Don't you just HATE women? I mean, they're just so STU-- oh crap, sorry, we're not supposed to have our misogyny meetings in public.

:rolleyes:

I think you completely missed the point of my post.

One poster thinks that if 11 celebrities' accounts were compromised then it couldn't be just weak passwords. I'm explaining that 11 accounts out of the entire pool of female celebrities isn't a high enough success rate to rule out anything.
 
Not all photos, but some were stolen from the iCloud accounts, reading Apple's statement. I think the hackers posted that they used a script? That they then posted on GitHub? Sure you can call it bogus, but hackers tend to love to gloat about their attacks and how they did it. It makes them feel special I guess?

The guy who wrote the iBrute script and posted it on GitHub was not one of the hackers though.

You are right that (at least) some of the photos were stolen from iCloud, but it appears it was due to weak security questions/answers & passwords, not iBrute.
 
I think you completely missed the point of my post.

One poster thinks that if 11 celebrities' accounts were compromised then it couldn't be just weak passwords. I'm explaining that 11 accounts out of the entire pool of female celebrities isn't a high enough success rate to rule out anything.

And I bet that there are thousands of more photos like these waiting to be sold some day, like these ones.

11 is too small a number. These rings collect a lot of celeb photos through all kinds of methods.
 
Just because they ask about your high school doesn't mean you have to use your real high school.

I never use my real birthplace for my "birth place" question. I use a location that only I know.

Also just because of my paranoia I don't use my real birth date when filling out most online stuff. I use a combination of day, year, and month from other people close to me.

Granted I don't make up a new birth date, and location every time I sign up for something, but I use the same fake ones - depending on the level of security I need.

BTW I do feel like these celebs are victims. They don't deserve this. Unfortunately, it is the world we live in and we need to try to change it.


The key phrase here for me is "and security questions". Most of those questions are biographical, and most celebrity biographies are well known.

I've always thought it was silly to say that the name of my high school was a security question-- there is nothing secure about that information.
 
No, they said

"If you don't lock your doors, you're to blame just as much as the thief who walks in the unlocked door."

Yes you are to blame, that doesn't mean you get jail time or the thief would get less jailtime. Don't confuse blame with punishment.
 
I am bashing Apple for its poor security, something you seem to choose to ignore? I don't know why you are.

Do you see why I asked you if English is your first language? Not only did I not ignore their poor security, I have stated MULTIPLE times that if they had a security breach they are 100% to blame. Again, are you ignoring what I'm saying or being purposely obtuse?? It's incredibly frustrating to go back and forth with you when you don't a) read articles and comment on them and b) ignore things people say completely and make things up that they didn't say.


But I refuse to simply post comments in a love and hug style, about every single thing Apple does that is reported on in a news story here, anyone who does isn't very smart.

I refuse to also. Not sure why you're telling me this.

You implied the tweet made by Kirsten Dunst was no proof that her iCloud account was accessed and the photos taken from there, somehow implying you knew better than Kirsten herself.

Wrong. I stated that her simply stating that is not proof that it was an iCloud hack. How many times must I say the same thing? Trust me when/if this hacker goes on trial, the prosecution is not going to present Kirsten Dunst's tweet as proof that he hacked iCloud. If you chose to extrapolate (incorrectly) what I meant, that's your issue. Her tweet is not proof that iCloud was hacked. Nothing more, nothing less.

That is how your post came across, also as Apple has stated in this press release, several celebrity accounts were accessed.

For instance:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities.

Therefore Apple are implying they are performing an investigation into photographs being stolen, and we don't need to guess whose photos or what their content is.

Who denied this? Not me.

They then state:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions

Thereby confirming they have had celebrity accounts illegally accessed, and considering the first sentence they made, we are to presume the attackers stole the celebrity's photographs from their iCloud accounts, because Apple did not deny it.

Who denied this? Not me.

And it is a very big and convenient coincidence that they patch the very security hole the hackers claim they used, the same time this story breaks.

So you're saying Apple lied? Do you know how completely idiotic it would be for a major corporation to lie about something like this? I can't argue with someone who believes they would lie because it's completely pointless to even discuss anything reasonable with you if you believe that.

And I have never once in any of my comments on this matter stated ALL the photos were obtained from Apple, that goes for anyone else proclaiming I did.

Neither did I. Not sure why you're telling me this.
 
Well this really sucks. I try to log in to my Apple ID and Apple won't let me do it without changing my password. "Your password is too easy to guess". I suppose this is fallout from the celeb hacking scandal.

My password is 8 random letters that do not form a dictionary word or words strung together. So, essentially impossible to guess.

Essentially impossible to guess for a human, but not for a computer.

8 random lowercase letters = 31.6 bits of entropy

Decently secure, but not great. A supercomputer at 1000 guesses per second could crack that in ~37 days.

Add 4 more lowercase letters and you're up to 47.8 bits of entropy. A supercomputer at 1000 guesses per second would need over 2.8 million days to crack that one.

And, thus the continued charges of victim blaming.

As opposed to the continuous stream of people who are claiming that nobody should have any personal responsibility whatsoever anymore?
 
This wasn't an overnight job. The photos that were released were collected over the course of months or even years.

Yes and did you know just because something gets patched after an announcement or a leak it doesn't mean that it was the only day it was vulnerable… ever since iCloud was up this could have been happening. ;)
 
The guy who wrote the iBrute script and posted it on GitHub was not one of the hackers though.

You are right that (at least) some of the photos were stolen from iCloud, but it appears it was due to weak security questions/answers & passwords, not iBrute.

I was going by this:

and it's also possible that a Python script shared on Github a few days ago may have allowed hackers to exploit a vulnerability in Find My iPhone.

From this story:

https://www.macrumors.com/2014/09/01/apple-investigating-celebrity-hacking/

So it was one possible avenue used. Where did you see the information on the guy who posted on github not being one of the hackers?
 
"If you don't lock your doors, you're to blame just as much as the thief who walks in the unlocked door."

If you don't lock your doors, your next year's insurance rates could end up being very very different than if you had had locked deadbolts on all the doors plus an activated security system, but still got burglarized.
 
if it was a breach (brute force), would apple actually admit it?

wouldn't a third party have to prove it was a breach for apple to admit it?

the same would hold true for any company, not just apple

why would any company take the heat if they didn't have to?

I believe Apple...too much to lose if they got caught lying. Apple's reputation means everything to it. I'm sure Apple investigators have interviewed the victims and they know exactly what happened.
 
That's why 1 Password is simply the best out there.

we humans are often the weakest link..
who wants to type a: VtkbWIKYwrÅrLNö2C8VZ-LCb'o password on their iPhone??

Better check this out & pronto!

1 Password handles all this typing for you. All you have to do is remember the master password. Oh, if you make that "celebrity easy" yer screwed! :eek:
 
Still doesn’t absolve Apple from providing more protection. If your customers don’t want to use better passwords, then impose some rules or adopt other means of security. Two-step verification is more and more implemented and Apple is slow on this one. Apple kicks back the ball to its customers while claiming ‘Our customers' privacy and security are of utmost importance to us’.
 
Still doesn’t absolve Apple from providing more protection. If your customers don’t want to use better passwords, then impose some rules or adopt other means of security. Two-step verification is more and more implemented and Apple is slow on this one. Apple kicks back the ball to its customers while claiming ‘Our customers' privacy and security are of utmost importance to us’.

Show me one cloud service that forces 2 step verification.
 
The guy who wrote the iBrute script and posted it on GitHub was not one of the hackers though.

You are right that (at least) some of the photos were stolen from iCloud, but it appears it was due to weak security questions/answers & passwords, not iBrute.

Social engineering of some sort was used to obtain the IDs but a flaw in find my iPhone allowed for the brute force attempts to occur. Apple should have locked the IDs after multiple failed tries but it did not.
 
I was going by this:

and it's also possible that a Python script shared on Github a few days ago may have allowed hackers to exploit a vulnerability in Find My iPhone.

From this story:

https://www.macrumors.com/2014/09/01/apple-investigating-celebrity-hacking/

So it was one possible avenue used.

That article is from yesterday before we had more details though. Apple stated today that after investigating they've determined that Find My iPhone wasn't used in this breach.

Where did you see the information on the guy who posted on github not being one of the hackers?

It was on reddit last night. I don't have a link but you probably could find it by searching.

Social engineering of some sort was used to obtain the IDs but a flaw in find my iPhone allowed for the brute force attempts to occur. Apple should have locked the IDs after multiple failed tries but it did not.

Not according to Apple. The Find My iPhone apparently wasn't involved.

The timeframe doesn't work either. iBrute was uploaded 3 (4?) days ago to GitHub? Unless these celebs all had passwords like 1234, even through brute force they wouldn't have all been cracked in that timeframe.
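
An added example, not part of any post in this thread: it relates the two technical points raised above, the entropy of 8 versus 12 random lowercase letters at 1000 guesses per second, and the effect of locking an ID after repeated failed tries. It computes entropy and exhaustion time directly from the keyspace size; the lockout parameters (5 failures, 15-minute lock doubling up to 24 hours) are assumptions chosen for illustration, not Apple's policy.

```python
import math

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days to try every candidate at a fixed guess rate."""
    return alphabet_size ** length / guesses_per_second / 86_400

class LockoutPolicy:
    """Per-account lockout (assumed values): after max_failures failures in
    a row the account locks; each further lock doubles, up to max_lock_s."""

    def __init__(self, max_failures=5, base_lock_s=900, max_lock_s=86_400):
        self.max_failures = max_failures
        self.base_lock_s = base_lock_s
        self.max_lock_s = max_lock_s
        self.failures = 0
        self.locks = 0
        self.locked_until = 0.0

    def attempt(self, now: float, password_ok: bool) -> str:
        if now < self.locked_until:
            return "locked"              # the guess is not even evaluated
        if password_ok:
            self.failures = self.locks = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            lock = min(self.base_lock_s * 2 ** self.locks, self.max_lock_s)
            self.locked_until = now + lock
            self.locks += 1
            self.failures = 0
        return "failed"

def guesses_evaluated(policy: LockoutPolicy, horizon_s: float, rate_per_s: float) -> int:
    """Count wrong guesses the service actually checks within horizon_s
    when a client retries as fast as rate_per_s allows."""
    now, checked = 0.0, 0
    while now < horizon_s:
        if policy.attempt(now, password_ok=False) == "failed":
            checked += 1
            now += 1 / rate_per_s
        else:
            now = policy.locked_until    # skip ahead to the end of the lock
    return checked
```

With lockout in place the number of guesses checked in a month is set by the policy rather than by the client's guess rate, which is why the service-side limit matters more than password length alone for online guessing.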
 