Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[TWSS37]

If you are vain enough to take nude photos,
Then you probably have an dumb password.

If you don't want nude photos in the world then never take them in the first place. No one on the list should be allowed to protest about pictures they took, no matter who they were intended for. If you don't mind your naked self then good on you and post em up where ever you want.

smh... what an interesting way to live life.

 

[John.B]

Except that's not what happened. Did you read this thread that you're commenting on?

I did read the thread that said this was probably a social engineering problem.

And iCloud did allow an unlimited number of consecutive failed login attempts, until very early this morning.

The first problem did not excuse the second one.

 

[Blake10]

samsung

Always like to think outside the box on cases like this. I'm not a lunatic conspiracy theorist, but it healthy to have questions.... My question: Is it inconceivable a rival such as Samsung facilitated this attack to negatively affect Apple's reputation?

With new details emerging, probably not but would you put it past Samsung in the future?

 

[Trapezoid]

I did read the thread that said this was probably a social engineering problem.

And iCloud did allow an unlimited number of consecutive failed login attempts, until very early this morning.

The first problem did not excuse the second one.

I never excused the second one either. The point is the second one had nothing to do with the hack.

 

[AppleScruff1]

What I do not see in Apple's statement is anything about whether their system was or was not rate-limiting login attempts. While these celebrities may have had crappy passwords, not rate-limiting login attempts in 2014 is absolutely inexcusable and is very much an Apple problem. That is the most basic cloud security. Rate-limiting login attempts would have stopped this attack cold, no?

That's what I think too. Were the login attempts limited? If not, why not?

 

[mw360]

Really amazing how sheepish some of you are on here. You think by apple making a statement saying it wasn't them means it wasn't them! How stupid are you?

Do you really believe all 11 or more people had weak passwords? Come on now, grow up and realize apple isn't all that and a bag of chips.

11 female celebrities out of... all of them. Those are pretty good odds for finding weak passwords.

 

[mozumder]

I never excused the second one either. The point is the second one had nothing to do with the hack.

Incorrect.

 

[Trapezoid]

Incorrect.

Based on what?

 

[tymaster50]

But we all won in a way, due to this mess

By we, i mean us horny guys that wanted to see some celebrity breasts.

 

[Nik]

Even a weak password needs a lot of attempts to crack. So how did they do it if they can enter a password only 5 times? I think this press release is BS.

 

[yaxomoxay]

Both the victim and hacker share blame.

Share blame my ass.
Victim overlooked some extra security steps.
Hacker willfully planned an attack, going against local, state, federal and international laws (if outside of US) in order to obtain private information.

There's a lot of difference there.

 

[mozumder]

Based on what?

They were guessing passwords.

A rate-limit would have stopped a lot of that.

 

[Menel]

Videos were stolen too. Where did they come from? Certainly not iCloud.

ICloud backup stores video.

 

[yaxomoxay]

Even a weak password needs a lot of attempts to crack. So how did they do it if they can enter a password only 5 times? I think this press release is BS.

Read security question: "What is your favorite pet?"

Check Wikipedia: "Paris Hilton's dog is called Justin Bieber".

Account Hacked.

 

[chukronos]

Even a weak password needs a lot of attempts to crack. So how did they do it if they can enter a password only 5 times? I think this press release is BS.

Agree. All of these celebrities have easy passwords? uh-huh. give me a break.

 

[JoEw]

what about the recently fixed ibrute exploit on github?

I'm not trying to hang apple here, I just have a hard time believing all of these concurrent leaks were from social engineering alone

You are correct we should skeptical, but Apple is laying an awful lot of credibility at risk if this release is a blatant lie but they could very well be leaving valuable information out.

I would criticize Apple for 1, not requiring people with simple passwords to update them to more complex ones. 2. Not requiring 2 step authentication for every log in from unrecognized device/web and 3. not requiring payment verification for access such as a CSV or requiring iCloud accounts with a 5s connected to use TouchID for authentication from other devices..

I feel like iCloud security has not kept up with how valuable the information in it has become and becoming, someones life really can get ruined in a real way if this account is compromised.

 

[John.B]

Read post, then saw poster - I am in shock!

Cheers - I too agree there are multiple factors at play here.

Hey, I'm an Apple user too! Security issues have the potential to affect all of us.

 

[iBug2]

Do you really believe all 11 or more people had weak passwords?

Out of thousands of celebrities which may have been targeted, statistically 11 of them having weak passwords is highly likely actually.

 

[SMIDG3T]

No. The victim is not to blame. I still can't believe the responses in this thread and the other one. A crime was committed against several individuals. Think about that.

Yep, I've thought about it. Still stupid to have such a simple password. If they were stupid to take naked pictures of themselves, then they were stupid enough to have a weak password.

 

[apolloa]

Nope still blame Apple partly, because it magically patched a security hole and THEN announced it was nothing to do with a security hole...

Anyway, it is their fault entirely for not blocking accounts after the wrong password was used so many times. That is inexcusable IMO.

 

[Tanegashima]

So you're going to blame the victim?

The victim was Apple's name.

Got blamed in the press because some people were reckless.


It's like blaming Ferrari because they make fast cars.

 

[SMIDG3T]

No it doesn't. Why relish in something bad happening to someone just because they're a celebrity.

Yes, it does. We all have our own opinions. If they used such a weak password, what do you expect. It's just pathetic, it really is.

 

[Nik]

What a "breach" is depends on Apple's definition as it seems. The "Find my iPhone" bug certainly does not count as a breach according to Apple PR.

With only 5 attempts you would not be able to crack so many passwords! Apple takes us for fools.

 

[gotluck]

Apple has no duty to prevent people from using weak passwords?

Thats interesting, because my far less important company has that duty

 

[mozumder]

Yes, it does. We all have our own opinions. If they used such a weak password, what do you expect. It's just pathetic, it really is.

It's Apple's system. They designed it. They own it.

Blame Apple for having such a bad authentication system that allows weak passwords.

It really is 100% Apple's fault.