Apple flat-out denies that an iCloud security breach led to the trove of celebrity nudes that leaked over Labor Day weekend. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” said the company in a statement.
Private photos of stars like Jennifer Lawrence were posted on the internet over the weekend, and initial reports pinned the hack on a flaw in iCloud’s login security.
The Next Web reported on a tool that allowed a hacker to attempt an unlimited number of “brute force” login attempts on an iCloud account. Apple quietly patched the flaw in a pretty short amount of time, but there’s been speculation that a similar technique was used to gain access to celebrities’ photos.
After investigating the issue, Apple has come to the conclusion that its security is not to blame. Instead, the company says the photos are a result of a “targeted attack” on celebrity user names and passwords. The FBI is investigating, and Apple is working with law enforcement to identify the hackers.
Two-step verification, a security measure Apple offers, likely would have prevented hackers from accessing the photos. The problem is that two-step verification is pretty complicated to enable, and it requires some digging to access that normal iCloud users won’t attempt.
Ensuring iCloud’s security to the public is incredibly important to Apple right now
In light of Apple’s HealthKit API and the proposition that iCloud will likely be storing personal health data in the near future, ensuring iCloud’s security to the public is incredibly important to Apple right now. Media scrutiny is high, and Apple can’t afford for iCloud to be labeled insecure ahead of its new hardware and software launches this fall.
Apple’s full statement:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at https://support.apple.com/kb/ht4232.