Apple Store New York City

Anthony Quintano for Re/code

Apple said attackers broke into the individual accounts belonging to celebrities including the actress Jennifer Lawrence and not its iCloud system in a breach that led to the spreading of stolen nude photographs across the Web.

The company on Tuesday said “certain celebrity accounts” were compromised in what it called a “very targeted attack.” It said that after 40 hours of investigation, it has determined that the iCloud system itself wasn’t breached.

The early results of Apple's ongoing investigation appeared to rule out a system-wide compromise of its services at a critical moment. Apple is expected to introduce electronic payment and health services at a launch event in San Francisco next week, when it is also expected to introduce the next-generation iPhone and show off a new wearable device.

Apple’s statement raises the possibility that the people affected were hit by some sort of phishing attack that gave the perpetrators information they could use to carry out the scheme, after which the attackers guessed passwords by brute force, trying candidates over and over until one worked.

Here is Apple’s statement:

“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

Word of the disclosure of private photographs said to be taken from the accounts of the actress Jennifer Lawrence and the model Kate Upton among numerous other celebrities surfaced over the weekend.


7 comments

abetancort

Now, next time someone tells you he uses a 30 digit password (with all uppercase, numbers, symbols, lowercase and letters) and also 2 step authentication (token) and nothing is written anywhere, and his iPhone has a complex password of 10 digits... And that every key, but the master of the master keys that is 60 digits and it has never been used and it's not even associated with him but with an email used solely for recovery if everything else fails, rotates every 3 months (discarded)... And that he never shares a password used and expired or still working with anyone... Not even his closest... "No secret shall continue to be if more than two or more knows about it".

You will know that he or she isn't just paranoid but rather aware of the risk.... Most of the time the Weakest Link in a Security Protocol is a Person, being the user, some helping customer support representative...

You can blame Apple or whomever you want.... But learn how to use a key and lock too.

But if you keep leaving your keys and alarm card under the rug... Sooner than later someone will be taking a stride through your house. And yes, you can probably blame the locksmith and the security company, they could have thought about it and prevented it by using your retina as a key and to shut down the security system... But then it would have been kind of an annoyance to get one of your eyeballs surgically removed and put into a formaldehyde-filled sphere so you could put it under the rug, wouldn't it be?

bytehead

Allowing people to keep guessing the password over and over again may not be technically a breach on Apple's side, but it IS an Apple problem, regardless of what they are trying to say.

mwuk

The headline in the HTML title and social media links is misleading and contradictory to Apple's statement, which you've even reported here.


"Apple says it was the individual accounts belonging to celebrities, but not its systems that were breached" - Hence iCloud was not hacked, and while the victims themselves may have been, even then that isn't known and it may have been a phishing scheme or similar (i.e., not hacking).

mknopp

@bytehead Where is your proof that this is what happened?


My daughter's Facebook account was hacked a few weeks ago. So, we changed all of her passwords on all of her accounts. When we changed the password for iCloud we forgot to update the password on her iPad. After a few days she couldn't get access to her iCloud account anywhere. It was locked out. Our only guess is that her iPad sent the old password too many times and locked out her account. I have also had iCloud lock me out of my parents' iCloud account when I was typing in their password and forgot that the right shift key was broken, so when I thought I was typing a capital letter I wasn't.

My point being, you are stating that Apple allows a person to guess a password over and over again until they guess it. My experience is that this isn't allowed.

JMWJMW

@bytehead  The yarn above (as intended by Apple for its stenographers in the press) is grossly misleading.


The skinny is that celebrity Apple email accounts were hacked.  The first phase involved trying to discern the email address, then brute force on the passwords.


Neither of the above is something within the power of customers to change or even detect.  Apple is blaming its customers for Apple bad engineering (again.)


Apple might be outraged, but the celebrities will get the last word on this one.  "Loss of reputation" "negligent infliction of emotional distress" and similar words will be bandied about.  And Apple will pay and pay, because it's their reputation at risk.


Were Apple a well-managed company, they would remove any mention of payments and health in next week's announcements.  Ya' see, the only way a non-idiot would work with Apple on those is if APPLE TAKES FULL RESPONSIBILITY FOR THIS AND PREVIOUS ATTACKS.


Try blaming the customer when their health information is disclosed due to a combination of guessing email addresses and brute-force attack on Apple servers.

JMWJMW

@mknopp This confusion is because you don't understand exactly what happened here.  Yes, Apple limits how many times users (using the front door) can guess their password.  I note that you also address the fact her iPad didn't recognize a valid password.


But, there is another way to do this; the "Find My iPhone" APPLICATION PROGRAMMING INTERFACE (API) which you don't know how to use, but computer programmers do know how to use.


The problem here is that Apple limited how many times you can guess a password ('security theater') but forgot or didn't care to put any such limits on how many times a programmer's code could attempt to guess passwords.


Apple is lying.  Apple will end up paying.  This is pure negligence, and much, much worse.  Apple will have to stop talking and wait for the lawsuits now because they are only digging a deeper hole.
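As an added illustration of the failure mode the comments above describe (a lockout enforced on the interactive login but not on a programmatic path), here is a toy in-memory authentication service; it is example code written for this page, not Apple's or the commenters' code, and the `limit_all_paths` flag, the five-attempt limit, the 15-minute lockout and the wordlist are all assumptions constructed for the example.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy values, not Apple's
LOCKOUT_SECONDS = 15 * 60

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    """limit_all_paths=False models the flaw the comments describe."""
    def __init__(self, limit_all_paths: bool):
        self.limit_all_paths = limit_all_paths
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(password, salt))

    def _verify(self, user: str, password: str, enforce: bool) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"                 # same answer for unknown users
        now = time.time()
        if enforce and now < acct.locked_until:
            return "locked"                 # refuse before checking the password
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1                  # one counter shared by every path
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "denied"
    def web_login(self, user, password):
        return self._verify(user, password, enforce=True)
    def api_login(self, user, password):    # the "second door" of the comments
        return self._verify(user, password, enforce=self.limit_all_paths)

def guesses_until_stopped(svc, user, wordlist):
    """Feed a wordlist to the API path; return (outcome, attempts used)."""
    for i, pw in enumerate(wordlist, 1):
        r = svc.api_login(user, pw)
        if r != "denied":
            return r, i
    return "denied", len(wordlist)
```

With `limit_all_paths=False` the API path keeps answering until the right word appears, even though the web path would already be locked; with `True` the same wordlist stops at the sixth attempt with "locked".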
