Now all the fun is spoiled. So many media outlets get attention by Apple-bashing without waiting for the facts.

I wonder how many of them will post retractions as prominent as their accusations?

Just a curiosity, but which outlets were Apple bashing? Not that I read everything out there, but what I read was basically a rehash of the same info. None of it was bashing. All of it pointed to Apple and iCloud as a possible vector for the based on what the hackers supposedly said. I didn't see any bashing.

Half-ass reporting maybe, but bashing?
 
What about the recently fixed iBrute exploit on GitHub?

I'm not trying to hang Apple here, I just have a hard time believing all of these concurrent leaks were from social engineering alone.

I think the leading theory is that these photos were acquired over a long period of time by multiple hackers and were shared among a group of people before they leaked -- so it's unlikely they were all the result of one attack. Apple specifically mentions that Find My iPhone wasn't involved.

http://gawker.com/everything-we-know-about-the-alleged-celeb-nude-tradin-1629340923
 
Why don't they give a decent explanation about what happened? I mean ".. were compromised by a very targeted attack on user names, passwords and security questions .." isn't really that much of an explanation.

Did they just happen to guess the password? Or are security questions pure ******** (which they of course are)? Did they bruteforce it somehow? Howhowhowhow?

I'm still betting my money on a bruteforce due to the "leak" in Find My iPhone that was fixed.
 
I had read it was a brute force method, but that it was also exploiting the fact that repeated login attempts don't result in an account lockout. Further, there was some mention that Apple did in fact patch this behaviour, which ended further accounts being compromised.

Of course it's in Apple's best interests to paint this as only a weak password issue, when in truth it was likely a combination of factors, including weak passwords, targets with lots of publicly accessible info that might be used in account security questions, and a system that was perhaps too lenient on repeated login attempts.

No, you read some people theorising that it was a brute force attack via a vulnerable API, but that theory doesn't match some of the claims.
 
People can't be bothered to remember 12-letter passwords and as a result this happens.

But I would also advise people not to back up nude photos to an iCloud or any cloud account for that matter.
 
Sadly, the same thing happened to my daughter (no pics, just account hacked) by two idiot teenagers being *******s. They were able to guess the answers to her security questions and changed her password. Then they used that to hack all her social media accounts.

With respect, your daughter didn't really get 'hacked' if the teenagers simply logged into their Facebook account.
 
If you are vain enough to take nude photos,
Then you probably have a dumb password.

If you don't want nude photos in the world then never take them in the first place. No one on the list should be allowed to protest about pictures they took, no matter who they were intended for. If you don't mind your naked self then good on you and post 'em up wherever you want.

Nude selfies aren't a vanity item.

They're largely meant as intimate private messages to their boyfriends.

It's the sex appeal of the digital era. People are still going to work their sex appeal.
 
Sadly, the same thing happened to my daughter (no pics, just account hacked) by two idiot teenagers being *******s. They were able to guess the answers to her security questions and changed her password. Then they used that to hack all her social media accounts.

In our days we lost a front door key or wallet. It's hard for parents these days :D
 
You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

I have to agree with this guy. Though I must also state that there is also responsibility on the hacker. Celebrities have a higher burden of security on themselves; hence they should take extra steps to safeguard their private life, not a company.

Both the victim and hacker share blame. Everyone is always advised and cautioned by sites to use strong passwords. Many give you a gauge to test how weak or strong your password is.

Rule of thumb is to use the following:

- At least one lower case letter
- At least one upper case letter
- At least one number
- At least one special character (if permitted)
- At least 8 characters in length

Also, like a fellow poster just stated, don't answer security questions with the actual answer. If they ask for your high school, the answer shouldn't be something Google can give you an answer to, it should be something unrelated like a phrase or a word (in this case the word "Chocolate" works as an answer).
 
If you are vain enough to take nude photos,
Then you probably have a dumb password.

If you don't want nude photos in the world then never take them in the first place. No one on the list should be allowed to protest about pictures they took, no matter who they were intended for. If you don't mind your naked self then good on you and post 'em up wherever you want.

This mentality is mind-boggling

I would hate to see your point of view on other subjects.
 
This statement makes me feel mildly better about iCloud. A strong password goes a long way. I know it is easy to have the same password over and over and I'm guilty of it. I also took the time to change many passwords and account ids.
 
Funny how quiet this thread is as compared to the speculative one. Applescruff, you may have finally found your flip floppers, except they're not on the side you wanted them to be

I didn't pay much attention to the other thread, not much point until the facts come out. My only question, how many attempts were allowed to be made to hack each account? I find it hard to believe that the passwords and security questions were answered correctly in a couple of attempts. And if you reset a password, you have to provide an email address that was used with the account.
 
Sure, using some stupid top 500 password definitely is one of the reasons, but I don't think Apple is innocent. There was a security breach and it was fixed shortly after this incident. I find it hard to believe that it has nothing to do with this. They messed this one up and I see no reason to defend them here.
 
You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

nothing makes them special, but come on!!! We are getting nervous just thinking about the NSA and now we blame victims for suffering the same consequences we are trying to avoid ?????

weak passwords or not, simple matter of fact is someone invaded someone else's privacy and used it for the entertainment of others, that has to be one of the lowest life forms in this universe.
 
No, you read some people theorising that it was a brute force attack via a vulnerable API, but that theory doesn't match some of the claims.

If you look at the original hacker messages on anon-ib.com it's largely password guessing and/or resetting via security questions (they guess the security question answers, too).
 
Also, like a fellow poster just stated, don't answer security questions with the actual answer. If they ask for your high school, the answer shouldn't be something Google can give you an answer to, it should be something unrelated like a phrase or a word (in this case the word "Chocolate" works as an answer).

What a great idea.
 
So you're going to blame the victim?
I blame the careless celebrity for having a weak password.

If you're a celebrity and you have a weak password, and yet your photos weren't accessed, then I still blame you for having a weak password. It's a dumb thing for a celebrity (or anyone) to do, and if you've managed to get away with it so far, or if you've been hacked, I encourage you to make your password stronger.

Also, consider NOT storing compromising pictures or documents online.

I don't blame the victims for the actions of the criminals who hacked into their account. If you try to twist my words into saying I'm blaming the victim for what someone else did to them, then you are a word-twister.

It's a terrible thing, to be a word twister. Not as bad as being a hacker who steals private, confidential, personal photos and post them for the public to see, but still pretty low.
 
The accounts should have been locked when the first few password attempts failed.

Most systems lock you out if you try too many failed passwords, so hackers don't spend too much time trying to test every possible password in brute-force attacks. It looks like this was a flaw in Apple's iCloud system. Unfortunately, this was only fixed a couple of days ago.

If you look at the logs of people doing the ORIGINAL attacks at anon-ib.com/stol/ you can see they were doing this sort of brute-force password attacks for months, possibly years.

Sorry Apple, but this is your flaw that caused this mess in the first place.

Really, the only long-term solution is to remove passwords from the authentication system entirely. Passwords are too easily guessable.

For some people, guessing passwords might be easy. Use a program like 1Password, where the password is 20+ mixed characters long, and it isn't so easy.
 
I'm still betting my money on a bruteforce due to the "leak" in Find My iPhone that was fixed.

What's more likely:

A) Apple's global iCloud system had a huge exploit, and hackers only targeted specific female celebrities with a brute-force attack, whilst leaving other high-value targets with potentially sensitive/saleable information unharmed

B) The people in question don't understand photostream, had poor passwords, and unwittingly had copies of the pictures distributed by their ex-boyfriends

But hey, you bet away on the bruteforce.
 