’s iCloud is secure; weak passwords and gullible users are not

“The week before a crucial launch of its new iPhone, Apple Inc said intimate photos of celebrities including Oscar-winner Jennifer Lawrence were leaked online through the apparent hacking of individual iCloud accounts,” Edwin Chan and Christina Farr report for Reuters.

“Apple rushed to restore confidence in its systems’ security, saying the celebrity photo scandal that also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems,” Chan and Farr report. “‘We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,’ Apple said in a statement. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.'”

“The celebrity hacking that came to light over the long Labor Day weekend nevertheless ranks among the highest-profile public fiascos for Apple in recent years. Regardless of how the leaking of nude celebrity photos actually happened, the timing could not have been worse for Apple as it prepares to launch a new iPhone next week,” Chan and Farr report. “Cybersecurity experts say the perpetrators possibly gleaned the celebrities’ email addresses and mounted a long-term phishing attempt – a relatively straightforward attack through which hackers gain access to users’ accounts by getting them to click on a compromised URL or Internet link.”

Read more in the full article here.

MacDailyNews Take: The problem, beyond those who click links in emails willy-nilly, is that too many people use one password for multiple services, and weak passwords at that. Once attackers guess or phish that one password, they have access to everything it protects: cloud storage, bank accounts, Facebook, Twitter, email, etc.

Regardless of where these photos and videos originated, credential-stealing social engineering attacks can be blunted, at least for iCloud: enable two-step verification for your Apple ID, so that a guessed or phished password alone is not enough to sign in. More info here.

As we’ve written before: Always use a unique password for every service, and use Apple’s Keychain Access and iCloud Keychain to generate and manage them. When used properly, it works like a dream.

Related articles:
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

45 Comments

        1. Doesn’t sound plausible. Your SIM must receive the SMS. You can receive the SMS only on your Mac because the new iMessage will use BTLE technology to relay your iMessage messages (including SMS) from your phone to the desktop.

  1. I’m not terribly security conscious, but even I know to keep my passwords unique. And I have separate email addresses: one for my personal life and others I give to companies that sell me stuff, and no-one (except my wife and Apple) knows our iCloud email address. Oh. And any naked pictures we may (or may not) have made aren’t backed up on the cloud 🙂

  2. I appreciate the lesson Jennifer Lawrence had to learn.
    I guess this will be the shake-up-the-world wake-up call to think about security, privacy, password algorithms and what to share and what not, BUT most of all:

    How secure is your password ?

    Does it contain at least one symbol / special character, upper AND lower case letters and numbers as well?

    Here is one little piece of advice

    Don’t choose simple passwords like “1qaz+wsy”
    or “jenny123”

    To be safer think different:
    Example, choose every first letter of each word of this easy to remember sentence:
    “The first movie I got an Oscar for was the Hunger Games” =
    TfmIgaOfwcTHG would not be too bad, right?

    To make it even safer, make some changes here:
    TfmIga04wc”THG”

    That’s pretty easy to remember and much safer!

    Go another step further like:

    Tfm>Iga04<wc"THG"

    Pretty hard to hack, if you are not Jennifer Lawrence, because this password sentence itself is too obvious on her account 😉 So Jenny, how about:

    "When the world is running down, you make the best of what's still around"
    I guess we will see Jennifer very soon in another blockbuster movie and of course not only the guys will still love her very much as an outstanding beauty and actress!

    Another piece of good advice:
    Do not use your iCloud password somewhere else !

    Your smartphone has become an important part of your privacy and this has to be protected well, don't you forget it!
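To turn the advice in this comment and in the MacDailyNews Take above (a unique password per service, mixed character classes, a password built from the initials of a sentence) into something you can actually check, here is an added example in Python. It is not code from the original page or from Apple. The vault it audits is constructed sample data, with `jenny123` and `1qaz+wsy` being the weak examples quoted above; the 12-character minimum is an assumed threshold, not one the page states.

```python
"""Audit a password list for reuse, length and character-class coverage,
and build a sentence-initials password the way the comment describes.
Added example with constructed sample data; not the page's or Apple's code."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault of (service, password). Not real credentials.
SAMPLE_VAULT = [
    ("icloud", "jenny123"),
    ("bank", "jenny123"),               # same password reused on a second service
    ("twitter", "1qaz+wsy"),
    ("email", 'Tfm>Iga04<wc"THG"'),     # the comment's hardened example
]


def initials_password(sentence, substitutions=None):
    """First letter of each word, then optional one-time replacements
    (e.g. {"O": "04"}) as the comment suggests."""
    pw = "".join(word[0] for word in sentence.split())
    for old, new in (substitutions or {}).items():
        pw = pw.replace(old, new, 1)
    return pw


def char_classes(pw):
    """Which of the four character classes the password contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def audit(vault, min_len=12):
    """Return {service: [findings]}; an empty list means nothing flagged.
    min_len is an assumed threshold for this example."""
    findings = defaultdict(list)
    # Group services by a hash of the password so reuse is found without
    # comparing plaintext pairs.
    by_digest = defaultdict(list)
    for service, pw in vault:
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(service)
    for services in by_digest.values():
        if len(services) > 1:
            for s in services:
                others = ", ".join(x for x in services if x != s)
                findings[s].append("reused on: " + others)
    for service, pw in vault:
        if len(pw) < min_len:
            findings[service].append(f"shorter than {min_len}")
        missing = [name for name, present in char_classes(pw).items() if not present]
        if missing:
            findings[service].append("missing classes: " + ", ".join(missing))
    return {service: findings.get(service, []) for service, _ in vault}


def random_password(length=20):
    """What a password manager generates: random, per-service, no sentence to guess."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for service, problems in audit(SAMPLE_VAULT).items():
        print(f"{service:8s} {problems or 'ok'}")
    print(initials_password("The first movie I got an Oscar for was the Hunger Games"))
    print(random_password())
```

Run it and the two reused `jenny123` entries are flagged three times each (reuse, length, missing upper-case and symbol), `1qaz+wsy` twice, and the comment's hardened example passes; the last line shows the kind of value a password manager would hand you instead.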

    1. Thank you for your excellent and helpful post. I’ve read a lot of chuckling at the victims of these attacks because they are celebrities. But they are victims, regardless of whether they used strong, unique passwords and two-factor authentication – or not.

      The point here, one you made so well, is that all of us should learn from these attacks. My hunch is that the celebrities were victims of a targeted spear phishing attack. Sadly, these are becoming more sophisticated, and are often used by foreign intelligence agencies or high level hackers to gain access to corporate and government networks through carefully crafted emails with links. It could happen to all of us.

      Your suggestions are ones we should re-read, regardless of whether we practice them or not. Criminals are crafty and motivated. We have to stay a step ahead. I’m disgusted that the victims of this hack were all women, likely the target of a basement-dwelling script kiddie loser.

      Karma works slowly, but eventually, it will.

    1. I know what you mean, but don’t you think she just wants to be an average person doing stupid things from time to time, especially when you feel safe with Apple’s ecosystem?

      She’s got curves man, and you know what? I would take naked selfies the whole day if I were in her shoes!

  3. Browsing the web, the pundits are STILL trying to twist it as Apple’s fault (as they were bashing Apple all through the weekend based on fact-less Apple-hate suppositions). Apple bashing gets more page hits than a bland ‘not Apple’s fault’.

    If Apple came up with a device easily used by the BLIND , pundits will headline “With New Product Apple Again IGNORES the DEAF!”.

    1. Yeah, already I’ve seen quite a number of “Why would I deal with Apple mobile payments after iCloud has been hacked.” Stupid for two reasons. One is that iCloud was not hacked, and mobile payments using a fingerprint and an AX Secure Enclave processor would be a huge difference. No matter. If people are looking for reasons to fault Apple and can’t find them, then they’ll just make up some reasons of their own.

      The news media grabs an article and then repeats it endlessly without ever checking the facts. All of them busting their asses to get attention. If Apple says they’re not at fault, then there will be some articles saying Apple is simply trying to cover up their breach. That’s how it is.

  4. Phishing attacks are a part of the problem, and they are getting worse. While I can spot phishing pages, they can look identical to login pages, so I don’t think one has to be totally gullible to type their password into one.

  5. Look at MDN trying to toe the Apple line. Of course iCloud was compromised. I’d expect nothing less from Tim “the steward” Cook’s rotting Apple. That’s right, blame the users. It is never Apple’s fault. They are blameless and innocent and can never be blamed for anything.

  6. Two step verification is being used to deflect the blame. The celebs are idiots for taking the photos in the first place.

    However, all vendors including Apple need to take privacy and notifying users of a potential hack seriously. I have never received an email when I typed the wrong password. How hard is it to give users the option to receive a text and/or email on every failed login attempt, or on an arbitrary number chosen by the user within a given time period selected by the user?

    Users are too trusting and do not take security seriously which I think is dumb but more importantly those who just blame users or recommend using complicated methods are self-promoting hacks who do not live in the real world.

    It is very simple to keep users informed and empowered to take the right action.

    Apple is the only company I trust to finally take this on and I bet Apple has been working on this to make sure iPay or whatever pay service is called will be world class secure.

  7. 1- Storing anything of value on a 3rd party server when you really do not need to is kind of stupid IMHO.
    2- My iCloud account and my Apple ID are completely different. Makes things a touch more complex to set up, but works better in the end.
    3- I will NOT be using Apple mobile payments any time in the near future until I am sure the style over substance crowd in Cupertino have finally done their homework. Apple’s track record of effed up web services is long and undistinguished.
    4- Isolate your bank accounts from internet accounts with a 3rd party service where you can insulate your exposure. Does not have to be Pay Pal, but it is an option. The new AmEx Serve looks promising at $1/ month as a place to put money as an intermediary between bank and internet commerce.

    If you are a movie star and can get extra dollars for doing nudity, why would you put crappy iPhone pix up on a cloud server? Jennifer Lawrence has now done nudity and she didn’t get paid for it. Anyone who wanted to see her nips has by now.

  8. My dad always says if one man makes it, another man can break into it.

    This is exactly what happened here.

    I would never put nude selfies or anything else that personal on any cloud storage service. Because then you’re placing your privacy in the hands of a computer and the corporation that runs it.

    Now the guy who was able to ‘hack’ iCloud is to blame here, but so are the celebrities themselves in part for even having those kinds of images on there. Perhaps now people will learn just how dangerous putting stuff like that on a cloud server, or anywhere on the internet for that matter, can be.

  9. Perhaps a compromise could be made in 2-factor authorization to only require such steps when using devices on ‘untrusted’/new access points. Sort of how my bank and credit card sites will have me authenticate myself using 2 or 3 means when I access their site from an unrecognized IP address (or maybe other device identifier).

  10. The headline is a contradiction.
    “Apple’s iCloud is secure; ” + “weak passwords and gullible users are not”

    How is iCloud secure, if it’s protecting gullible users’ accounts through their weak passwords?

    Not saying I know an easy solution – but at least I can identify the point of failure: the reliance on password.

    Many of you are pointing to two-step authentication. If that’s really the answer, then it should completely replace the password system that’s proven insecure too many times already. However, I have lingering doubts about two-factor. It’s not practical yet to expect everyone to have a phone and have it charged all the time – and even when I do have it, all those text message still annoy me for some reason. There’s got to be a better way…

  11. Security is there and sufficient for any user that cares about security, nothing more really needs to be done.

    If you care: In a reasonable priority order

    1) Enable long passwords on iOS (for your iPhone)
    2) Enable 2 step verification
    3) Have at least a 9-digit random password with upper, lower, number and letter characters, unique to iCloud.

    Now you can store moderately confidential data on iCloud

    Have very confidential data for the cloud, like Dropbox?

    Create a 256-bit encrypted file with TrueCrypt (don’t worry about the alleged and totally unproven TrueCrypt back door unless you’re a terrorist etc.; no one will get through a properly encrypted TrueCrypt folder to see your stuff). Store that file with its encrypted content on the cloud, with a password as described above.

    There’s really no excuse; if you have data you want protected, take the time to learn how to do it correctly………

  12. I’m impressed… Really.

    I know people on MDN are fanatics but since this story of leaked pics came out it has reached a new level. Not a word about Apple’s failure but just stupid jokes and insults for the hacked celebrities. I can only smile when I imagine what the comments would have been if the same had happened with a Google service.

    I just want to remind you of a few things…

    Apple products are designed to be easily used by everyone with no IT knowledge (I think nobody here contests that.). In short they are designed for people who don’t understand what a 2 step verification is and don’t give a shit about it.

    Many other services that are used on a daily basis don’t need a 2 step verification and are considered decently secure (getting money from an ATM for example). How can these “non-technical users” guess that Apple doesn’t have the same level of security?

    How is it possible to keep an account without 2 step verification secure? Simply by avoiding too-stupid passwords on the user side AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.

    So yes… If the technically aware user understood the absence of a brute force attack detection mechanism on the server side, it is his fault not to enable the 2 step verification process, but NO… Apple can’t hide behind that and say its services are secure and the user “should have known”.

    Apple is responsible for not having implemented a decent mechanism to detect a brute force attack. This is just a simple fact that no insult or stupid joke will change. Apple should correct this ASAP.

    1. dude you are another clueless troll.

      Apple already stated NONE of the people compromised was due to Apple security being breached. None were due to “Find My iPhone”.

      ” AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.”

      wow all caps emphasis! I’m impressed… WELL:

      APPLE LOCKS ID AFTER FIVE UNSUCCESSFUL PASSWORD ATTEMPTS.

      If an idiot makes a password that can be breached under that, is Apple to blame? Like ONE try? Slip your finger and you get locked out?
      How many tries do you suggest to stop so called ‘brute force’ attempts?

      “are considered as decently secure (getting money from an ATM for example)”
      Are you deliberately trying to be funny and ‘act’ stupid, or are you really just stupid?

      Dude, there have been countless cases where LOST ATM cards have been compromised (if the owner uses a password like 1234), fake cards (they place fake scanners at locations to pick up ATM passwords and then make their own cards; they are so common they have a name for them: ATM skimmers) ETC ETC have been known.

      article:
      “a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution. This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM”

      Gizmodo:
      “When it comes to new and creative ways of pilfering personal financial data, ATM crime is enjoying something of a renaissance here in the US. In the past year alone, devices like skimmers have been found on POS machines, inside gas pumps, on ticket vending machines, and affixed to ATMs throughout Northern California and the rest of the country. In some cases, thieves have successfully made off with tens of thousands in cash and/or personal card data before anyone was the wiser.”

      1. Yeah yeah yeah…

        You hear something you don’t like and … Oh surprise… Insults again.

        I didn’t explain it but it seemed obvious that if ONE Apple service can be compromised like this, with users’ habit of using the same password everywhere, other services are at risk… But anyway… Read this:

        http://www.iphonehacks.com/2014/09/celebrity-photo-leaks-attributed-vulnerability-icloud-service.html

        The interesting part here is:

        “The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.”

        == wow all caps emphasis! I’m impressed

        Looks like it worked well as you read only what was in upper case… So here the FULL sentence again (please ALSO read the first part):

        Simply by avoiding too-stupid passwords on the user side AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.

        Have you seen the little part about “stupid passwords”??

        I specifically targeted passwords like the “1234” you’ve mentioned, which BTW are the only passwords that can be brute-force cracked with an automatic lockout policy in place.

        And please… Don’t become (even more) silly… I mentioned the example of the ATM to show that the password itself can’t be cracked easily by brute force. We all know about skimming and phishing but this has nothing to do with the subject discussed here.

        Grow up please and learn to have a decent talk. Being polite is also possible without hiding behind a screen. Either you respond as an “educated” adult or you’ll be talking to an empty chair.

        1. like I said are you REALLY stupid or pretending to be?

          that article is GUESSING from BEFORE apple did their investigation.
          your link says “the vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method””

          BUT:
          As apple has released today in an official statement after doing their checks:

          “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”

          (and I ALREADY told you this in my first post!!!)

          “Grow up please and learn to have a decent talk. ”

          wow…. like numerous fallacies, lack of comprehension and knowledge (about ATM cards etc), didn’t do research like READ Apple’s statement, and you say ‘grow up’

          lol.

        2. You’re a joke… A sad one but hey… It’s better than nothing.

          – The article tries to guess what happened but the flaws that were shown are real ones. And these flaws are a failure on Apple’s side. Like it or not… I don’t care. If Apple doesn’t fix its security problems then they are at risk of facing one scandal after the other… Not sure this is what you would want for your beloved brand.

          – Apple’s PR is not “the word of God”. Investigations (real ones) are still under way… So let’s wait for the result to know exactly how these pics have been accessed.

          – It’s funny you talk about my “lack of knowledge”. For more than 15 years now I have worked on improving complex infrastructure with sensitive data (like banks and hospitals)… What’s your CV? Writing angry rants on fanboy sites?

          And oh… Yes… I’m not interested in your pissing contest. So no more answer from me. Have a nice day

        3. after I caught you in numerous, NUMEROUS errors and showed you DID NOT EVEN READ APPLE’S STATEMENT ON THE INVESTIGATION before you started trolling — so rushed you were to jump on the hate, slavering at the mouth that words rushed out BEFORE passing through the cerebral cortex (what little there is).

          … (hey checking apple’s statement that’s KINDERGARTEN, nay nursery day care! level research!) : that no ‘brute force’ “Find My iPhone” flaw was involved in the celeb leaks you come back with a pitiful PITIFUL… attempt to weasel out (LOL!) of your idiotic oversights of it by arguing (although it’s shown it did NOT happen) .. “The article tries to guess what happen but the flaws that were shown are real ones….

          “Guess” is the key word! A guess which was proven wrong and EASILY shown by rudimentary research like READING the MDN article I posted before this, which had the Apple statement! Which you didn’t do but posted hate anyway…

          (hey have some GUTS dude and ADMIT you made an oversight by not reading apple’s statement , at least I’ll say even without brains you have some honour! but no.. weasel… weasel… )

          and any flaws that were there have been promptly patched.

          and people wonder why we shake our heads at apple hater trolls. sad.

        4. I forgot to address this earlier, another of your stupidities

          you say “Apple products are designed to be easily used by everyone with no IT knowledge”

          every new technology requires some investment in learning it, not doing so isn’t the fault of apple.
          it’s like the first automobiles, will you argue the same way if the first users smashed their cars and said ” I don’t freaking want to learn how to use brakes!! my HORSE didn’t have brakes! ”

          If the auto was BUILT by APPLE you’ll argue “the drivers are right!, automobiles should be used by people with none, not a smidgin, nada mechanical knowledge. It’s all apple’s fault, they should design it so that people needn’t learn something new like brakes. shame on that fruit company”.

          see how dumb your arguments are?

    2. Where is the proof, that these photos came from iCloud?

      Did you realize the photos were taken with Android devices as well, which are NOT connected to iCloud in any way at all?

      It is again bashing, because jealous users of less secure and cheaper shit need to troll a lot.

      Of course the iCloud isn’t 100% secure, but where is the proof these images are taken from iCloud? Tell me, come on.
      Pointing your finger is very easy. And when we point our fingers on Google, it is because they are selling our data, which we did not allow AND we struggle to avoid that Google collects them when we are surfing.

      If you are not capable of understanding the differences here, you have a lot to learn.

    3. A long secure password and preventing brute force attack on the server side are both completely useless at stopping a phishing attack.

      So that’s a problem – your suggestion is utterly ineffective against one of the most common methods of hijacking an account.

      I don’t conclusively know if these photos were stolen using phishing, but that is likely given what’s known about the incident.

      (ATM’s are a good example of two-factor authentication, by the way, requiring both a memorized pin and a physical ATM card to verify an identity)

  13. It appears this access to the celeb’s photo account in iCloud occurred in the background pipeline between the user’s computer and the iCloud photo server.

    Basically, every time the photo app on the iOS device or Mac/PC contacts the iCloud photo server to transfer a photo, it authenticates in the background using the credentials stored on the user’s device. The fault on Apple’s part was in not implementing the same threshold failure limit on its background authentication process that it places on direct user authentication, where three failed attempts usually locks you out.

    So, once the hackers had the Apple IDs of the targeted users, and the Apple server names/IP addresses of the iCloud photo servers, all they had to do was set up a computer to run the script pretending to be a user’s computer trying to login to transfer photos. The easier the user’s password, the fewer iterations needed to get the correct one to login.

    So, technically no security breach occurred, since real credentials were used, but Apple still messed up by not setting a threshold failure limit on its background authentication process.
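The point raised by comments 6, 12 and 13 above, that failed sign-ins should be counted, alerted on and limited the same way on every path that accepts a password, comes down to a single shared check that no endpoint is allowed to bypass. The following is an added Python example of such a gateway. It is not Apple's code and says nothing about how iCloud actually works; the five-failure threshold is the figure quoted in the thread, while the fifteen-minute window, the thirty-minute lock, the endpoint names and the wordlist are assumptions made for the demonstration.

```python
"""One failed-login counter shared by every authentication endpoint, with
lockout and an alert hook.  Added example with constructed data; not Apple's
implementation.  Thresholds other than the five-failure figure are assumed."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5            # lock after five failures (figure quoted in the thread)
WINDOW_SECONDS = 15 * 60    # assumed: failures older than this stop counting
LOCK_SECONDS = 30 * 60      # assumed: how long a locked account stays locked
PBKDF2_ROUNDS = 100_000


class AuthGateway:
    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing
        self._users = {}                        # username -> (salt, digest)
        self._failures = defaultdict(list)      # username -> [timestamps]
        self._locked_until = {}                 # username -> unix time
        self.alerts = []                        # (time, user, endpoint, message)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(salt, password))

    def _password_ok(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Spend the same work for unknown users so response time
            # does not reveal which usernames exist.
            self._digest(b"\0" * 16, password)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._digest(salt, password))

    def login(self, username, password, endpoint):
        """Every caller (web sign-in, background sync client, device-locator
        API, ...) goes through here, so the per-account counter is shared
        and no path gets unlimited guesses.  Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        recent = [t for t in self._failures[username] if now - t < WINDOW_SECONDS]
        self._failures[username] = recent
        if self._password_ok(username, password):
            self._failures[username] = []
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCK_SECONDS
            self.alerts.append((now, username, endpoint,
                                "account locked after repeated failures"))
            return "locked"
        # Comment 6's request: tell the user about every failed attempt.
        self.alerts.append((now, username, endpoint,
                            f"failed login {len(recent)}/{MAX_FAILURES}"))
        return "denied"


def simulate_guessing(gateway, username, guesses, endpoint):
    """Outcome of each guess in a constructed wordlist attack."""
    return [gateway.login(username, guess, endpoint) for guess in guesses]


if __name__ == "__main__":
    gw = AuthGateway()
    gw.register("celeb@example.com", 'Tfm>Iga04<wc"THG"')
    # Constructed wordlist; the real password is the last entry.
    wordlist = ["jenny123", "password", "hunger", "123456", "qwerty", 'Tfm>Iga04<wc"THG"']
    print(simulate_guessing(gw, "celeb@example.com", wordlist, "device-locator-api"))
    print(gw.login("celeb@example.com", 'Tfm>Iga04<wc"THG"', "web"))   # still locked
    for alert in gw.alerts:
        print(alert)
```

Because the device-locator path and the web path share the counter, the fifth wrong guess on either locks the account for both, and the correct password arriving as guess six is refused until the lock expires; the alert list is what a notification service would send to the user.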

    1. No, they did not use the photo system. They literally changed the users’ passwords by researching the celebrities’ backgrounds and answering their security questions. Once they changed the passwords, they had access to download the photographs and videos. Simple. Security questions that are obscure information for average citizens are fodder for fanzine biographies. “What was your first car?” and “Where did you go to high school?” are easily learned about famous actors but not so easy about nobodies. . . some fanzines will even list their childhood pet’s name. That’s how the breach was accomplished.

      1. For simple security questions like high school, I either use a fake name or, if I think I’ll forget, I use the real name but add a code like 242424 attached to the name (same numbers all the time, easy to remember). Not foolproof but better than nothing, and I think sufficient for denial due to wrong password to kick in.
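The two replies above describe the other way in: security questions whose answers a fan biography can supply. Here is an added Python example, not from the page and not Apple's implementation, of treating those answers as secrets: generate a random answer to keep in a password manager, store it server-side salted and hashed like a password, and show with a constructed guess list why a factual answer falls to public information while a random one does not. The profile facts, guess list and iteration count are invented for the example.

```python
"""Security-question answers handled as secrets.  Added example with
constructed data; not Apple's code.  ITERATIONS is kept low only so the
demonstration's guess loop runs quickly."""
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 20_000


def generate_answer(nbytes=12):
    """A random answer that no fan page, friend or ex can supply; it belongs
    in a password manager next to the account's password."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer):
    """Case-fold and collapse whitespace so 'Ford Pinto' and 'ford  pinto'
    compare equal; the salt and hash still protect what is stored."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer):
    """Salt + PBKDF2, exactly as for a password, so a database leak does
    not hand out the answers in clear."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(stored, candidate):
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, cand)


# Constructed: the handful of candidates an attacker could assemble from
# interviews and fan pages.  Invented names, not real biographical data.
PUBLIC_PROFILE_GUESSES = {
    "first car": ["Ford Pinto", "Honda Civic", "Toyota Corolla", "Jeep Wrangler"],
    "high school": ["Springfield High", "Riverside Academy", "Central High"],
}


def guess_from_profile(question, stored):
    """Return the public-profile guess that verifies, or None if public facts
    are not enough to answer the question."""
    for guess in PUBLIC_PROFILE_GUESSES.get(question, []):
        if verify_answer(stored, guess):
            return guess
    return None


if __name__ == "__main__":
    factual = store_answer("ford pinto")             # a true, researchable answer
    random_answer = generate_answer()
    hardened = store_answer(random_answer)           # the same question, random answer
    print("factual answer recovered:", guess_from_profile("first car", factual))
    print("random answer recovered:", guess_from_profile("first car", hardened))
    print("owner with the stored random answer:", verify_answer(hardened, random_answer))
```

With a truthful answer the four-entry guess list is enough; with a random one the same list, or any list built from public facts, returns nothing, and only the value kept in the password manager verifies.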

  14. Hey stupid Androids, I just took some shots of my naked girlfriend (she is super hot, looks like Chloe Moretz, more curves!) with my iPhone and synced it to the iCloud.

    Could you trolls do me a favor, HACK IT PLEASE and post them on Facebook or here or …. and you get 100k$ for sure…

    Otherwise you have proved that you do not believe everything that is written on the internet 😉

    Being compromised does not mean that everybody else is, being stupid does not mean the whole world is stupid AND being a Celeb does not mean you are not human or do things you might regret.

    But outlining the weaknesses of others, if those weaknesses are not really infringing somebody else, is just a proof of your own despair.
    Think different, get a life, do some good, enjoy life while you can.
    And maybe you begin to help sick and starving people instead of bashing Apple.

  15. Perhaps a password system that I remember reading in a sci-fi story ages ago would work.. Basically it would recognize that you enter the same ‘wrong’ password/password sequence before entering the ‘right’ one. For example: Enter login name and wrong password-1 then on second attempt enter wrong password-2, finally enter the correct password on the third attempt. This would prevent access to an account knowing ONLY the right password. You would have to know the ‘wrong’ ones to enter first to actually gain access.
