Apple’s iCloud is secure; weak passwords and gullible users are not

“The week before a crucial launch of its new iPhone, Apple Inc said intimate photos of celebrities including Oscar-winner Jennifer Lawrence were leaked online through the apparent hacking of individual iCloud accounts,” Edwin Chan and Christina Farr report for Reuters.

“Apple rushed to restore confidence in its systems’ security, saying the celebrity photo scandal that also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems,” Chan and Farr report. “‘We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,’ Apple said in a statement. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.'”

“The celebrity hacking that came to light over the long Labor Day weekend nevertheless ranks among the highest-profile public fiascos for Apple in recent years. Regardless of how the leaking of nude celebrity photos actually happened, the timing could not have been worse for Apple as it prepares to launch a new iPhone next week,” Chan and Farr report. “Cybersecurity experts say the perpetrators possibly gleaned the celebrities’ email addresses and mounted a long-term phishing attempt – a relatively straightforward attack through which hackers gain access to users’ accounts by getting them to click on a compromised URL or Internet link.”

Read more in the full article here.

MacDailyNews Take: The problem, beyond those who click links in emails willy-nilly, is that too many people use one password for multiple services and weak passwords at that. Once hackers guess it, they then have access to all sorts of things: cloud storage, bank accounts, Facebook, Twitter, email, etc.

Regardless of the origin of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.


45 Comments

          1. Doesn’t sound plausible. Your SIM must receive the SMS. You can receive the SMS only on your Mac because the new iMessage will use BTLE technology to relay your iMessage messages (including SMS) from your phone to the desktop.

  1. I’m not terribly security conscious, but even I know to keep my passwords unique. And I have a separate email address for my personal life and ones I give to companies that sell me stuff, and no-one (except my wife and Apple) knows our iCloud email address. Oh. And any naked pictures we may (or may not) have made aren’t backed up on the cloud 🙂

  2. I appreciate the lesson Jennifer Lawrence had to learn.
    I guess this will be the shake-up-the-world wake-up call to think about security, privacy, password algorithms and what to share and what not, BUT most of all:

    How secure is your password?

    Does it contain at least one symbol / special character, upper AND lower case letters and numbers as well?

    Here is one little piece of advice:

    Don’t choose simple passwords like “1qaz+wsy”
    or “jenny123”

    To be safer think different:
    Example: choose the first letter of each word of this easy-to-remember sentence:
    “The first movie I got an Oscar for was the Hunger Games” =
    TfmIgaOfwcTHG would not be too bad, right?

    To make it even more safe you make some changes here:
    TfmIga04wc”THG”

    That’s pretty easy to remember and much safer!

    Go another step further like:

    Tfm>Iga04<wc"THG"

    Pretty hard to hack, if you are not Jennifer Lawrence, because this password sentence itself is too obvious on her account 😉 So Jenny, how about:

    "When the world is running down, you make the best of what's still around"
    I guess we will see Jennifer very soon in another blockbuster movie and of course not only the guys will still love her very much as an outstanding beauty and actress!

    Another piece of good advice is:
    Do not use your iCloud password anywhere else!

    Your smartphone has become an important part of your privacy and this has to be protected well, don't you forget it!

    1. Thank you for your excellent and helpful post. I’ve read a lot of chuckling at the victims of these attacks because they are celebrities. But they are victims, regardless of whether they used strong, unique passwords and two-factor authentication – or not.

      The point here, one you made so well, is that all of us should learn from these attacks. My hunch is that the celebrities were victims of a targeted spear phishing attack. Sadly, these are becoming more sophisticated, and are often used by foreign intelligence agencies or high level hackers to gain access to corporate and government networks through carefully crafted emails with links. It could happen to all of us.

      Your suggestions are ones we should re-read, regardless of whether we practice them or not. Criminals are crafty and motivated. We have to stay a step ahead. I’m disgusted that the victims of this hack were all women, likely the target of a basement-dwelling script kiddie loser.

      Karma works slowly, but eventually, it will.

  3. Password security is a good answer, but the elephant in the room is “How stupid can you be to take nude photos of yourself when you’re a public figure?” Duhhh…

    1. I know what you mean, but don’t you think she just wants to be an average person doing stupid things from time to time, especially when you feel safe with Apple’s ecosystem?

      She’s got curves man, and you know what? I would take naked selfies the whole day if I were in her shoes!

  4. Browsing the web, the pundits are STILL trying to twist it as Apple’s fault (as they were bashing Apple all through the weekend based on fact-less Apple-hate suppositions). Apple bashing gets more page hits than a bland ‘not Apple’s fault’.

    If Apple came up with a device easily used by the BLIND, pundits would headline “With New Product Apple Again IGNORES the DEAF!”.

    1. Yeah, already I’ve seen quite a number of “Why would I deal with Apple mobile payments after iCloud has been hacked.” Stupid for two reasons. One is that iCloud was not hacked, and mobile payments using a fingerprint and an AX Secure Enclave processor would be a huge difference. No matter. If people are looking for reasons to fault Apple and can’t find them, then they’ll just make up some reasons of their own.

      The news media grabs an article and then repeats it endlessly without ever checking the facts. All of them busting their asses to get attention. If Apple says they’re not at fault, then there will be some articles saying Apple is simply trying to cover up their breach. That’s how it is.

  5. Phishing attacks are a part of the problem, and they are getting worse. While I can spot phishing pages, they can look identical to log-in pages, so I don’t think one has to be totally gullible to type their password into one.

  6. Look at MDN trying to toe the Apple line. Of course iCloud was compromised. I’d expect nothing less from Tim “the steward” Cook’s rotting Apple. That’s right, blame the users. It is never Apple’s fault. They are blameless and innocent and can never be blamed for anything.

  7. Two step verification is being used to deflect the blame. The celebs are idiots for taking the photos in the first place.

    However, all vendors including Apple need to take privacy and notifying users of a potential hack seriously. I have never received an email when I typed the wrong password. How hard is it to give users the option to receive a text and/or email on every failed login attempt, or on an arbitrary number chosen by the user within a given time period selected by the user?

    Users are too trusting and do not take security seriously which I think is dumb but more importantly those who just blame users or recommend using complicated methods are self-promoting hacks who do not live in the real world.

    It is very simple to keep users informed and empowered to take the right action.

    Apple is the only company I trust to finally take this on and I bet Apple has been working on this to make sure iPay or whatever pay service is called will be world class secure.
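The failed-login notification the comment above asks for, as an added illustration that is not part of the post or of any Apple service: a per-account sliding-window counter over constructed authentication log lines, where each account chooses its own failure threshold and time window (a threshold of 1 means "notify on every failed attempt"). The log format, account names and preference table are all constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real iCloud logs): "<ISO timestamp> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2014-09-01T10:00:01Z alice FAIL
2014-09-01T10:00:05Z alice FAIL
2014-09-01T10:00:09Z alice FAIL
2014-09-01T10:00:12Z bob FAIL
2014-09-01T10:20:00Z alice FAIL
2014-09-01T10:20:30Z alice OK
2014-09-01T11:30:00Z alice FAIL
"""

# Constructed per-user preferences: account -> (max_failures, window).
# bob wants a notice on every failed attempt; alice tolerates 2 failures per 10 minutes.
PREFS = {
    "alice": (3, timedelta(minutes=10)),
    "bob": (1, timedelta(minutes=10)),
}
DEFAULT_PREF = (3, timedelta(minutes=10))


def parse_line(line):
    """Split one log line into (timestamp, account, result)."""
    ts, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, result


def failed_login_alerts(log_text, prefs, default=DEFAULT_PREF):
    """Return [(account, timestamp, failures_in_window)] for every point at which an
    account's failures inside its trailing window reach its chosen threshold.
    The window is cleared after an alert so one burst produces one notification."""
    windows = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result = parse_line(line)
        if result != "FAIL":
            continue                # successes are not counted; only failures age out
        max_fail, window = prefs.get(account, default)
        recent = windows[account]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the user's window
        if len(recent) >= max_fail:
            alerts.append((account, ts, len(recent)))
            recent.clear()
    return alerts
```

With the sample above, alice's three failures inside ten minutes trigger one notice, bob's single failure triggers one because his threshold is 1, and alice's later isolated failures (70 minutes apart) trigger nothing.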

  8. 1- Storing anything of value on a 3rd party server when you really do not need to is kind of stupid IMHO.
    2- My iCloud account and my Apple ID are completely different. Makes things a touch more complex to set up, but works better in the end.
    3- I will NOT be using Apple mobile payments any time in the near future until I am sure the style over substance crowd in Cupertino have finally done their homework. Apple’s track record of effed up web services is long and undistinguished.
    4- Isolate your bank accounts from internet accounts with a 3rd party service where you can insulate your exposure. Does not have to be Pay Pal, but it is an option. The new AmEx Serve looks promising at $1/ month as a place to put money as an intermediary between bank and internet commerce.

    If you are a movie star and can get extra dollars for doing nudity, why would you put crappy iPhone pix up on a cloud server? Jennifer Lawrence has now done nudity and she didn’t get paid for it. Anyone who wanted to see her nips has by now.

  9. My dad always says if one man makes it, another man can break into it.

    This is exactly what happened here.

    I would never put nude selfies or anything else that personal on any cloud storage service. Because then you’re placing your privacy in the hands of a computer and the corporation that runs it.

    Now the guy who was able to ‘hack’ iCloud is to blame here, but so are the celebrities themselves in part for even having those kinds of images on there. Perhaps now people will learn just how dangerous putting stuff like that on a cloud server, or anywhere on the internet for that matter, can be.

  10. Perhaps a compromise could be made in 2-factor authorization to only require such steps when using devices on ‘untrusted’/new access points. Sort of how my bank and credit card sites will have me authenticate myself using 2 or 3 means when I access their site from an unrecognized IP address (or maybe other device identifier).

  11. The headline is a contradiction.
    “Apple’s iCloud is secure; ” + “weak passwords and gullible users are not”

    How is iCloud secure, if it’s protecting gullible users’ accounts through their weak passwords?

    Not saying I know an easy solution – but at least I can identify the point of failure: the reliance on password.

    Many of you are pointing to two-step authentication. If that’s really the answer, then it should completely replace the password system that’s proven insecure too many times already. However, I have lingering doubts about two-factor. It’s not practical yet to expect everyone to have a phone and have it charged all the time – and even when I do have it, all those text messages still annoy me for some reason. There’s got to be a better way…
