I enabled 2-step on my Google accounts earlier this year, and last night did the same with my Apple ID. I'm still thinking that this might not be a vulnerability in iCloud, however I am not as sure as I was last night when a friend asked about it. Now I'm a bit concerned.
 
The hack is perfectly in time for Photos in the Cloud.

In future, there will be leaks of whole LIVES of photos and videos.

We can talk about who to blame all we want, but it's a sure thing Apple WILL get flak for this, I'm admiring their confidence to face these kinds of scenarios.

Me personally, I will avoid Photos in the Cloud like the plague.
It's one thing to have a month's worth of Photo Stream copied from you, it's another thing to have all your life's personal recordings copied from you.

Glassed Silver:mac
 
This is by far the worst PR they could have before launching their HealthCare service....


Can't wait for the leaks of celebrity diseases though...
 
Apple said it was "actively investigating" the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.

"We take user privacy very seriously and are actively investigating this report," said Apple spokeswoman Natalie Kerris.

I'm confused. The first paragraph makes it sound like there was an iCloud security breach and Apple is investigating it. The actual quote sounds like Apple is investigating the allegations to determine if there was a breach. Which is it?
 
The hack is perfectly in time for Photos in the Cloud.

In future, there will be leaks of whole LIVES of photos and videos.

We can talk about who to blame all we want, but it's a sure thing Apple WILL get flak for this, I'm admiring their confidence to face these kinds of scenarios.

Me personally, I will avoid Photos in the Cloud like the plague.
It's one thing to have a month's worth of Photo Stream copied from you, it's another thing to have all your life's personal recordings copied from you.

Glassed Silver:mac

The difference is, people don't care about your media. If you have a hot wife, well you better keep those nudes somewhere else.
 
Chances are that celeb password security questions are ones that have answers you can find on Lougle.
 
I'm confused. The first paragraph makes it sound like there was an iCloud security breach and Apple is investigating it. The actual quote sounds like Apple is investigating the allegations to determine if there was a breach. Which is it?

Probably both.
 
That's a pretty big vulnerability they left open. I wonder if Apple will now force people to use 2 step authentication. As annoying as it is, it works.

Maybe I am wrong, but it wasn't a "big vulnerability" at all. Basically, it was just random guessing attempts, and many cloud services were the targets.

Many of those pics come from Android.

If you have "1234" as password, then it's your problem, not Apple's, not Google's.

The thing is: Apple should warn the user when someone fails to guess the password. I agree with that.

Why is "icloud" taking the heat? Clicks. No one gives a **** about Google or Microsoft.
 
Apple may be at fault for the breach, but those celebs should have known better than to keep nude photos/videos of themselves on a cell phone. I hope the general public learns a lesson from this.
 
Seeing as some pictures were taken on Android phones and also some videos it is more likely that these came from multiple sources and potentially iDevice backups (in the case of videos).

Gotta wonder if the stolen Twitter account details played into this?
 
...it's possible that a Python script shared on Github a few days ago also may have allowed hackers to exploit a vulnerability in Find My iPhone.

As described by The Next Web, the tool allowed hackers to repeatedly guess passwords without being locked out of an iCloud/Apple ID account, brute forcing their way into accounts.
...
That happens, if you do not hire the black hats.
 
Maybe I am wrong, but it wasn't a "big vulnerability" at all. Basically, it was just random guessing attempts, and many cloud services were the targets.

Many of those pics come from Android.

If you have "1234" as password, then it's your problem, not Apple's, not Google's.

The thing is: Apple should warn the user when someone fails to guess the password. I agree with that.

Why is "icloud" taking the heat? Clicks. No one gives a **** about Google or Microsoft.

This is my opinion:
1. It's a pretty bad vulnerability that should have never existed.
2. If celebs had easy passwords, they were asking to get hacked.
3. If the pics came from Android, maybe it wasn't an iCloud problem after all.
4. I do feel bad that some of these women had their lives exposed and I am not blaming the victim here.
 
Apple may be at fault for the breach, but those celebs should have known better than to keep nude photos/videos of themselves on a cell phone. I hope the general public learns a lesson from this.

I think the lesson most people will learn is not to trust cloud systems being forever promoted as the way forward. Putting all your personal information somewhere "out there" and in someone else's hands has always worried a lot of people and this will confirm those fears.
 
Apparently some photos were "deleted a long time ago". They were probably taken from Photostream, if iCloud was the source.

Yeah, seems very plausible.

If it turns out that Apple may have been lax and left a fairly easy exploit open, that's one thing. But people using their devices to snap risqué images, which connect to any cloud server, should really know more about what is going on with their content.

It's easy to dump images from Photostream, but I doubt Jenbo et al even knew this. Knowledge is power.
 
This was not only an iCloud breach, as several of those involved have clearly stated.

That's not how the media is reporting it. And since it's a slow news weekend because of the holiday (and the story involves celebrities and nude photos) this is getting a lot of attention. Apple PR better be on top of it.
 
I'm confused. The first paragraph makes it sound like there was an iCloud security breach and Apple is investigating it. The actual quote sounds like Apple is investigating the allegations to determine if there was a breach. Which is it?

I tweaked the first paragraph a bit to make it clear that Apple is investigating a possible breach. Wording on the Re/code article suggests there was actually a breach, but the spokesperson's statement is a bit more murky.
 
According to AppleInsider's report:

"Rumors of an iCloud security breach began circulating as soon as the first photos hit the web on Sunday, though there remains scant evidence to support the claims. The original poster of the images on web forum 4chan indicated that the shots had been collected from Apple's online service, but also admitted to having gathered the photos from others, making it unlikely that they are privy to the technical details of the leaks.

The fact that many of the celebrities were shown taking "selfies" with Android or Blackberry handsets cast even more doubt on iCloud's role. Other services, including Snapchat and Dropbox, have also been implicated at various times with similarly nonexistent levels of evidence."

http://forums.appleinsider.com/t/18...ty-photo-leaks-for-possible-icloud-connection
 
There's no indication at all that the Github tool was used to access the photos (as mentioned in the post), but there's a lot of speculation leaning that way given the timing of Apple's patch.

I've also seen theories that these photos were collected over a very long period of time. Even if the Find My iPhone exploit wasn't used to gather the photos, it looks like some of them did come from hackers getting access to iCloud accounts (likely through phishing scams).

Not allowing anyone to be able to brute force attack a password is the base of the base in security. Every authentication mechanism on earth usually locks up after X attempts to get in. X being quite low. I find it improbable that it's the case for that reason. But, not impossible.

I have a lot of trouble believing Apple wouldn't notice millions of attempts to log into one account. So, the passwords would have to be easily guessable too for this to happen. Was it possible to send a batch of name/passwords to be checked, checking them one by one also seems improbable (a high amount of log in transactions from one IP) if the passwords were complex? The whole thing seems improbable as described.

If anything happened, it seems that this bug just obfuscates the real way (social engineering) they got in. A malware to collect a password from an unrelated site and then use it on iCloud, is a lot less sexy and doesn't implicate Apple in the same way. That's a much easier way to go about, but gets you less kudos, than cracking an Apple password.
 
***READ****

This is not an iCloud hack, breach, or brute. This story has been spun to (my guess) take away from the big event September 9th.

There isn't a single leak or a single hacker. These images originate from a small celebrity nude ring on the darknet. They typically require people to "buy-in" with an original image.

Considering that celebrities almost all use an iPhone, putting iCloud hack in the headline is sure to grab attention and make some people actually believe it.
 
The script is available on Github. They brute forced using 500 of the top used passwords. A normal brute force would have taken forever. This isn't a normal type of brute force.
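
Added example, not part of any post in this thread and not Apple's code: the per-account attempt limit several posts above argue for, counted across every endpoint and source address, with a notification owed to the account owner when it trips. The thresholds, the endpoint name `/device-locator`, the account names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failed guesses tolerated per window
WINDOW_SECONDS = 900   # assumed policy: 15-minute sliding window
LOCK_SECONDS = 1800    # assumed policy: lock duration once the limit is hit

class LoginThrottle:
    """Counts failures per account, whatever endpoint or IP they arrive on."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.seen = defaultdict(set)        # account -> (ip, endpoint) since last success
        self.locked_until = {}              # account -> time the lock expires
        self.alerts = []                    # notifications owed to account owners

    def attempt(self, account, source_ip, endpoint, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                 # even a correct guess is refused
        if password_ok:
            self.failures[account].clear()
            self.seen[account].clear()
            return "ok"
        window = self.failures[account]
        window.append(now)
        self.seen[account].add((source_ip, endpoint))
        while window[0] <= now - WINDOW_SECONDS:
            window.popleft()                # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            ips = {ip for ip, _ in self.seen[account]}
            endpoints = sorted({ep for _, ep in self.seen[account]})
            self.alerts.append((account, now, len(ips), endpoints))
            return "locked"
        return "denied"

def replay(events):
    """Run (account, ip, endpoint, password_ok, time) tuples through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(*event) for event in events], throttle.alerts

# Constructed sample: eight wordlist guesses, one per second, each from a
# different address against a secondary endpoint; the seventh guess is correct.
SAMPLE_EVENTS = [("alice@example.test", f"203.0.113.{i}", "/device-locator", i == 6, 100 + i)
                 for i in range(8)]
# Constructed sample: a legitimate user who mistypes once, then signs in.
SAMPLE_EVENTS += [("bob@example.test", "198.51.100.7", "/login", False, 200),
                  ("bob@example.test", "198.51.100.7", "/login", True, 230)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the lock is keyed on the account alone, rotating source addresses does not reset the counter, but anyone can also lock a user out on purpose; deployed systems usually pair such a limit with a second factor or a challenge step.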
 
Apparently some photos were "deleted a long time ago". They were probably taken from Photostream, if iCloud was the source.

I've read that some of these were deleted before Photostream even existed.
 
I think the lesson most people will learn is not to trust cloud systems being forever promoted as the way forward. Putting all your personal information somewhere "out there" and in someone else's hands has always worried a lot of people and this will confirm those fears.

That's a little defeatist I think. You should learn not to keep things in the cloud that you don't want other people seeing. Let's be honest, 99% of our documents nobody cares about. But that 1% can be some juicy stuff. Notice none of Jennifer Lawrence's emails or documents were leaked. At least not that I know of.
 
Took you long enough to post MacRumors. This has been reported by over 50% of the tech websites hours ago.
I guess unconfirmed Apple news from unconfirmed sources are more important to post before something that actually happened.

As the most widely read Apple news site, the delay was necessary to allow Apple sufficient time to begin developing their PR spin and to carefully approve the wording of this article. It is taking longer than usual to finalize the PR strategy because of the holiday. Likely an acceptable final version of the spin will be posted up here by early tomorrow afternoon - shortly after the lunchtime slide presentation.
 