Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[DisMyMac]

I'm working too, Apple. Hope they were real criminals and not some FBI stooges on a publicity tear.

 

[apolloa]

Yes, all of them just as misinformed as you. This is why groups of apple haters never, ever, get their facts straight.

And that is EXACTLY how they are configured to do things. Today, yesterday, last year. That is exactly why what happened with find my phone was called a backdoor. It happens to every tech company out there at some point or another, but again...you aren't paying attention to the details of that specific crack.

You may think I'm defending Apple here, but this is simply injecting facts into your uninformed argument. Facts that pretty much make 90% of what you're whining about a moot point.

Apple hater? Now your being judgemental and stereotyping just because someone has a different opinion.

And as far as I know, they do.

So your both implying Apple was hacked even though Apple have stated no systems were 'breached' then? Because to me, the fact that they had a security hole, that they then patched, after celeb nude photos were leaked and announced to come from iCloud is all rather convenient.

So did this security patch block a security hole, or block anyone entering a password multiple times before they gain access? Because some on here are saying you can, you two are saying you can't.

 

[Rogifan]

I continue to be amazed at your unrelenting fervor for being Apples foremost sycophant.

Let's review your statement and apply even a smidgen of perspective; you'll be amazed at what happens when one isn't blinded by the big Apple. Rogifan, just to make sure, I want you to know I wasn't referencing the USA's largest city.

"This was a big media story" That's what the media does, for better or worse, break stories.

"it involved celebrities" Celebrities, stories, and dare I say nudity? Of course it had no chance of displacing other news (SARCASM, Rogifan)

"holiday weekend with not much other news" Other news or not, potential hack of celebrity nudity is not a run of the mill story.

"iCloud hack that wasn't" It may or may not have been an iCloud hack. If genuflecting at the Altar of Apple provides you with clairvoyance the rest of us don't have; please enlighten us. I, however, suspect that blind ignorance has iClouded your judgement (see what I did there?).

I gotta hand it to you though, you do provide me and others, with our daily cult-induced snicker (not the chocolate bar).

I stand by everything I said. The Daily Mail's of the world jumped on this because it was celebrities and nude photos. And hey, if they could blame it on Apple all the better because Apple + nude celebrity photos = the ultimate click bait and tons of page views.

 

[JAT]

"holiday weekend with not much other news" Other news or not, potential hack of celebrity nudity is not a run of the mill story.

LOL!! Yeah, it is. Maybe everyone is nicer in Canada.

 

[TMRJIJ]

Really amazing how sheepish some of you are on here. You think by apple making a statement saying it wasn't them means it wasn't them! How stupid are you?

Do you really believe all 11 or more people had weak passwords? Come on now, grow up and realize apple isn't all that and a bag of chips.

11 people? Dude there are over 40 million people with Apple IDs. A good 200,000 of those people have weak passwords.

 

[mozumder]

11 people? Dude there are over 40 million people with Apple IDs. A good 200,000 of those people have weak passwords.

It's more like 10-30% that's easily crackable..

 

[tbrinkma]

Even a weak password needs a lot of attempts to crack. So how did they do it if they can enter a password only 5 times? I think this press release is BS.

Essentially, it's a matter of crowd-sourced 'dumpster diving', where a bunch of people rummage through all aspects of someone's life, and work to come up with a 'short list' of likely passwords.

The first time I needed to work on my wife's computer while she wasn't around, I was able to guess her password in 2 tries. I've since (unsuccessfully) tried to convince her to change it to something more secure.

I haven't used a password under 12 characters in over a decade, except on the increasingly rare systems with a password length limit.

 

[2010mini]

This just might be the doomsday event hackers/sercurity experts have been yelling about, that finally gets everyone's attention.

 

[kevinof]

Couldn't agree more. It's a basic security measure and one that should be used everywhere. We run a cloud service and after 5 attempts you are locked out and you have to recover your password (ie get a new one). It also alerts us immediately and tracks that IP address to see if it tries with a different username or password combo. It's a simple way to catch a hack attempt. This is basic security 101.

I can not understand why Apple can't enable a simple lock out feature. Yes it can be a pain in the *** but you have to have security as the number 1 goal.

"Though this tool allowed for multiple attempts to enter a password without being locked out of an account, it appears that it was not a factor in the recent hacking of celebrity accounts due to Apple's statement that Find My iPhone was not involved."

Sorry, that doesn't absolve Apple of anything. A secure system should have thwarted repeated attacks. It was the repeated attack that gave away the weak passwords.

So how do you determine the weakness of the passwords? Number of attacks!

Bottom line, the account should have locked out after say 5 attempts preventing any brute force tool!

 

[macfacts]

If Apple says Apple is not guilty then that is all the evidence I need.

If Apple was able to determine that these victims used weak passwords, why did Apple let them sign up with a weak password?

 

[iBug2]

Beating yourself up over a mistake is not the same as millions of people victim blaming JLaw because her privacy was hacked. A true comparison would be the poster blaming himself for his mistake and also Jennifer Lawrence blaming herself for a mistake. And I use mistake for lack of a better term, being the victim of an illegal crime is not a mistake at all.

For example if I do something stupid and only 3 people blame me and someone else makes the same mistake and 4 people blame him, this is not comparable at all?

Really?

Even your example is not "true comparison" because different people behave differently. Maybe my blaming myself is much stronger than JLaw blaming herself.

Let's not get off the point here please.

The difference here is that people are slut-shaming her for taking nude pictures,

That's completely different and I don't think she's a slut for taking pictures of herself, but I think she's partly to blame to get them leaked if and only if she was careless about the account.

 

[tbrinkma]

Yes, it does. We all have our own opinions. If they used such a weak password, what do you expect. It's just pathetic, it really is.

Wow. Wonderful logic there.

I hope you have unbreakable windows, and a completely secure lock on your doors. Otherwise it'll be *your* fault when someone breaks in and steals your stuff.

Blaming the victim of a crime takes a 'special' level of stupidity.

 

[Trapezoid]

I didn't read ANY of that in their statement in this story. Please point to where APPLE have stated that in their press release.

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud(R) or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

I bolded where they said that in their statement. Here is their statement: http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

Now I don't know why you didn't see "any of that in their statement in this story" other than you didn't read it and just wanted to continue apple bashing.

And they have still admitted it was their systems where the photos were stolen from, a point I do believe you stated was incorrect here:

I'm not trying to insult so please do not take offense and if you do I apologize in advance. I can see why other posters get frustrated talking with you; but is english not your first language? I did not say that the photos were not stolen from iCloud. In fact, I CLEARLY said that they very well might be. What I did say was that Kirsten Dunst saying "Thanks iCloud" doesn't make it Apple's fault. You used her tweet as proof that it was an apple hack, you started bashing apple talking about their poor security blah blah blah. The fact is, that's not what happened.

If english is not your first language, I'll give you the benefit of the doubt and not accuse you of being obtuse.

 

[iBug2]

Wow. Wonderful logic there.

I hope you have unbreakable windows, and a completely secure lock on your doors. Otherwise it'll be *your* fault when someone breaks in and steals your stuff.

Blaming the victim of a crime takes a 'special' level of stupidity.

No. Having unbreakable windows and complete security in your lock would not be the equivalent of the situation here. That would be having a 5 step verification with fingerprint retina and DNA scan every step of the way to access to your icloud.

Nobody is expected to go that far to protect a couple of nude pictures. The security has to match the value of the target.

 

[gnasher729]

How do they know if the passwords are weak or not?
I mean the passwords are stored as a Hash-Value in the database.

If there is news that photos of celebrity A, B, and C have been leaked, Apple could probably put one security person + one lawyer into a room, try out the passwords "1234", "password", "love", "dog", "cat", plus the name of wife/husband/boyfriend/girlfriend/son/daughter, and if they can enter the account, the account is unsafe. Try to enter an account through security questions and look up the correct answer on the internet. If that gives access to the account, it was weak.

Obviously in the presence of a lawyer who knows what can be done legally and what can't be done legally.

 

[JAT]

Beating yourself up over a mistake is not the same as millions of people victim blaming JLaw because her privacy was hacked. A true comparison would be the poster blaming himself for his mistake and also Jennifer Lawrence blaming herself for a mistake. And I use mistake for lack of a better term, being the victim of an illegal crime is not a mistake at all.

The difference here is that people are slut-shaming her for taking nude pictures, victim-blaming her for those pictures being hacked and released to the public, and calling her stupid for allegedly having an easy password/security question combo. Much different than a guy posting about how he was subject to identity fraud when we don't know how or why details.

If you can't parse through why this is a false equivalency, I have no faith in the public school system anymore.

First, $100 says none of these 11 women will ever read a single post in this thread at MR. So, none of this is direct attacks, no matter how many times that is stated or implied.

Second, most of the posters here are not grabbing pitchforks to the extent you imply. I mean, really. Get over yourself before telling others to. They are simply saying that people should have better security for their accounts. Yes, hackers are criminals. Doesn't mean we should just throw our hands up and quiver every time we step outside.

Third, if these people had easy passwords, that is stupid. That's the definition. Stating it in public is not a crime. Although, frankly, I'd probably "blame" their PR people more than the celeb women themselves. Why'd they allow such stupidity, isn't that what they get paid to do?

Fourth, you don't know what school I went to. (whew, that means you probably can't hack my account)

(I'm just going to stop numbering) there aren't even one million members of this forum. Your hyperbole is annoying.

I am doing my best to teach my kids not to make themselves victims. Sad that people think that is the best path.

Also, men LIKE women to be sluts. No foul on that word in my brain.

 

[tbrinkma]

You still have to have a username to do the security questions...How did they get those?

Do you *really* think it's all that hard to find out user names? Especially of celebrities?

 

[bpeeps]

For example if I do something stupid and only 3 people blame me and someone else makes the same mistake and 4 people blame him, this is not comparable at all?

Really?

Even your example is not "true comparison" because different people behave differently. Maybe my blaming myself is much stronger than JLaw blaming herself.

Let's not get off the point here please.

That's completely different and I don't think she's a slut for taking pictures of herself, but I think she's partly to blame to get them leaked if and only if she was careless about the account.

Edit: Nevermind, thought you were the person I was replying to. Your comprehension of victim blaming leaves much to be desired and until you educate yourself I have no interest in continuing a dialogue.

 

[simon48]

Couldn't agree more. It's a basic security measure and one that should be used everywhere. We run a cloud service and after 5 attempts you are locked out and you have to recover your password (ie get a new one). It also alerts us immediately and tracks that IP address to see if it tries with a different username or password combo. It's a simple way to catch a hack attempt. This is basic security 101.

I can not understand why Apple can't enable a simple lock out feature. Yes it can be a pain in the *** but you have to have security as the number 1 goal.

But it doesn't sound like this was a brute force attack, so that wouldn't matter. If the hackers are targeting security questions they're not really guessing.

 

[tbrinkma]

umm, so this statement is weird. They admit of no wrongdoing, but at the same time, they state that the stars were socially hacked by bruteforce etc their passwords. To know this they must have some proof of people access the stars accounts, how many tries, etc? What the tool did is bruteforce the password based on previous obtained information.

The question that didn't get answered in this statement is if said celebrities were affected by people trying 100+ of passwords on their accounts since the mechanism to block social hacking wasn't there. Of course they won't admit to this, because it would be a PR nightmare.

This wasn't an overnight job. The photos that were released were collected over the course of months or even years.

 

[JAT]

I haven't used a password under 12 characters in over a decade, except on the increasingly rare systems with a password length limit.

Amazing these still exist, isn't it? Really annoying when you are limited to 8.

 

[Doctor Q]

When Apple makes you use security questions which answers can be found on wikipedia for famous people, that is Apple's fault.

I agree that Apple and other vendors should offer make-up-your-own security questions, since that increases security a bit. But the problem will remain that many users use the default choices, ignore the advanced security options, and answer security questions honestly. And even if they make up their own security question, it'll probably be one that people who know them will be able to answer.

If people realize that they can give false answers, and find a way to keep track of them, then they don't need to make up their own questions.

Nobody ever said that these questions have to be answered truthfully. The problem is that most people seem to treat these security questions like quiz questions and don't consider for even a microsecond that they could actually give a made-up answer, as long as it's an answer they can easily remember.

For example, when asked for the name of your high school, you could answer "Hogwarts", and no amount of social engineering could ever allow anyone to guess that question (unless of course you are Daniel Radcliffe).

The trouble for most people is that they have to give honest answers in order to remember them, which defeats much of the security. Especially if their life story is public.

Until everyone uses 2-level security, a password manager, biometrics, or some other system that can't easily be hacked or bypassed, most online accounts are going to be vulnerable.

 

[milo]

I'm surprised nobody has mentioned Sarah Palin's email.

A college kid was able to get into her account by answering the security questions and resetting the password. All the answers were easily available given that she was a public figure. Locking the account after wrong password guesses wasn't an issue since he wasn't guessing at anything, he found the answers to the security questions and got right in.

That was one guy just typing the stuff in, no brute force needed. And he only tried it on one person and was successful, just imagine a number of people trying that with many targets.

Some news articles on this have also mentioned the fact that many people use the same username and password for all their accounts. If their account is hacked on another site that is less secure, the hacker just needs to try that username and password on a bunch of the most common accounts and they can get right in.

 

[iBug2]

Edit: Nevermind, thought you were the person I was replying to. Your comprehension of victim blaming leaves much to be desired and until you educate yourself I have no interest in continuing a dialogue.

Oh I did educate myself through the amazing wikipedia article already.

I can't believe how pompous people can be.

 

[tbrinkma]

Even if it is not legally the fault of the someone who get mugged on the street, the local police force crime prevention unit spends a lot of time educating the public on stupid things not to do, given current circumstances. There's a pretty strong hint there.

And, strangely enough, people get mugged (and hacked) even when they *do* follow all those suggestions.

There's a pretty strong hint there, too. It's that it's not the victim's fault.