Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[lusky]

It doesn't matter it isn't Apple's fault it is still a PR disaster. all people will see is iCloud accounts hacked. They won't notice that the celebs didn't use the available security. I feel for Apple here, it's little wonder Apple are known for limiting user choice in how they use iOS when users do this sort of thing

 

[SandboxGeneral]

Maybe this will get Apple to enforce 2FA for their iCloud account holders. It would go a long way in keeping private things private.

 

[tigerintank]

no reference to brute force attacks here but i have read that elsewhere.

if true then apple do bear some responsibility as most sites have blocked brute force for for some years now.

 

[HurtinMinorKey]

So this statement still doesn't absolve Apple, if the hackers were able to use brute force in combination with circumventing automatic lockouts for failed loggins.

 

[1member1]

if it was a breach, would apple actually admit it?

wouldn't a third party have to prove it was a breach for apple to admit it?

the same would hold true for any company, not just apple

why would any company take the heat if they didn't have to?

well this issue led to a lot of talk on iCloud security that could easily go get some congress man and his force to investigate it with apple. i tend to believe apple is not lying.

 

[alexgowers]

If you are vain enough to take nude photos,
Then you probably have an dumb password.

If you don't want nude photos in the world then never take them in the first place. No one on the list should be allowed to protest about pictures they took, no matter who they were intended for. If you don't mind your naked self then good on you and post em up where ever you want.

 

[b11051973]

Famous people are targets and should go extra lengths to stay secure. These people have big bucks. They should spend a few and have someone give them advice on things like this.

Also, if you take a naked picture on an internet connected device, just assume the world will see it eventually. If you don't want a nude picture on the internet, don't allow one to be taken. If one is taken, delete it immediately.

 

[JoEw]

if it was a breach (brute force), would apple actually admit it?

wouldn't a third party have to prove it was a breach for apple to admit it?

the same would hold true for any company, not just apple

why would any company take the heat if they didn't have to?

Most of the time hackers will leak the exploit if the company lies or does not respond/patch.

Responsible hackers will give the company time to patch before releasing it to general public.

 

[GenesisST]

Jennifer Lawrence's breasts should be used as a PSA for stronger password / two-step authorization.

 

[newyorksole]

It doesn't matter it isn't Apple's fault it is still a PR disaster. all people will see is iCloud accounts hacked. They won't notice that the celebs didn't use the available security. I feel for Apple here, it's little wonder Apple are known for limiting user choice in how they use iOS when users do this sort of thing

Honestly I have a feeling that a lot of people won't want to use Apple's mobile payment offering when it's revealed next week .

People aren't going to want to use iCloud or have personal information with Apple .

 

[SMIDG3T]

So you're going to blame the victim?

You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

 

[rictus007]

But what about those celebrities that can't enter a hard to guess password?

 

[xero9]

I don't know how true it is, but I heard it was due to the Find my iPhone API not slowing brute force attempts.

I have noticed some differences in logging in to different aspects of Apple. For example, I have two step authentication enabled, but it's not required for Bug Reporter, or the Developer section. Maybe the two step is only for iCloud specifically, but it does highlight the fact that not all logins are treated equally.

 

[gotluck]

Most of the time hackers will leak the exploit if the company lies or does not respond/patch.

Responsible hackers will give the company time to patch before releasing it to general public.

what about the recently fixed ibrute exploit on github?

I'm not trying to hang apple here, I just have a hard time believing all of these concurrent leaks were from social engineering alone

 

[Makosuke]

Well, that's unexciting, but honestly not at all surprising.

Particularly with the security questions, I can imagine that as a celebrity if you're not careful it's exceptionally easy for someone to figure out the information compared to an average user without such a huge public profile of personal information available. Even security conscious average users know that it's the best idea to use answers that simply have nothing to do with the questions, and that is ten times greater for a high-value target with a lot of public information on them available.

While it's disappointing (if unsurprising) that a lot of celebrities weren't more careful, this does not, of course, somehow negate the crime of accessing and distributing private information. I'm not ever willing to blame the victim when a crime is committed--you should be able to make your password "password" and still have the right to privacy, because stealing information is still, nominally anyway, a crime.

 

[179202]

If you are vain enough to take nude photos,
Then you probably have an dumb password.

If you don't want nude photos in the world then never take them in the first place. No one on the list should be allowed to protest about pictures they took, no matter who they were intended for. If you don't mind your naked self then good on you and post em up where ever you want.

Wait...so you think EVERY SINGLE PHOTO that anyone takes is fair game for anyone else to steal and look at? Seriously?!

 

[ghostface147]

Celeb passwords, I assume, are easy to crack. Security questions are basic ones that can be looked up if you're famous. Unless a security question is what street did you grow up on and you answer kitty cat.

 

[Rogifan]

Honestly I have a feeling that a lot of people won't want to use Apple's mobile payment offering when it's revealed next week .

People aren't going to want to use iCloud or have personal information with Apple .

Oh please. This was a big media story because it involved celebrities and came out over a holiday weekend with not much other news to report. Now Isis is back on the front page and this iCloud hack that wasn't will be forgotten.

 

[Trapezoid]

Funny how quiet this thread is as compared to the speculative one. Applescruff, you may have finally found your flip floppers, except they're not on the side you wanted them to be

 

[taptic]

Clearly only women use weak passwords

How about we stop victim-shaming people, celebrity or not?

I never said it was just celebrities that are that way, and I certainly never said guys always have brains...

 

[A MacBook lover]

It doesn't matter it isn't Apple's fault it is still a PR disaster. all people will see is iCloud accounts hacked. They won't notice that the celebs didn't use the available security. I feel for Apple here, it's little wonder Apple are known for limiting user choice in how they use iOS when users do this sort of thing

It's comical how many Apple haters are disguised in this forum. Still trying to peddle the conspiracy of an "iCloud" breach.

Sorry the PR stunt didn't work. September 9th here we come.

 

[mozumder]

The accounts should have been locked when the first few password attempts failed.

Most systems lock you out if you try too many failed passwords, so hackers don't spend too much time trying to test every possible password in brute-force attacks. It looks like this was a flaw in Apple's iCloud system. Unfortunately, this was only fixed a couple of days ago.

If you look at the logs of people doing the ORIGINAL attacks at anon-ib.com/stol/ you can see they were doing this sort of brute-force password attacks for months, possibly years.

Sorry Apple, but this is the your flaw that caused this mess in the first place.

Really, the only long-term solution is to remove passwords from the authentication system entirely. Passwords are too easily guessable.

 

[alexwlchan]

If it was a breach (brute force), would Apple actually admit it? […] Why would any company take the heat if they didn't have to?

Credibility. If they directly lie or mislead on security issues, and are later found to be lying, then any future statements about security would be ignored. Transparency and truth lead to trust.

 

[stevemiller]

i had read it was a brute force method, but that it was also exploiting the fact that repeated login attempts to don't result in an account lockout. further there was some mention that apple did in fact patch this behaviour which ended further accounts being compromised.

of course its in apple's best interests to paint this as only a weak password issue, when in truth it was likely a combination of factors, including weak passwords, targets with lots of publicly accessible info that might be used in account security questions, and a system that was perhaps too lenient on repeated login attempts.

 

[Makosuke]

You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

I wouldn't condone the crime against you if you used a weak password any more than I would with a celebrity (whom I honestly have zero respect for in most cases--I don't even recognize most of the names mentioned in conjunction with this).

If a system has a wide-open back door and it gets exploited, you can certainly give the system owner a hard time for being stupid (see: Target), but that doesn't negate the crime any more than forgetting to lock your door makes it okay for someone to steal your TV.

The nature of this particular crime is also notable, in that it's not just a reparable or ignorable theft but an irrevocable violation of privacy.