“One week before Apple Inc. plans to show off its new iPhone, the company is battling to preserve its reputation for protecting users, following the leak of nude photos of celebrities from its online services,” Daisuke Wakabayashi and Danny Yadron report for The Wall Street Journal. “Apple on Tuesday denied that its online systems had been breached, deepening the mystery of how the private photos leaked onto the Internet. Apple said certain celebrity accounts were compromised by ‘a very targeted attack on user names, passwords and security questions.'”
MacDailyNews Take: The photos weren’t “leaked,” they were stolen.
“Apple moved Tuesday to address reports that surfaced over the weekend that the leaks of the photos could stem from a bug in its iCloud storage service that allowed potential hackers to try an unlimited number of passwords until they stumbled upon the correct one,” Wakabayashi and Yadron report. “Apple said there is a limit on the number of incorrect passwords an iCloud user can enter before its system locks the account. The company declined to specify the exact number of incorrect attempts that would trigger an account lockdown. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud,’ Apple said in its statement.”
Wakabayashi and Yadron report, “Apple suggested that users make sure they have a strong password and they enable two-step verification—a security feature that requires users to first type a password and then perform a second step, such as typing in a code received by text message.”
Read more in the full article here.
See how far they got in the full article here.
MacDailyNews Note: Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.
Always use unique passwords, do not reuse passwords for different services, and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, this system works like a dream.
Related articles:
How easy is it to crack into an Apple iCloud account? We tried to find out – September 3, 2014
Celeb nudes: Comprehensive review of forum posts reveals no mention of ‘Find My iPhone’ brute force technique – September 2, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014
Apple is right there were no iCloud breach but sadly the security model of Apple allowed hackers to get access to a few lazy but famous people.
Apple should invest some Ivy’s time to innovate their security and notification. I saw an article in a UK paper were someone was able to guess passwords 12 times before the account was locked for 8 hours. It should be fewer times with shorter lockout period.
More importantly, notify the damn user that their account failed to authenticate, the ip address, tracerout the device that made the attempts, the browser used, etc…
Next, provide a way for the actual owner to lock their account for access from an unknown device or unknown geographical locations (say allow access only from NYC) otherwise I have to go through extended say 2-step verification.
I use the same devices 99% of the time and I would be happy to go through 2 step authentication for other devices.
Apple’s culpability in this matter is nearly insignificant. What matters is that every time an article or news segment on TV about iWallet will be produced the issue of this breach will come up and create FUD in the minds of any consumer who considers using the device for that purpose. Apple needs to find a way to go on the offensive about this. Enable 2 factor ID by default and allow you to create your own questions … etc. Taking the “you’re holding it wrong” approach on this issue (even if in this case that may very well be true) is not neutralizing this issue. It’s actually adding fuel to it.
I was going to post the MDN and Apple’s advice on my FB page, then realized that for most people it would sound like a pain in the butt. Especially celebrities. Great idea- guided setup.
It should not be this easy to steal this many separate accounts.
They’re releasing more each day. People will think twice about uploading their sensitive documents/photos to the cloud.
Give me your real name and I’m sure I could find enough information posted online to break into one of your accounts.
We live in a world where it’s OK to have PII information posted for the world to see, THAT is the security threat. How many people that do NOT have a significant social media presence has gotten hacked?
The answer is simple – 2 step verification by default with no option to turn it off.
How do I set up two-step verification?
Go to My Apple ID.
https://appleid.apple.com
Select Manage your Apple ID and sign in.
Select Password and Security.
Under Two-Step Verification, select Get Started and follow the onscreen instructions.
More Details here.
http://support.apple.com/kb/ht5570
Don’t Panic 🙂
I would bet money that scared Samscum is behind this hack to cast doubt on Apple’s unbeatable security record, with the main objective of discouraging massive forthcoming fanfare for the new iPhone 6 NFC electronic wallet payment system and it’s strong alliances, by trying to create an Apple is not secure scare…
Apple’s gonna disrupt again !
Breach definition….
Did the photos come from iCloud ?
If iCloud was not breached, then where did the photos come from ?
Is Apple splitting hairs ?
By my definition, obtaining data after logging on with a correct ID and password is not “hacking into a server.” The user has the primary responsibility for keeping that information secure. Famous people face extra challenges, since anybody can find their birthdate and security question answers on Wikipedia. It isn’t Apple’s fault if Roy Rogers uses royrogers@gmail.com with password: trigger. My guess is that these folks made a mistake that simple.
How many of the people howling about this cheerfully hand their credit card to a waiter who hauls it off to do anything he wants with it in the back room of a restaurant. Next step, if you’re lucky like I was, is Bank of America calling to check if you just bought a stereo system in Brazil.
Not sure, but when restoring an iPhone or IPad from the Cloud, do you need 2-way authentication?
I love this…information and someone else’s private pictures and information are free for you to take and distribute as threat and intimidation unless you get paid for your effort in discovering how to do it. Ethics 101
https://www.coursera.org/course/techethics