Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack

“Apple said Monday it was ‘actively investigating’ the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web,” Arik Hesseldahl reports for Re/code.

“‘We take user privacy very seriously and are actively investigating this report,’ said Apple spokeswoman Natalie Kerris,” Hesseldahl reports. “Photos, some real, some said to be fakes, are said to have been taken from the iCloud accounts of several celebrities, such as actress Jennifer Lawrence.”

“Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts,” Hesseldahl reports. “When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for attackers to gain access to the account, even if they know the password. Assuming the compromised accounts were running without the two-step option turned on, it would then have been relatively easy for the attacker to gain access to the accounts.”

Read more in the full article here.

MacDailyNews Take: As we wrote earlier today:

The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, Twitter, email, etc.

Regardless of the origination of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.
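A worked illustration of why the two-step check recommended above defeats an attacker who only has the password. This is an added example, not code from Apple or from MacDailyNews. Apple’s 2014 two-step verification sent a short code to a trusted device; the example stands in a time-based one-time password (RFC 6238) of the kind an authenticator app generates. The account record, the PBKDF2 parameters and the `login` function are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed account record for the example; nothing here is Apple's data model.
# The password is stored as a salted PBKDF2 hash, the second-factor secret is the
# seed shared with the user's authenticator, and last_counter remembers the most
# recent accepted time step so that a captured code cannot be replayed.
PBKDF2_ROUNDS = 100_000
STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": os.urandom(20),
        "last_counter": -1,
    }


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a time-step counter (RFC 6238): HMAC-SHA1 of the
    big-endian 64-bit counter, dynamic truncation to a 31-bit value, then the
    low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(account: dict, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current step or one step either side for clock skew, but never
    a step at or below the last accepted one: each code is good exactly once."""
    current = int(now // STEP_SECONDS)
    for counter in range(current - drift, current + drift + 1):
        if counter <= account["last_counter"]:
            continue
        expected = totp(account["totp_secret"], counter)
        if hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8")):
            account["last_counter"] = counter
            return True
    return False


def login(account: dict, password: str, code: Optional[str], now: float) -> bool:
    """Two-step sign-in: the password is necessary but not sufficient. A correct
    password with no code, a stale code, or a replayed code all fail, which is
    what stops an attacker who only knows (or guessed) the password."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    if not pw_ok or code is None:
        return False
    return verify_totp(account, code, now)


if __name__ == "__main__":
    acct = make_account("correct horse battery staple")
    now = 1_409_616_000.0  # a fixed instant, constructed for the example
    current_code = totp(acct["totp_secret"], int(now // STEP_SECONDS))
    print("password only:  ", login(acct, "correct horse battery staple", None, now))
    print("password + code:", login(acct, "correct horse battery staple", current_code, now))
    print("replayed code:  ", login(acct, "correct horse battery staple", current_code, now))
```

Two details matter in practice. The replay check (`last_counter`) is what makes a code single-use; without it a code phished from the user is valid for the rest of its 30-second window plus the drift allowance. And because the password is verified before the second factor, a real service necessarily tells an attacker when the password was right (that is the point at which the code is sent to the trusted device), so the second factor, not secrecy of the password, is what holds the line.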

62 Comments

  1. Even if all of these pictures are from iCloud accounts (and I doubt they are, because from what I have read there are Android phones in many of these pictures and some of them have tumblr in their image name, which seems a weird place to store your shiz), that still doesn’t make the fact that they aren’t using two-step verification okay.

    As an Apple fanboy I am disappointed in their apparent lack of security using the “we have not been hacked in the past so our security must be fine” approach to storing MILLIONS upon MILLIONS of people’s personal photos (along with GPS coordinates of said photos and other personal information).

    As pointed out by a security company on Re/Code, Apple just today put a measure in place to limit the number of incorrect login attempts. Hello? That’s IT 101. As a web developer I put a limit on how many failed login attempts can be used per hour before either making the user wait or before locking the account and requiring them to reset their password.

    While this isn’t Apple’s fault because they didn’t take those pictures, Apple did indeed encourage people to feed their photos into the “cloud” “automatically”.

    The only “fault” here are the DB’s that hacked into the accounts and stole the pics in the first place. Apple is a victim in this crime, but a victim that could have provided some better security for their customers. The real victims of course are the customers whose images were stolen and distributed online.

    Seems like Samsung will have a great ad about using “iCloud” for security and may even get some celebrity endorsements from those affected to use the Samsung phones in the future.

    Let’s hope Apple has some major improvements to security up their sleeves and does what they can (if indeed iCloud was the source of the images) to help rectify the situation with the victims.

      1. You read every comment of every article? Wow, I’m impressed, but I doubt it, because I have been using MDN since 2006 when I got my first MacBook. I probably comment about once per week for the past several years. I challenge you to go back and prove me wrong.

        1. I apologize, I have not read the iTunes user agreement. I am sure that rule is in there somewhere thus proving me wrong and everyone else right. Next thing you know Tim Cook is going to show up at my house and sew my face to someone’s ass (Probably Arnold’s knowing my luck) to build a human centipad.

      2. Well, it’s a good thing I don’t need validation from a comment thread on an article to consider my life successful or not. You can believe what you want and eat a d@#k while you are at it. I thought about posting links to several articles I have posted comments in to prove you wrong, but then I realized, you don’t matter. However, if you want to go and find it, the oldest comment I can find through my wordpress account is a July 31, 2013 article on MDN. Otherwise enjoy that d@#k you are eating.

          1. And for the record, Apple DID admit that there was a Find My Phone issue that did not lock accounts. THAT was what I was referring to in “unlimited login attempts”. They have since fixed it. Either way, I feel my iTunes password is secure and have not changed anything on my iPhone, iPad, or MacBook Air.

            The Find My Phone issue wasn’t part of the nude photos thing, but it still was an issue and I was addressing it separately.

    1. And BTW, if it turns out these “hacks” were just people knowing the passwords from the fact that 1.2 billion usernames and passwords were stolen earlier this month, then that is not Apple’s fault. People were warned to change their password, and in that case, it’s not a hack, it’s just simply logging in (hence where MDN’s comment about two-step authentication would have paid off).

        1. It is excellent news. I have been arguing with people all day who are trying to discredit iCloud and I am pointing to Apple’s release. I never said Apple was responsible Arnold, I said “If”, and I also said in the comment you replied to that it may just be people “logging in” (which I was exactly right on).

      1. Good point! It seems they may want to add two-step verification, at least an option, to logging in from a system you haven’t used before. A known apple id and weak password were still the biggest issues.

      2. In this case, it certainly would have worked. Ars Technica was pointing out you could compromise the two factor IF you had the user email, the user password, AND got a new blank iPhone that you had configured with the target’s registered texting emails and iPhone number to receive the second security factor code on. Tell me, exactly how would this hacker have afforded over one hundred iPhones, also gotten the celebrities’ cell phone numbers, just to troll for naked pictures? Nope, it would not have worked.

    2. Apple DOES have a lock-out after five wrong password attempts. . . but apparently it was not properly implemented in the API for the FindMyiPhone app. . . and someone discovered that vulnerability, wrote a simple script to brute force guess passwords using the list of 500 most commonly used passwords, and voilà, they got in. . . or at least that’s the claim. The author of the script says the bug is present on many platforms.

    3. Despite what others have said, I think that’s a fair comment well made.

      If Apple’s future for photos is cloud based they’d better make sure their security is top class first.

      Accidents, oversights and software bugs all happen and nothing is 100%, but Apple need to be seen to do more than most to prevent this.
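The failure-limit point raised in the comments above (a per-account cap on failed attempts, and a lockout that existed for the main sign-in but reportedly was not enforced in the Find My iPhone API) is easiest to see in code. The following is an added example and is not Apple’s code or anything posted in this thread. The service class, its two endpoints, the twelve-entry stand-in for a common-password list and the single weak credential are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "most common passwords" list (a real one has hundreds
# of entries); the victim's password is deliberately placed at position 10.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "monkey", "sunshine",
    "princess", "welcome", "dragon", "iloveyou", "football", "baseball",
]

MAX_FAILURES = 5  # consecutive failures before the account is locked


class AuthService:
    """One credential store exposed through two sign-in endpoints (hypothetical)."""

    def __init__(self, accounts: dict):
        # In-memory store: user -> (salt, PBKDF2 hash). A real deployment keeps the
        # failure counter in shared storage so every frontend and API node sees it.
        self._creds = {}
        self.failures = {}
        for user, password in accounts.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, self._digest(password, salt))
            self.failures[user] = 0

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def _password_matches(self, user: str, password: str) -> bool:
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(self._digest(password, salt), stored)

    def _authenticate(self, user: str, password: str) -> str:
        """The one checked entry point: lockout first, then the password.
        Every endpoint that accepts a password must go through here."""
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if self._password_matches(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

    # Endpoint 1: web sign-in, wired through the checked path.
    def web_login(self, user: str, password: str) -> str:
        return self._authenticate(user, password)

    # Endpoint 2, vulnerable: a device-locator API that reuses the password check
    # but skips the counter. The lockout exists; it is simply not enforced here.
    def locator_login_vulnerable(self, user: str, password: str) -> str:
        return "ok" if self._password_matches(user, password) else "denied"

    # Endpoint 2, fixed: same surface, routed through the checked path.
    def locator_login_fixed(self, user: str, password: str) -> str:
        return self._authenticate(user, password)


def brute_force(login, user: str, wordlist) -> tuple:
    """Try each candidate in order until the endpoint accepts one or locks the
    account. Returns (recovered_password_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    for endpoint in ("locator_login_vulnerable", "locator_login_fixed", "web_login"):
        svc = AuthService({"celeb@example.com": "iloveyou"})  # constructed weak credential
        found, n = brute_force(getattr(svc, endpoint), "celeb@example.com", COMMON_PASSWORDS)
        print(f"{endpoint:25s} -> {found!r} after {n} attempts")
```

Against the unchecked endpoint the wordlist recovers the password on the tenth guess; against either checked endpoint the sixth guess comes back `locked` and the password is never reached. The design lesson is that the limit belongs in the shared authentication layer, not in each caller, and that every surface that accepts a password (web, mobile app, device-locator API, IMAP, calendar sync) has to be tested for it. Two caveats a practitioner would add: a bare per-account counter lets anyone lock a victim out by feeding wrong guesses, so real services pair it with per-source rate limits, progressive delays and an owner-controlled reset; and a lockout does nothing against an attacker who already holds the correct password from a reused breach, which is where the second factor comes in.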

  2. Apple is doomed right before the iPhone 6’s introduction. Oh, yeah… This would never have happened if Steve Jobs was alive. So, where can I see Jennifer Lawrence’s naughty bits because if I don’t see them, then the iCloud hack never happened.

    /s

    I saw a few mentions about how insecure Apple’s mobile payment initiative will be considering this iCloud hack as though they have some sort of vague connection.

    1. I purchased the original iPhone and have owned only iPhones (every single model) to date. I have also owned not one, not two, but THREE different iPads, not to mention the 4 Macs I own. I call myself an Apple fanboy proudly because the term does not offend me. I am a fan of Apple. I won’t own, use, endorse or purchase any non-Apple phone, tablet or computer.

      There is no reason to get all butt-hurt just because someone speaks their mind about something that was just proven to be true. Relax. We are all on the same team. But we are allowed to have different opinions.

  3. Banks get hacked, retailers get hacked, US government agencies get hacked – and people still think it’s safe to store private photos on the web or with cloud services?

    Next story please.

    1. iCloud (and PhotoStream) are probably the best arguments for picking Apple over any other platform. No matter how you take your pictures (iPhone, iPad, webcam on your Mac, an ordinary digital camera, then imported into iPhoto), thanks to the PhotoStream on the iCloud, all your pictures will automatically be copied to all of your Apple devices. Turning this feature off because of some paranoid fear of “poor security” of the iCloud basically removes one of the most significant advantages of Apple’s ecosystem over all others.

      Apple’s security was NEVER breached here. If you give your password to somebody else (or someone guesses / figures out your password), it is NOT Apple’s fault!

      Nobody HACKED iCloud — they simply logged in and took what they found. Your pictures are as safe as you decide them to be — if you have a complex password, and especially if you do the two-step authentication, your pictures will remain only yours and nobody else’s.

      I’d venture a guess that less than 5% of iCloud users actually use two-step verification, because it is too much of a hassle. Well, it is their own fault. If Apple gives you a double-bolt lock, as well as an intelligent alarm system, but you don’t bother turning your alarm on because it requires you to punch in a long security code and then quickly close the door, and if you leave your key under the doormat, you cannot complain that you were robbed.

      1. Probably not using two-step verification because they either don’t know about it (case of blind faith in ‘it just works’), and/or it’s a bother (case of not fitting users’ concept of iOS ‘ease’ of use).

  4. I’m not sympathetic to a celebrity who puts nude pics online, uses a known apple id (email address), has a weak password, and doesn’t use two-step verification. Remove any of these elements and crisis averted.

    1. Didn’t they learn anything from Weiner’s weinergate? Why does one take nude pictures of themselves? Get a Go Pro and keep your live action on an unconnected device. Or open a channel on a porn site and charge the voyeurs, if you are so vain.

    2. An article at Ars Technica about the stolen skin shots points out in its last paragraph:

      …As Ricky Gervais tweeted (and then deleted): “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.” It’s not that it’s celebrities’ fault for being hacked; it’s just that they should arm themselves with the knowledge that the cloud is fundamentally insecure in the future.

      Or also likely:
      People Are A Problem.
      The entire point of Social engineering is to encourage
      Wetware Error.

  5. At The Moment: There is still disagreement as to how these birthday suit images were obtained. Here is what The Guardian is currently saying:

    Nude celebrity picture leak looks like phishing or email account hack
    Apple’s iCloud service may have been the source of the photos but security experts think password hacks are likely explanation

    The most headline-grabbing possibility for the source of the photos – a full-on frontal-assault ground-up hack of Apple’s iCloud service – is also the least likely. Large companies like Apple have dedicated in-house security teams who attempt to break into their own systems regularly.

    “A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that,” noted Rik Ferguson, vice-president of security research at Trend Micro.

    As with the many celebrity hacks (and daily hacks that affect less famous people), the simpler and more likely explanation is the leak of an email and password combination, either through guesswork or “phishing”, when users are fooled by authentic-looking sites into entering their login details, which are then used against them.

    IOW: We’re still waiting for the first shoe to drop. It may not directly be Apple at all…

    1. I thought this was already well-known at least by the peeps that are here.

      My guess is that the Find My iPhone brute force vulnerability (fixed today) against known Apple IDs (email addresses) with weak passwords is how these were obtained.

      1. I’ve read through that theory and it’s possible. The security flaw in Find My iPhone has been known for about a month. But I’m waiting for something definitive. Meanwhile, I’m pointing out the other ongoing theories.

        1. The other theories of an outright hack or phishing don’t hold up very well. Too large of a scale happening simultaneously makes phishing a little skeptical. I suppose a phishing email targeting these people could be plausible.

          Too bad their assistants didn’t properly secure their accounts.

          1. I’ve given a number of talks to computer savvy folks about ongoing computer security crises. Even they find the ongoing flood of security problems beyond comprehension. The hacks are getting more detailed and complicated. The targets are literally everything. Even with savvy IT staff, it’s a stone wall trying to get company executives to get a basic clue about the network security of their own companies. The Target catastrophe is a great example whereby the IT staff knew the POS device attacks were coming and warned the executives. Then the attacks came, the malware detection alarms were sounded twice. The executives were told. They did nothing for a further two weeks thereafter. Not one customer account need have been stolen. Instead, 110,000 million accounts were stolen. And the POS security hole lives on in hundreds of devices around the world with new announcements of stolen accounts every week, over a full year after the hack method was first used and discovered in the wild.

            As I often say: The current complexity of coding is beyond the comprehension of any one person. We’re watching the consequences. Then there’s user security best practices comprehension…

            1. Yeah, hopefully some Target execs lost their jobs over that fiasco. What’s the point of having the sec people in place if you don’t listen to them?

              But it sounds like you are saying that using strong passwords against obscure ids with two-step verification is not enough.

            2. In May, Target’s CEO Gregg Steinhafel resigned due to the fallout over 110 million accounts being stolen.

              No, I’m not addressing passwords or two-factor verification. Of course, as MDN points out, don’t reuse passwords. Also don’t use passwords that can be guessed in a dictionary attack, including leet-speak and other trickery. Long truly random passwords are best, then store them encrypted somewhere on your Mac where you can access them as needed. I use both 1Password and a duplicate master list I have on an encrypted Sparse Bundle image. This lets me remember only a couple passwords with which I can access my zillions of others. Adding two-factor authentication adds further security. – – The usual recommendations.

  6. On ABC World News tonight they talked about the celebrity hacks and had a few-minute piece explaining why it is not a good idea to connect computers, smartphones, etc. to unsecured or unknown wi-fi. I would assume celebrities have security personnel/assistants that know this common knowledge and have directed technically inept celebrities in the proper direction, but if that’s true then why would ABC mention wi-fi as an easy way to steal someone’s files? They could have dwelled on iCloud for the entire piece, but did not.

      1. How so? Right before the piece on wifi they said the FBI is looking into the situation. Putting two and two together, my guess is this is the direction the FBI is leaning.

        1. I suppose this is possible if all of these celebrities were using compromised open wifi networks over a long period of time and whoever collected the passwords waited until this precise moment to post the pics.

            1. It was my understanding that when you connect to a public Wifi spot, secured or otherwise, you are still connected along with everyone else connected to that same access point. I suppose a secure connection when you are the only one logged into that access point would be relatively secure.

            2. https should secure the entire conversation between your browser/app and the server. Otherwise what is the point of using a secure vpn at such locations? Yeah everyone else connected can see your traffic but it’s the difference between clear and encrypted traffic.
