Did anyone here actually read what Apple said?

"None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone."

The brute force flaw was in Find my iPhone, and Apple is saying that they didn't use that. So they did not get the passwords using brute force. That is why Apple specifically mentions it.

They found the passwords using a method that could be used on ANY internet account. The only way to protect against it is 2 factor authentication.
 
The key phrase here for me is "and security questions". Most of those questions are biographical, and most celebrity biographies are well known.

I've always thought it was silly to say that the name of my high school was a security question-- there is nothing secure about that information.

When choosing a password use complex strings of mixed case letters, numerals and symbols. Never use personal details that can easily be guessed such as family birthdays or the name of your dog.

If you forget your password you can change it by answering a security question.

What is the name of your dog?
 
I didn't pay much attention to the other thread, not much point until the facts come out. My only question, how many attempts were allowed to be made to hack each account? I find it hard to believe that the passwords and security questions were answered correctly in a couple of attempts. And if you reset a password, you have to provide an email address that was used with the account.

Of course you didn't pay attention to that one, everyone was bashing Apple there!

And yes you bring up valid points, the complete facts will come out soon enough I'm sure. My response was a tongue in cheek response to all those people who swore up and down that it was brute force when that doesn't appear to be the case.
 
Just a curiosity, but which outlets were Apple bashing? Not that I read everything out there, but what I read was basically a rehash of the same info. None of it was bashing. All of it pointed to Apple and iCloud as a possible vector for the based on what the hackers supposedly said. I didn't see any bashing.

Half-ass reporting maybe, but bashing?
Umm yeah..
 
if it was a breach (brute force), would apple actually admit it?

wouldn't a third party have to prove it was a breach for apple to admit it?

the same would hold true for any company, not just apple

why would any company take the heat if they didn't have to?

No they wouldn't. Corporations have no morals. Their obligation to the shareholders, which includes the executives and their stock options, comes first. We have seen this too many times throughout history.
 
I blame the careless celebrity for having a weak password.

If you're a celebrity and you have a weak password, and yet your photos weren't accessed, then I still blame you for having a weak password. It's a dumb thing for a celebrity (or anyone) to do, and if you've managed to get away with it so far, or if you've been hacked, I encourage you to make your password stronger.

Also, consider NOT storing compromising pictures or documents online.

I don't blame the victims for the actions of the criminals who hacked into their account. If you try to twist my words into saying I'm blaming the victim for what someone else did to them, then you are a word-twister.

It's a terrible thing, to be a word twister. Not as bad as being a hacker who steals private, confidential, personal photos and posts them for the public to see, but still pretty low.

I blame Apple for allowing a careless person to have a weak password.

A good engineer designs around user incompetence, because they own the system and are responsible for the end results of the system's use.

Apple really needs to remove passwords from their authentication system.

Passwords for authentication are terrible design.
 
You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

I have to agree with this guy. Though I must also state that there is also responsibility on the hacker. Celebrities have a higher burden of security on themselves; hence they should take extra steps to safeguard their private life, not a company.

Both the victim and hacker share blame. Everyone is always advised and cautioned by sites to use strong passwords. Many give you a gauge to test how weak or strong your password is.

Rule of thumb is to use the following:

- At least one lower case letter
- At least one upper case letter
- At least one number
- At least one special character (if permitted)
- At least 8 characters in length

Also, like a fellow poster just stated, don't answer security questions with the actual answer. If they ask for your high school, the answer shouldn't be something Google can give you an answer to, it should be something unrelated like a phrase or a word (in this case the word "Chocolate" works as an answer).

No. The victim is not to blame. I still can't believe the responses in this thread and the other one. A crime was committed against several individuals. Think about that.
 
1password ftw. All my account passwords are at least 12 chars in length and unique. Enabled 2-step verification on Apple ID and email accounts.

My body is ready for 1password's Touch ID extensibility in iOS8.
 
Rule of thumb is to use the following:

- At least one lower case letter
- At least one upper case letter
- At least one number
- At least one special character (if permitted)
- At least 8 characters in length

This is used a lot but it is actually not based on real research. If you want to have a nice insight into password safety based on actual research have a look at this:

https://www.youtube.com/watch?v=0SkdP36wiAU

You might totally change the way you choose your passwords after!
 
if it was a breach (brute force), would apple actually admit it?

wouldn't a third party have to prove it was a breach for apple to admit it?

the same would hold true for any company, not just apple

why would any company take the heat if they didn't have to?

Exactly......why does the software allow for weak passwords to begin with?
Then blame the victim......
 
Of course you didn't pay attention to that one, everyone was bashing Apple there!

And yes you bring up valid points, the complete facts will come out soon enough I'm sure. My response was a tongue in cheek response to all those people who swore up and down that it was brute force when that doesn't appear to be the case.

At the time the other thread was posted, it wasn't even known if iCloud accounts were hacked or not. I was under the impression that some of the pics were taken with phones other than iPhones. When I looked at Kate Upton's pics, I somehow didn't notice what kind of phone she was using. :D:D
 
Really amazing how sheepish some of you are on here. You think by Apple making a statement saying it wasn't them means it wasn't them! How stupid are you?

Do you really believe all 11 or more people had weak passwords? Come on now, grow up and realize Apple isn't all that and a bag of chips.
 
What I do not see in Apple's statement is anything about whether their system was or was not rate-limiting login attempts. While these celebrities may have had crappy passwords, not rate-limiting login attempts in 2014 is absolutely inexcusable and is very much an Apple problem. That is the most basic cloud security. Rate-limiting login attempts would have stopped this attack cold, no? Apple has apparently patched this problem, but far too late, the damage was already done.
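
The per-account login throttling this post refers to, as an added example (not part of the thread and not Apple's implementation). The class name, thresholds, account name and wordlist are assumptions constructed for illustration; it replays one guess per second for ten minutes with and without the throttle.

```python
from dataclasses import dataclass

@dataclass
class _State:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # attempts before this time are refused

class LoginThrottle:
    """Per-account throttle: a few free failures, then doubling lockouts."""

    def __init__(self, free_attempts=5, base_lockout=30.0, max_lockout=3600.0):
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._accounts = {}

    def attempt(self, account, password_ok, now):
        st = self._accounts.setdefault(account, _State())
        if now < st.locked_until:
            return "locked"  # refused before the password is even checked
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        over = st.failures - self.free_attempts
        if over >= 0:  # lock for 30 s, 60 s, 120 s, ... capped at max_lockout
            lock = min(self.base_lockout * 2 ** over, self.max_lockout)
            st.locked_until = now + lock
        return "denied"

def replay_guessing(throttle, wordlist, real_password, seconds):
    """Replay one guess per second; return (guesses_checked, password_found)."""
    checked, i = 0, 0
    for now in range(seconds):
        if i >= len(wordlist):
            break
        result = throttle.attempt("user@example.com", wordlist[i] == real_password, now)
        if result == "locked":
            continue  # guess never reached the password check
        checked += 1
        if result == "ok":
            return checked, True
        i += 1
    return checked, False

# Constructed sample: 1000 candidate strings, the real password is the 201st.
WORDLIST = [f"guess{n}" for n in range(1000)]
UNTHROTTLED = replay_guessing(LoginThrottle(free_attempts=10**9), WORDLIST, "guess200", 600)
THROTTLED = replay_guessing(LoginThrottle(), WORDLIST, "guess200", 600)
```

Per-account lockout on its own lets anyone lock the real owner out and does nothing against a single guess tried across many accounts, so it is normally paired with per-source limits and a second factor.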
 
Last Week Tonight with John Oliver had a great list of simple passwords people would never put together, one of them was: AlanAldaasBatman
Much better than your pet's name.
 
Really amazing how sheepish some of you are on here. You think by Apple making a statement saying it wasn't them means it wasn't them! How stupid are you?

Do you really believe all 11 or more people had weak passwords? Come on now, grow up and realize Apple isn't all that and a bag of chips.

Videos were stolen too. Where did they come from? Certainly not iCloud.
 