Apple has released a “media advisory” as follows, verbatim:
Update to Celebrity Photo Investigation
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Source: Apple Inc.
MacDailyNews Note: Apple’s relatively quick response is a good and welcome sign.
Once again:
The problem is that too many people use one password for multiple services. The hackers guess it right once and then have access to all sorts of things: cloud storage, bank accounts, Twitter, email, etc.
Regardless of the origination of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.
As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.
Suck it Fandroids. This was a targeted attack on people who don’t use strong enough passwords or two-step verification, not a flaw in iCloud, iOS or Find my iPhone.
Please graciously eat crow. I hear it goes fantastically well with malware, which you’re used to.
I just learned something new today. You can share your photos that are in your photo stream on a public website that Apple runs. I didn’t even realize this was a feature. It made me wonder if somehow these people who got their pics leaked didn’t realize a photo folder was being shared!
You can read about it here:
http://support.apple.com/kb/HT5902
http://help.apple.com/icloud/#/mmc0cd7e99
A person’s photos would be viewable at the following address. The only thing that would be different for each person is the unique code at the end of the URL:
https://www.icloud.com/photostream/#########
You have to wonder just what some of those Passwords were that were being used by folks who are letting their nude images get uploaded to their cloud accounts. Notice I did not say iCloud, as there were leaks from various Cloud sources.
Dropbox?
Jump Box – http://www.jumpbox.com/
I think most of them were syncing with NudeCelebrityGlobalSharingCloudBox.com
Probably such ironclad passwords as “1234567” or “ABCDEFG.” 🙂
What a fun job: we have looked into every nude celebrity photo on our iCloud servers, and we can report that none of them have yet to emerge. Excuse us while we take a spa break to, um, recover from the grueling weekend.
OK, MDN, we’re waiting for you to blast Apple again like in previous articles.
Apple PR has improved!
Quick response.
A few years ago, like with Mike Daisey, there would have been no response…
Apple needs to incorporate Touch ID into iCloud security.
They probably want to, but there are too many iDevices without TouchID in service to make this a required step.
Touch ID is largely based upon AuthenTec technology, which Apple bought, broke up, stripped of IP and then shut down. Mavericks broke Software support and Apple essentially euthanized the HW/SW since it was for Macs and not the beloved iOS.
I have a number of the Eikon fingerprint scanners and they are useless thanks to Apple. A nice Fuck You to AuthenTec customers who happened to also be Macintosh owners, courtesy of Tim Cook.
Apple should release an integrated Fingerprint reader into laptops and include it with Apple keyboards.
Oh, it’s only you.
Yeah, I feel your pain. I was pissed when Microsoft bought Bungie and killed Marathon.
They didn’t kill Marathon. They killed Halo.
Perhaps one should wait before putting their foot in their mouths.
jeph
Tuesday, September 2, 2014 – 11:38 am
This is really a problem for Apple, aren’t they planning to do away with iPhoto and Aperture in lieu of cloud storage? How can they convince anyone this is more secure!!
Jay Morrison
Tuesday, September 2, 2014 – 10:45 am
MDN has nailed it! Nailed it!
“Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!”
Ben Eckenroed
Monday, September 1, 2014 – 7:45 pm
As an Apple fanboy I am disappointed in their apparent lack of security using the “we have not been hacked in the past so our security must be fine” approach to storing MILLIONS upon MILLIONS of people’s personal photos (along with GPS coordinates of said photos and other personal information).
Deancourt Design
Tuesday, September 2, 2014 – 4:36 am
If Apple’s future for photos is cloud based they’d better make sure their security is top class first.
Accidents, oversights and software bugs all happen and nothing is 100%, but Apple need to be seen to do more than most to prevent this.
Anon
Tuesday, September 2, 2014 – 11:09 am
This is the biggest hit to Apple in years. How can they ask people to trust them with payments, much less iCloud photos, documents, etc. That’s why it’s being covered so comprehensively and well by MDN.
Nahhhh! Why would they care when click bait is so much more attractive than not jumping to the wrong conclusions or waiting until Apple commented.
It’s like watching three year olds eating pixie sticks… incomprehensible, high energy babbling that has no meaning once they’re finished.
It’s the classic “Apple-Bad” headline. They know it always gets clicks.
Like if there’s a problem at a factory that makes parts for 10 different companies, and maybe a minuscule number for Apple, the headline will always read “Apple Supplier Exploits Children” or some such. It’s so goddamned stupid.
Hey, md8mac,
I owe you one. Thanks for compiling posts from the gun jumpers.
From the usual trolls is what you really mean.
I think this reaction comes from Apple neophytes, who are still having to defend themselves to friends using Android or Wintel computers. They are easily embarrassed and rush to prove that “they are no Apple fanboys.” When you’ve lived in the Apple world for 30-40 years like many of us, you’ll realize that a large segment of the press loves to spin Apple stories in the worst possible way. And the 24/7 news cycle demands snap reporting, even before anyone with expertise has examined the facts behind the story.
Well md8mac, I’ll just sit back and wait for all the media talking heads to retract their stories on the iCloud hack!! I realize you are the voice of Mac reason, but unfortunately reason doesn’t exist in the world of public opinion. Apple is trying to entice a consumer that is having its trust shaken daily… The point I was making is that an incident like this doesn’t make it any easier to attain that trust.
Hey md8mac 6 hours of everything “I” being down, another confidence builder….
I am glad Apple has implemented a limit of 5 attempts to guess a password (not sure why it did not go for 3 as is customary). I would also have liked a notification email sent to the account holder informing them of the IP address where attempts were made, date/time, and even the passwords that were attempted and failed. This will very quickly allow people to take action. I get notified for every purchase I make on my Amex. Apple should go beyond what is customary today. I would be happy to link the 2nd authentication with the iPhone 5s fingerprint sensor.
Current 2nd stage authentication is not convenient enough. I am hoping Apple will do something new as they introduce iPay, etc…
“I get notified for every purchase I make on my amex.”
You get notification every time you make a purchase from any of Apple’s App Store. No matter what card you used to pay for it.
Apple does a great job with purchases and plenty of notification. I was referring to the importance of keeping the users notified when authentication fails. I used the Amex example to demonstrate a system where my Amex interaction happens in real time and I can decide if I need to take action.
I have every intention of moving all my cloud data from other vendors to iCloud because I trust Apple more than I trust others and the new iCloud (when the promises come true) make it a no brainer.
I believe Apple has done what most would expect, but Apple is not Google or Amex. I want Apple to go beyond the obvious. I want some of Ivy magic here, especially when someone has all Apple devices; then I am sure Ivy can come up with something much more secure while at the same time keeping it usable.
I and 100s of millions like me would continue to buy Apple products as well as invest in its stock. Apple has managed to spoil us and we are asking more and more and security is ever more critical with the new kits (Health, Home, Car, Pay, more to follow) in the pipeline.
We all know if anyone can do it is Apple’s mindset for perfection.
For buddying securitologists [sic]:
http://en.wikipedia.org/wiki/Authentication
Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of the elements of each factor are:
the knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question), pattern)
the ownership factors: Something the user has (e.g., wrist band, ID card, security token, cell phone with built-in hardware token, software token, or cell phone holding a software token)
the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
Bad spelling day, eh? BUDDING securitologists [sic]. 😯
@morons suggesting fingerprint
Easier to obtain than a god damn password, also once you have it, it never changes. Fuck off morons.
Someone needs to take a chill pill!
I think I have 2 step on, but I am going to double check. If not, I am going to turn it on. I am no celebrity, but I value my privacy and want to – not simply protect myself but – forgo all the hassle that goes along with a breach of any kind.
What did I say that was so bad?
Now I remember why I didn’t use 2 factor authentication.
It was the key they assign to you. You are screwed if you lose it.
Me too. But at least I had my 15 minutes of fame, at least I think I did. It was at a Doors concert in San Diego in 1968; can’t remember much.
Awesome job by Apple investigating and being open with the result. Now those journalists that quickly put the blame on Apple…STFU!
I notified some of them of my displeasure at their calumny, but as usual they ignored me, in the same way that the river rats and skunks ignore my entreaties to leave my fruit trees alone.