Apple: No iCloud breach in celebrity nude photos leak

Apple has released a “media advisory” as follows, verbatim:

Update to Celebrity Photo Investigation

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Source: Apple Inc.

MacDailyNews Note: Apple’s relatively quick response is a good and welcome sign.

Once again:

The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, Twitter, email, etc.

Regardless of the origination of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.


46 Comments

  1. Suck it Fandroids. This was a targeted attack on people who don’t use strong enough passwords or two-step verification, not a flaw in iCloud, iOS or Find my iPhone.

    Please graciously eat crow. I hear it goes fantastically well with malware, which you’re used to.

    1. I just learned something new today. You can share your photos that are in your photo stream on a public website that Apple runs. I didn’t even realize this was a feature. It made me wonder if somehow these people who got their pics leaked didn’t realize a photo folder was being shared!

      You can read about it here:
      http://support.apple.com/kb/HT5902
      http://help.apple.com/icloud/#/mmc0cd7e99

      A person’s photos would be viewable at the following address. The only thing that would be different for each person is the unique code at the end of the URL.

      https://www.icloud.com/photostream/#########

  2. You have to wonder just what some of those Passwords were that were being used by folks who are letting their nude images get uploaded to their cloud accounts. Notice I did not say iCloud, as there were leaks from various Cloud sources.

  3. What a fun job: we have looked into every nude celebrity photo on our iCloud servers, and we can report that none of them have yet to emerge. Excuse us while we take a spa break to, um, recover from the grueling weekend.

    1. Touch ID is largely based upon AuthenTec technology, which Apple bought, broke up, stripped of IP and then shut down. Mavericks broke Software support and Apple essentially euthanized the HW/SW since it was for Macs and not the beloved iOS.

      I have a number of the Eikon fingerprint scanners and they are useless thanks to Apple. A nice Fuck You to AuthenTec customers who happened to also be Macintosh owners, courtesy of Tim Cook.

      Apple should release an integrated Fingerprint reader into laptops and include it with Apple keyboards.

  4. Perhaps one should wait before putting their foot in their mouths

    jeph
    Tuesday, September 2, 2014 – 11:38 am ·
    This is really a problem for Apple, aren’t they planning to do away with iPhoto and Aperture in lieu of cloud storage? How can they convince anyone this is more secure!!

    Jay Morrison
    Tuesday, September 2, 2014 – 10:45 am ·
    MDN has nailed it! Nailed it!
    “Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!”

    Ben Eckenroed
    Monday, September 1, 2014 – 7:45 pm ·
    As an Apple fanboy I am disappointed in their apparent lack of security using the “we have not been hacked in the past so our security must be fine” approach to storing MILLIONS upon MILLIONS of people’s personal photos (along with GPS coordinates of said photos and other personal information).

    Deancourt Design
    Tuesday, September 2, 2014 – 4:36 am
    If Apple’s future for photos is cloud based they’d better make sure their security is top class first.
    Accidents, oversights and software bugs all happen and nothing is 100%, but Apple need to be seen to do more than most to prevent this.

    Anon
    Tuesday, September 2, 2014 – 11:09 am
    This is the biggest hit to Apple in years. How can they ask people to trust them with payments, much less iCloud photos, documents, etc. That’s why it’s being covered so comprehensively and well by MDN.

    1. Nahhhh! Why would they care when click bait is so much more attractive than not jumping to the wrong conclusions or waiting until Apple commented.

      It’s like watching three year olds eating pixie sticks… incomprehensible, high energy babbling that has no meaning once they’re finished.

      1. It’s the classic “Apple-Bad” headline. They know it always gets clicks.

        Like if there’s a problem at a factory that makes parts for 10 different companies, and maybe a minuscule number for Apple, the headline will always read “Apple Supplier Exploits Children” or some such. It’s so goddamned stupid.

    2. I think this reaction comes from Apple neophytes, who are still having to defend themselves to friends using Android or Wintel computers. They are easily embarrassed and rush to prove that “they are no Apple fanboys.” When you’ve lived in the Apple world for 30-40 years like many of us, you’ll realize that a large segment of the press loves to spin Apple stories in the worst possible way. And the 24/7 news cycle demands snap reporting, even before anyone with expertise has examined the facts behind the story.

    3. Well md8mac I’ll just sit back and wait for all the media talking heads to retract their stories on the iCloud hack!! I realize you are the voice of mac reason, but unfortunately reason doesn’t exist in the world of public opinion. Apple is trying to entice a consumer that is having its trust shaken daily… The point I was making is that an incident like this doesn’t make it any easier to attain that trust.

  5. I am glad Apple has implemented a limit of 5 attempts to guess a password (not sure why it did not go for 3 as is customary). I would have liked also a notification email sent to the account holder informing them of the IP address where the attempts were made, date/time, and even the passwords that were attempted and failed. This will very quickly allow people to take action. I get notified for every purchase I make on my Amex. Apple should go beyond what is customary today. I would be happy to link the 2nd authentication with the iPhone 5s fingerprint sensor.

    Current 2nd stage authentication is not convenient enough. I am hoping Apple will do something new as they introduce iPay, etc…

      1. Apple does a great job with purchases and plenty of notification. I was referring to the importance of keeping the users notified when authentication fails. I used the Amex example to demonstrate a system where my Amex interaction happens in realtime and I can decide if I need to take action.

        I have every intention of moving all my cloud data from other vendors to iCloud because I trust Apple more than I trust others and the new iCloud (when the promises come true) make it a no brainer.

        I believe Apple has done what most would expect but Apple is not Google or Amex. I want Apple to go beyond the obvious. I want some of Ivy magic here specially when someone has all Apple devices then I am sure Ivy can come up with a much more secure while at the same time keeping it usable.

        I and 100s of millions like me would continue to buy Apple products as well as invest in its stock. Apple has managed to spoil us and we are asking more and more and security is ever more critical with the new kits (Health, Home, Car, Pay, more to follow) in the pipeline.

        We all know if anyone can do it is Apple’s mindset for perfection.

  6. For buddying securitologists [sic]:

    http://en.wikipedia.org/wiki/Authentication

    Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of the elements of each factor are:

    the knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question), pattern)

    the ownership factors: Something the user has (e.g., wrist band, ID card, security token, cell phone with built-in hardware token, software token, or cell phone holding a software token)

    the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
