“Apple Inc, which is poised to unveil new iPhones next week, and the FBI are probing reports hackers used the company’s iCloud service to illegally access nude photos of actress Jennifer Lawrence and other celebrities,” Duane D. Stanford reports for Bloomberg. “Hackers posted the nude photos on the anonymous image-sharing website 4chan, the Telegraph in London reported. The photos targeting more than 100 U.S. and U.K. celebrities were allegedly obtained by breaking into iCloud accounts, the newspaper said. Apple has fixed a bug in its ‘Find My iPhone’ software that may have allowed hackers to access celebrity iCloud accounts through so-called brute-force attacks that try multiple passwords, the Engadget technology website reported, citing developers.”
“The U.S. Federal Bureau of Investigation released a statement yesterday saying the agency is aware of the allegations ‘concerning computer intrusions and the unlawful release of material involving high profile individuals.’ The agency is ‘addressing the matter,’ Laura Eimiller, an FBI spokeswoman in Los Angeles, said by e-mail,” Stanford reports. “The risk to iCloud users will depend on whether the breach happened within Apple’s security or within the celebrities’ personal accounts, said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Either way, some users may not understand when and how they are using such services, especially during the set-up.”
“One plausible explanation for a wide breach of private photos is by way of a password-retrieval system, said Woodrow Hartzog, who teaches privacy at the Cumberland School of Law at Samford University in Birmingham, Alabama,” Stanford reports. “Customers generally recover forgotten passwords by providing information or answering questions about themselves. Celebrities are particularly vulnerable to hacks of these programs because so much of their life history, such as where they were born, is available in biographies, news stories and websites like Wikipedia.”
Read more in the full article here.
MacDailyNews Take: Bad, bad, bad optics. In fact, it’s tough to imagine worse optics for Apple if they do indeed hope to debut a mobile payment system in a week. Yes, these celebrities should have used two-step verification for Apple ID if they wanted to keep their accounts secure, but there are no two ways about it: Failing to prevent brute-force iCloud password attacks long ago was a tremendous oversight for the world’s most valuable company. Apple needs to be equated with security and privacy. Today, they are not. Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Right or wrong, it doesn’t matter: These days, perception is everything. Once the narrative is out there, it’s very difficult to change (see: Apple Maps). Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!
Public Service Announcement: The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, Twitter, email, etc.
Regardless of the origination of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.
As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.
Could have, should have, is irrelevant. While the blame routinely falls on the company, it’s the user with crappy lame passwords and posting things that they know they don’t want seen in places where they could eventually be found.
I don’t want to sound like a “blame the victim” type, but the fact of the matter is that the only way to be sure that naked pictures of you don’t appear on the internet is not to take any in the first place. And if you do, for crying out loud, don’t put them on the internet yourself!
I’m only concerned about this if it reveals a vulnerability that could result in damage greater than stealing naughty pictures, say, if access to your credit account could be stolen.
——RM
The culprit was able to obtain user name / password for the iCloud account of these people. This seems difficult at first, but if we think how most password reset systems ask personal questions, then it might be rather plausible that someone was able to answer even the most personal questions for a celebrity by simply looking it up in Wikipedia…
These pictures were NEVER shared. They were probably sitting in the “My Photo Stream” section of the iCloud, which is used to make sure every picture you snap with any of your Apple devices automatically gets transferred to every other Apple device you own. None of this is shared unless you set it up for sharing — the “My Photo Stream” library is PRIVATE and protected with your iCloud authentication system. It is as safe as you make it (which is why there is the two-step process).
Understood. That’s why I try only to set security questions where the answers can’t be determined by research because they’re based on personal memories. For example, someone researching me might be able to find the make and model of my first car, but I doubt they’d learn the nickname I had for it.
Some sites only ask stupid questions with public info as the answer. Some people get around this by answering with gibberish, but then that just becomes another set of passwords you have to remember.
What is up with these nude posts lately? Is today’s theme “Sexy images that manage to NOT involve Marissa Meyer”? MDN, you are freakin’ me out right now.
This is the biggest hit to Apple in years. How can they ask people to trust them with payments, much less iCloud photos, documents, etc. That’s why it’s being covered so comprehensively and well by MDN.
One very big thing in your “etc”, which ranks above photos and unspecified documents, and unlike iWallet is not merely a rumour: HEALTH INFORMATION.
Apple claims this info is only ever stored on the device itself, same as fingerprints. But apps clearly will have access to it, and since Apple revised its app policies to require developers NOT sell any health-related info, it seems clear that apps can send some aspect of this health data off-device.
MDN has nailed it! Nailed it!
“Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!”
Is this more Apple FUD? We all know how pro-Sammy you are in these parts. (And no, I’m not talking about Sega-Sammy, but they still are guilty for ruining a beloved game company.)
Jay Morrison is a well-known troll on this site, but by sheer accident, he is correct. But of course, not on his own — the entirety of his post is a quote of MDN’s take, which is unfortunately correct.
While we all know that Apple security was never breached here (if you hide the keys to your house under the mat, you can’t complain to the police about the thieves breaking in).
So ol’ Jimmy here is Right, but for the Wrong Reasons? Makes sense.
What? If someone gets into your house and steals something or vandalizes it in any way – whether or not you left your door wide open or not – they are still committing a crime.
The real issue here is people thinking any kind of internet usage can be totally private and 100% secure.
Troll or not I could not care less.
The accuracy or not of words is my only concern.
Sorry Apple fanboy, he nailed it this time.
Good to read you agree.
That story on MDN a few days ago said — “Apple PR department is best in the world.” Riiiiiiiiiiight.
“Today, in the minds of the general public,…”
And WHEN was that survey done?
A few pictures of specific people were stolen by hackers. Big deal. The NSA steals ALL the pictures.
I’m going to need more nude pics to determine if a crime indeed took place.
What FUD nonsense. There is no evidence that this was a hack of Apple itself. Get some standards.
When was it confirmed that this was an iCloud or find my phone hack? Rush to judgement much MDN?
Rumors, FUD, and propaganda pass for “news” these days. The truth does not matter, rather it’s who says what first and with what sort of energy that carries the day. This is caused by intellectual laziness – it takes energy and determination to dig through the detritus to uncover / discover reality.
True. It has yet to be determined whether it was a hack of iCloud itself or whether it was a social engineering hack over several years. Some of the images posted are supposedly several years old (according to the person herself) that she claims have been deleted from ALL media of which she is aware, including never having been on iCloud.
But, to some extent MDN is correct. Whether iCloud was hacked or not, the general perception of the public is that iCloud has been hacked and that Apple’s security is terrible. Unless Apple very, very rapidly gets out in front of this, it WILL come up in future articles about using Apple devices for payments or health data. Such negative articles will make moving forward by Apple for such things extremely difficult.
Just for example, people are still blaming the “Find my Phone” hack as a likely culprit for this hack without thinking for one moment that this specific hack has already been closed by Apple!
Apple needs to get to the bottom of this FAST — like within the next two or three days at most. Then Apple needs to disclose what happened AND Apple’s implementations to absolutely minimize the chance of it ever happening again.
It never was, and in fact, Apple just announced iCloud was NOT hacked.
See my previous comment about “Rumors, FUD….”
This is really a problem for Apple, aren’t they planning to do away with iPhoto and Aperture in lieu of cloud storage? How can they convince anyone this is more secure!!
Firstly, who says that it isn’t?
Secondly, why would they make such a claim at all. They never had before.
Those in the don’t know are throwing out the “hacked the iCloud account” phrase, got news for you…. True or not.., Apple lost a bit of its security clout with this whole incident. Not the type of publicity when you’re trying to make your clientele more cloud reliant.
I’m sure glad the hackers didn’t post pictures of my dog, she doesn’t wear clothing either, although lots of hair.
“Use two-step verification for Apple ID to keep your personal information as secure as possible.”
Absolutely not. Two step security is NOT “as secure as possible”.
Apple needs to offer two FACTOR, not just two STEP, security for those who want it. Three factor would be even better.
For those that want to use simple two step security, then fine. Let them get hacked. Hacking two step sometimes is not significantly more difficult than single step. Hacking two factor (or three factor) security is *significantly* more difficult than single or two step security.
I am not saying that Apple should *require* two factor security (though I would not complain if they did). Apple just needs to do an elegant integration of two (or three) factor security and offer it to those who feel they need it.
You seem to be trying to say something but the way you’re saying it comes out the same (two-step / two-factor security is bad, two-step / two-factor security is much better). To an ordinary person the two (two-step, or two-factor) mean exactly the same.
Could you provide examples, so that we can get the idea of the difference (if there is any)?
Apple’s two-step authentication is two factor:
1 – Your user name/password combination (something you know)
2 – An access code is sent to a single, trusted Apple device in your possession (something you have)
“The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, twitter, email, etc.…”
Apple has been saying as much since they introduced Appletalk.
Trying to do what is best to maintain privacy is as much of a success telling people (>20%) not to their house keys under a mat, planter, or to give a copy to a neighbour (~50%)
Interesting that we accept the media which gets most of their news from bloggers and then defines their editorials and opinions by publishing what is more provocative.
As they say: What looks like shit, smells like shit, is most likely shit.
I never use real information for password recovery, and I’m not even a celebrity.
I would stop calling it a hack. It was probably weak password, anyone can do it.
More leaks today of Jennifer Lawrence, and that Gymnast girl..Looks like they’re going to release more everyday until the 9th. Maybe Samsung is behind this.
The FBI got involved in less than 24 hours. They couldn’t find the time to interview folks for the IRS scandal, can’t find Lois Lerner’s emails, no witness interviews for Benghazi, Fast and Furious, the NSA fiasco – oh wait, these are Odumbo’s donors; better get on this ASAP!!!
Frankly I’m quite tired of all this news. Analysts putting their two cents in, amateurs doing the same, celebs blaming Apple and iCloud and no conclusive info….yet. I posted the other day that I have never been hacked, used keychain and the Safari password generator. I started using the 2 step verification system two months ago. Never a problem. I am willing to give Apple the benefit of doubt until all is sorted out. There are simply too many rumors out there from possible Dropbox hacks to others. None of us truly know as what’s going on period. As far as these celebrities being hacked are concerned frankly I don’t care. If they or others are too stupid and keep crap anywhere too bad. Read the fine print and if you can’t read find someone to do it for you. I’m more concerned about protecting my financial data and more important things than a bunch of nude chicks.