Always like to think outside the box on cases like this. I'm not a lunatic conspiracy theorist, but it's healthy to have questions.... My question: Is it inconceivable a rival such as Samsung facilitated this attack to negatively affect Apple's reputation?

With new details emerging, probably not but would you put it past Samsung in the future? :eek:

This would be akin to South Korea launching a cyber attack on America. While I love conspiracies, I don't think Samsung is trying to invoke war :)

Samsung has done some pretty shady things, like paying people to create forum accounts and downplay its competitors, including Apple.

I wouldn't be surprised if they are here right now trying to peddle this iCloud "breach"
 
We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone

Umm, so this statement is weird. They admit of no wrongdoing, but at the same time, they state that the stars were socially hacked by bruteforce etc their passwords. To know this they must have some proof of people accessing the stars' accounts, how many tries, etc? What the tool did is bruteforce the password based on previously obtained information.

The question that didn't get answered in this statement is if said celebrities were affected by people trying 100+ of passwords on their :apple: accounts since the mechanism to block social hacking wasn't there. Of course they won't admit to this, because it would be a PR nightmare.
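Added example (not part of any post in this thread, and not Apple's implementation): a per-account attempt limiter of the kind the post above says was missing, replayed over a run of repeated guesses. The thresholds, account names and events are constructed assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account limiter: too many failures inside a sliding window lock the account."""

    def __init__(self, max_failures=5, window=300, base_lock=60, max_lock=3600):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.base_lock = base_lock    # first lockout length, doubled on each repeat
        self.max_lock = max_lock
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.lock_count = defaultdict(int)   # account -> lockouts so far

    def attempt(self, account, now, password_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt at time `now`."""
        if now < self.locked_until.get(account, 0):
            return "locked"           # rejected without even checking the password
        if password_ok:
            self.failures[account].clear()
            self.lock_count[account] = 0
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()          # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.lock_count[account] += 1
            lock = min(self.base_lock * 2 ** (self.lock_count[account] - 1), self.max_lock)
            self.locked_until[account] = now + lock
            recent.clear()
        return "fail"

def replay(events, throttle=None):
    """Run (time, account, password_ok) events through the throttle; tally outcomes per account."""
    throttle = throttle or LoginThrottle()
    tally = defaultdict(lambda: {"ok": 0, "fail": 0, "locked": 0})
    for now, account, password_ok in events:
        tally[account][throttle.attempt(account, now, password_ok)] += 1
    return {a: dict(t) for a, t in tally.items()}

# Constructed sample: 120 guesses, one per second, against one account; the 100th
# guess is the right password. A second account logs in normally.
EVENTS = [(t, "target@example.com", t == 99) for t in range(120)]
EVENTS += [(10, "other@example.com", False), (20, "other@example.com", True)]
EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(replay(EVENTS))
```

Only 10 of the 120 guesses are ever compared against the password; the correct guess arrives while the account is locked and is rejected. The same lock would also reject the real owner during that period, which is the trade-off of any lockout design.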
 
You still have to have a username to do the security questions...How did they get those?

You get the username through social engineering most of the time. Security questions are not that hard if the celebrity isn't smart enough with the answers. Things like pet's name or mother's name etc. are easy to find with celebrities.
 
A "Local Storage Only" or "Private" mode in Camera would be a good idea for Apple to implement.
 
Most famous? Among these celebrities I'd say Jennifer Lawrence is the only really famous one and maybe Kate Upton. There were four or five out of 11 which I didn't know who they were.
A list of 11 celebrities whose nude photos people would want to see online would not contain any of these people.

Celebrities, never heard of any of them. But then again I live in a cave.

As for this rubbish 'don't blame the victim' culture. In the Real World if you do stupid things and nasty things happen to you then get real and learn lessons.
It's never how it should be, it's always how it turns out.
 
No, it's mostly the fault of the individual(s) who broke into the accounts. Yes, Apple can and should do more to encourage stronger passwords (as should every 'cloud provider') but the blame lies with the thief.

No.

A good designer can design systems robust enough to stand bad actors.

Because Apple designed the (bad) system, they are at fault of bad design.

The reason we blame the designer instead of the user is because if you determine blame, you can fix it.

And it's easier to fix one thing (Apple's bad design) instead of fixing hundreds of bad users.
 
Umm, so this statement is weird. They admit of no wrongdoing, but at the same time, they state that the stars were socially hacked by bruteforce etc their passwords. To know this they must have some proof of people accessing the stars' accounts, how many tries, etc? What the tool did is bruteforce the password based on previously obtained information.

The question that didn't get answered in this statement is if said celebrities were affected by people trying 100+ of passwords on their :apple: accounts since the mechanism to block social hacking wasn't there. Of course they won't admit to this, because it would be a PR nightmare.

Not necessarily. Security questions don't need to be brute forced. You can guess them with a couple of attempts or simply learn them through googling.

It all bogs down to how hard to get they were.
 
Enforcement

There will always be people that choose weak passwords, so don't leave it completely up to the user to protect an account. Two-step verification should be required to be activated by default and passwords should require a certain length, upper and lower case characters, numbers and symbols. Especially after this, Apple should be enforcing these rules. While not technically their fault, it still hurts the brand image, regardless of how the attack happened.

Security questions are the worst; almost every company is using the same ones. An employee of any company employing such a system could arbitrarily try out a popular site/account of yours just by using the email address on file and the answer to the security question. Highly insecure, and as this attack confirms, was used here as well.
 
Samsung has done some pretty shady things, like paying people to create forum accounts and downplay its competitors, including Apple.

I wouldn't be surprised if they are here right now trying to peddle this iCloud "breach"

You're equating astroturfing with this crime?
 
So you're going to blame the victim?

This don't blame the victim thing is too disconnected from reality.

Let me put my home entertainment gear in the back of an open truck and park it in a bad part of Detroit while I go eat lunch in a restaurant.

Now tell me how I'm not, in some part, to blame when I get back and all of the electronics are gone. People would say to me, that was really dumb that you did that, and what were you thinking?

You make bad choices, you are in part to blame. The internet is a dangerous place and you need to harden your security against it. Failure to do so puts you and your information at risk. If this was a problem caused by using weak passwords, like your dogs' names or kids' birthday, then you are in part to blame for not doing your part.

Don't be dumb, if you are, you deserve the ridicule. What was John Wayne's quote? "Life is hard; it's harder if you're stupid."

I'm not giving these folks a free pass if it was bad password choices. They chose to be on the stage and in the spotlight. You darn sure better be making good choices when it comes to securing your information because the wolves are going to be out there looking to exploit you.
 
No.

A good designer can design systems robust enough to stand bad actors.

Because Apple designed the (bad) system, they are at fault of bad design.

The reason we blame the designer instead of the user is because if you determine blame, you can fix it.

And it's easier to fix one thing (Apple's bad design) instead of fixing hundreds of bad users.

Newsflash: All security systems can be hacked. So let's redesign all of them.
 
Umm, so this statement is weird. They admit of no wrongdoing, but at the same time, they state that the stars were socially hacked by bruteforce etc their passwords. To know this they must have some proof of people accessing the stars' accounts, how many tries, etc? What the tool did is bruteforce the password based on previously obtained information.

The question that didn't get answered in this statement is if said celebrities were affected by people trying 100+ of passwords on their :apple: accounts since the mechanism to block social hacking wasn't there. Of course they won't admit to this, because it would be a PR nightmare.

The photos are from a darknet celeb photo ring...not iCloud. No evidence that these photos were obtained via brute force only.
 
Now, if you leave your house for work in the morning and you don't lock your door or set your security system, part of the blame is going to be on you.

Says who? Good luck with that with the police! You have no idea of what you are talking about.

If I leave the doors open it's my choice, no one has anything to do with it. I would break the legs of the thieves, if I could.
 
Security questions need to go away. The information is always too easy to obtain. I would make up fake answers, but then I'd have to remember them. Like another password.
Nobody's guessing my security answers. I use a password generator to make up answer strings. Then I use a password manager to keep track of them.

For example, my favorite book might be jF!m$ztaGC8^29DmxH=Uo. It's certainly fun when a customer service agent tries to use one of my security questions to verify my identity over the phone!
 
The key phrase here for me is "and security questions". Most of those questions are biographical, and most celebrity biographies are well known.

I've always thought it was silly to say that the name of my high school was a security question-- there is nothing secure about that information.

This is so spot on. I wish others realized this.
 
I'm not surprised. Most of us, who aren't celebrities, care more about security than celebrities do. I bet they had easy passwords, and most of their security questions answers could be found on Google.

What a ridiculous, specious comment. If anything high profile people have more of a professional and financial need to care about security, and where it matters most their agents do go all out to make sure accounts are as secure as possible. Nude selfies never hurt an actress's career though that I can recall.

The "truth" here is that most people have a difficult time keeping track of multiple complex passwords for sites so they resort to the least annoying denominator. If I were to guess I'd say 95% of people use passwords that are not random and just have 2 or 3 "go to" versions.

Celebrities are ordinary people too, not computer nerds or paranoids so they make the same mistakes as everyone else. The difference is no one cares much about selfies of no one they've heard about unless it's extraordinary. Jennifer Lawrence is money though and only has to be ordinary to create buzz.

I don't know if these pics were intentionally stored on iCloud or the auto iCloud backup wasn't turned off. That's the real problem here; people's devices storing docs and photos in the cloud they didn't realize were being stored there. I'm not really sure why someone would intentionally save the very personal pics in the cloud unless they wanted them to go viral.
 
Perhaps they shouldn't post nude photos to any cloud service in the first place. Seems like a no-brainer to me.
 
No it doesn't. Why relish in something bad happening to someone just because they're a celebrity?

What SMIDG3T says has nothing to do with whether or not the Victim is a Celebrity; it has everything to do with using a weak-ass password. At the very least, People should read XKCD comic #936 before choosing a password.
 
I blame the celebrities who have compromising documents stored on the internet behind weak passwords. I especially blame those who have not yet been hacked, but aren't currently strengthening their passwords and removing the compromising files.

You may think they should just leave everything as it is, and hope that they get hacked because that will absolve them of all responsibility.

This isn't mid-80's "Wargames" where passwords are "pencil" and stored in a desk drawer. While people should know that passwords are important, we all know, or actually are, someone who creates passwords based on the ability to remember. When Apple does not make that password system to be something that could not be easily guessed, they are allowing their system to be infiltrated much easier. Apple most definitely has a vested interest in this not occurring.
 
I have to agree with this guy. Though I must also state that there is also responsibility on the hacker. Celebrities have a higher burden of security on themselves; hence they should take extra steps to safeguard their private life, not a company.

Both the victim and hacker share blame. Everyone is always advised and cautioned by sites to use strong passwords. Many give you a gauge to test how weak or strong your password is.

Rule of thumb is to use the following:

- At least one lower case letter
- At least one upper case letter
- At least one number
- At least one special character (if permitted)
- At least 8 characters in length

Also like a fellow poster just stated, don't answer security questions with the actual answer. If they ask for your high school, the answer shouldn't be something Google can give you an answer, it should be something unrelated like a phrase or a word (in this case the word "Chocolate" works as an answer).

I agree with you, and appreciate the advice about the security questions. I've used complex, very strong passwords for years (and sometimes go with the randomly generated passwords Safari suggests), but my answers to security questions, while usually obscure, were still the actual answers.

I'm pretty confident my passwords are secure and my security questions wouldn't be easily guessed, but I'm going to revisit them on the few sites that ask them and get more creative.
 
Samsung has done some pretty shady things, like paying people to create forum accounts and downplay its competitors, including Apple.

I wouldn't be surprised if they are here right now trying to peddle this iCloud "breach"

I think you are well aware of the difference between paying forum trolls/defenders (allegedly) and launching multi-nation cyberwar, right?
 