Reacting to the hacking of the iCloud accounts of numerous Hollywood celebrities, which leaked private photos including nude photos of actresses, Apple has finally come out with a statement in which it acknowledged that certain celebrity accounts were compromised by a “very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” Apple maintains that there was no breach of Apple’s systems, including iCloud or Find My iPhone. What Apple is essentially saying is that individual accounts were targeted in this case.
Photos alleged to be those of Hunger Games actress Jennifer Lawrence and a who’s who of Hollywood leaked on the Internet over the weekend. The trove of images, many of them alleged nude photos of Jennifer Lawrence and other celebrities, first appeared on 4chan, with the anonymous poster claiming the photos were obtained by hacking into the celebrities’ iCloud accounts. The hacker was selling these photos in exchange for Bitcoins.
A report yesterday suggested that the hackers were probably able to access the celebrities’ iCloud accounts by employing a brute force attack. A Python script had emerged on GitHub that took advantage of a vulnerability allowing an attacker to make an unlimited number of password guesses without triggering the security mechanism that locks an account after a certain number of wrong attempts.
Apple had reportedly patched the vulnerability soon after the photos leaked. However, Apple’s statement suggests that this vulnerability wasn’t used to get into the accounts of affected celebrities.
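As an added illustration (not Apple’s code and not the GitHub script the article refers to), the following Python sketch contrasts a login check that imposes no limit on failed attempts with one that locks the account after a fixed number of wrong guesses; the lockout policy numbers, the account name and the password are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
MAX_FAILURES = 5           # assumed policy: lock after 5 consecutive wrong guesses
LOCKOUT_SECONDS = 15 * 60  # assumed policy: refuse all logins for 15 minutes once locked

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive wrong guesses since the last success
    locked_until: float = 0.0  # unix time; 0 means not locked

class AuthService:
    def __init__(self, enforce_lockout: bool):  # False models the unthrottled endpoint
        self.enforce_lockout = enforce_lockout
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        # Returns "ok", "denied" or "locked"; `now` is injected so the lock is testable.
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same verdict as a wrong password: no user enumeration
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"  # even the right password is refused while the lock holds
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.enforce_lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"

def run_guesses(enforce_lockout: bool) -> list[str]:
    # Ten constructed wrong guesses, then the right password now and after the lock expires.
    svc = AuthService(enforce_lockout)
    svc.register("alice", "correct-horse-battery")  # constructed sample account
    verdicts = [svc.login("alice", f"wrong{i}", now=1000.0) for i in range(10)]
    verdicts.append(svc.login("alice", "correct-horse-battery", now=1000.0))
    verdicts.append(svc.login("alice", "correct-horse-battery", now=1000.0 + LOCKOUT_SECONDS))
    return verdicts
```

Without the lockout every wrong guess is simply refused and the eleventh, correct guess succeeds; with it, the fifth failure locks the account and even the correct password is rejected until the window has elapsed.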
Here’s Apple’s statement in full:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.