FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos

“Apple Inc, which is poised to unveil new iPhones next week, and the FBI are probing reports hackers used the company’s iCloud service to illegally access nude photos of actress Jennifer Lawrence and other celebrities,” Duane D. Stanford reports for Bloomberg. “Hackers posted the nude photos on the anonymous image-sharing website 4chan, the Telegraph in London reported. The photos targeting more than 100 U.S. and U.K. celebrities were allegedly obtained by breaking into iCloud accounts, the newspaper said. Apple has fixed a bug in its ‘Find My iPhone’ software that may have allowed hackers to access celebrity iCloud accounts through so-called brute-force attacks that try multiple passwords, the Engadget technology website reported, citing developers.”

“The U.S. Federal Bureau of Investigation released a statement yesterday saying the agency is aware of the allegations ‘concerning computer intrusions and the unlawful release of material involving high profile individuals.’ The agency is ‘addressing the matter,’ Laura Eimiller, an FBI spokeswoman in Los Angeles, said by e-mail,” Stanford reports. “The risk to iCloud users will depend on whether the breach happened within Apple’s security or within the celebrities’ personal accounts, said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Either way, some users may not understand when and how they are using such services, especially during the set-up.”

“One plausible explanation for a wide breach of private photos is by way of a password-retrieval system, said Woodrow Hartzog, who teaches privacy at the Cumberland School of Law at Samford University in Birmingham, Alabama,” Stanford reports. “Customers generally recover forgotten passwords by providing information or answering questions about themselves. Celebrities are particularly vulnerable to hacks of these programs because so much of their life history, such as where they were born, is available in biographies, news stories and websites like Wikipedia.”

Read more in the full article here.

MacDailyNews Take: Bad, bad, bad optics. In fact, it’s tough to imagine worse optics for Apple if they do indeed hope to debut a mobile payment system in a week. Yes, these celebrities should have used two-step verification for Apple ID if they wanted to keep their accounts secure, but there are no two ways about it: Failing to prevent brute-force iCloud password attacks long ago was a tremendous oversight for the world’s most valuable company. Apple needs to be equated with security and privacy. Today, they are not. Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Right or wrong, it’s doesn’t matter: These days, perception is everything. Once the narrative is out there, it’s very difficult to change (see: Apple Maps). Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!

Public Service Announcement: The problem is that too many people use one password for multiple services. The hackers guess it right once and than have access to all sorts of things: cloud storage, bank accounts, twitter, email, etc.

Regardless of the origination of these photo and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.

Related articles:
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

39 Comments

  1. Could of, should have, is irrelavant, While the blame routinely falls on the company, its the user with crappy lame passwords and posting things that they know they don’t want seen in places where they could eventually be found.

    1. I don’t want to sound like a “blame the victim” type, but the fact of the matter is that the only way to be sure that naked pictures of you don’t appear on the internet is not to take any in the first place. And if you do, for crying out loud, don’t put them on the internet yourself!

      I’m only concerned about this if it reveals a vulnerability that could result in damage greater that stealing naughty pictures, say, if access to your credit account could be stolen.

      ——RM

      1. The culprit was able to obtain user name / password for the iCloud account of these people. This seems difficult at first, but if we think how most password reset systems ask personal questions, then it might be rather plausible that someone was able to answer even the most personal questions for a celebrity by simply looking it up in Wikipedia…

        These pictures were NEVER shared. They were probably sitting in the “My Photo Stream” section of the iCloud, which is used to make sure every picture you snap with any of your Apple devices automatically gets transferred to every other Apple device you own. None of this is shared unless you set it up for sharing — the “My Photo Stream” library is PRIVATE and protected with your iCloud authentication system. It is as safe as you make it (which is why there is the two-step process).

        1. Understood. That’s why I try only to set security questions where the answers can’t be determined by research because they’re based on personal memories. For example, someone researching me might be able to find the make and model of my first car, but I doubt they’d learn the nickname I had for it.

          Some sites only ask stupid questions with public info as the answer. Some people get around this by answering with gibberish, but then that just becomes another set of passwords you have to remember.

    1. This is the biggest hit to Apple in years. How can they ask people to trust them with payments, much less iCloud photos, documents, etc. That’s why it’s being covered so comprehensively and well by MDN.

      1. One very big thing in your “etc”, which ranks above photos and unspecified documents, and unlike iWallet is not a merely rumour: HEALTH INFORMATION.

        Apple claims this info is only ever stored on the device itself, same as fingerprints. But apps clearly will have access to it, and since Apple revised its app policies to require developers NOT sell any health-related info, it seems clear that apps can send some aspect of this health data off-device.

  2. MDN has nailed it! Nailed it!

    “Today, in the minds of the general public, Apple is insecure and nothing is private on Apple devices. Apple’s rather dysfunctional and often too-slow-to-react PR department has a challenge to rival Antennagate on their plates, one week ahead of the company’s most important events ever. Good luck, Apple!”

      1. Jay Morrison is a well-known troll on this site, but by sheer accident, he is correct. But of course, not on his own — the entirety of his post is a quote of MDN’s take, which is unfortunately correct.

        While we all know that Apple security was never breached here (if you hide they keys to your house under the mat, you can’t complain to the police about the thieves breaking in).

        1. What? If someone gets into your house and steals something or vandalizes it in any way – whether or not you left your door wide open or not – they are still commiting a crime.

          The real issue here is people thinking any kind of internet usage can be totally private and 100% secure.

    1. Rumors, FUD, and propaganda pass for “news” these days. The truth does not matter, rather it’s who says what first and with what sort of energy that carries the day. This is caused by intellectual laziness – it takes energy and determination to dig through the detritus to uncover / discover reality.

    2. True. It has yet to be determined whether it was a hack of iCloud itself or whether it was a social engineering hack over several years. Some of the images posted are supposedly several years old (according to the person herself) that she claims have been deleted from ALL media of which she is aware, including never having been on iCloud.

      But, to some extent MDN is correct. Whether iCloud was hacked or not, the general perception of the public is that iCloud has been hacked and that Apple’s security is terrible. Unless Apple very, very rapidly gets out in front of this, it WILL come up in future articles about using Apple devices for payments or health data. Such negative articles will make moving forward by Apple for such things extremely difficult.

      Just for example, people are still blaming the “Find my Phone” hack as a likely culprit for this hack without thinking for one moment that this specific hack has already been closed by Apple!

      Apple needs to get to the bottom of this FAST — like within the next two or three days at most. Then Apple needs to disclose what happened AND Apple’s implementations to absolutely minimize the chance of it ever happening again.

      1. Those in the don’t know are throwing out the “hacked the iCloud account” phrase, got news for you…. True or not.., Apple lost a bit of its security clout with this whole incident. Not the type of publicity when you’re trying to make your clientele more cloud reliant.

  3. “Use two-step verification for Apple ID to keep your personal information as secure as possible.”

    Absolutely not. Two step security is NOT “as secure as possible”.

    Apple needs to offer two FACTOR, not just two STEP, security for those who want it. Three factor would be even better.

    For those that want to use simple two step security, then fine. Let them get hacked. Hacking two step sometimes is not significantly more difficult than single step. Hacking two factor (or three factor) security is *significantly* more difficult than single or two step security.

    I am not saying that Apple should *require* two factor security (though I would not complain if they did). Apple just needs to do an elegant integration of two (or three) factor security and offer it to those who feel they need it.

    1. You seem to be trying to say something but the way you’re saying it comes out the same (two-step / two-factor security is bad, two-step / two-factor security is much better). To an ordinary person the two (two-step, or two-factor) mean exactly the same.

      Could you provide examples, so that we can get the idea of the difference (if there is any)?

    2. Apple’s two-step authentication is two factor:

      1 – Your user name/password combination (something you know)
      2 – An access code is sent to a single, trusted Apple device in your possession (something you have)

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.