What else can they do? Not have backups?

Yep, I store my backups locally not only for security but for the ability to manually access files in my backup whenever I want. Also, last time I tried to restore from an iCloud backup, it failed 4 times before "just working".
 
I think this stuff is more human. However, if enough people end up having their nudes and sex pics all over the net.... people will stop caring about that. However, as far as securing banking data etc...that's different.
 
They did think of this before the damage was done. A year and a half ago Apple released 2-step verification. Had those celebrities enabled 2-step verification, this wouldn't be an issue.

Everyone should have 2-step verification enabled, but especially people who are in the public eye. Those people should be very security conscious. In addition, their PR reps and agents should have ensured security steps were taken. The blame is almost entirely on the celebrities; Apple offered them the tools necessary to protect their data.

Too bad it already fappened.

Apple, a company notorious for knowing what's best for their customers, should have had 2-step verification enabled by default.
 
Most importantly, he points out that most of their customers CHOOSE not to use 2-factor authentication. (Which is THE CUSTOMER'S FAULT, not Apple's.) And they are going to start harassing customers to smarten up and use it.

It is Apple's fault when they don't even support 2-factor authentication in every country that they sell the iPhone.

----------

2-step authentication? Just use a private key (a.k.a. password) that's strong. It's mathematically proven. Your own stupid fault if you make your password weak.

Guess what? Most of the hack attempts were done because they answered a few security questions. They didn't need to know the user's password.
 
Too bad it already fappened.

Apple, a company notorious for knowing what's best for their customers, should have had 2-step verification enabled by default.

Clearly you don't know how 2-step verification works. It can't be enabled by default as not all iCloud users have the ability to use it. Most do, but not all.
 
Most importantly, he points out that most of their customers CHOOSE not to use 2-factor authentication. (Which is THE CUSTOMER'S FAULT, not Apple's.) And they are going to start harassing customers to smarten up and use it.

There is nothing more Apple can do than that.

Well, this sucks because I don't even want it. I just want an option to disable the password reset. 2-step authentication is an ugly and complicated fix for a problem that shouldn't even exist. Anyone can reset the password only by answering security questions. There's not even a verification email! And people ask why I always use a fake birthday for online accounts…
 
Sounds like a typical case of users using weak passwords (which most users tend to do) and hackers using common words to guess them. Amazing that with all the attempted hacking and identity theft and such going around that people still refuse to use complex passwords and security features. Especially celebrities.

People have issues remembering passwords. The school I work in had to change all the user account passwords to 123456 because people kept forgetting the password. Those of us who knew better immediately changed the default password, but the majority of people kept that generic password.
 
They need to halt the restore until you authorize the action either with a trusted device or secure backup key... Notification after the fact is of questionable value...

They are.. You cannot restore w/o adding the device to the account first.. He stated they are forcing 2 factor auth to be able to add a new device starting with iOS 8.

You cannot restore / download a backup w/o the device being added to trusted list first.
 
Guess what? Most of the hack attempts were done because they answered a few security questions. They didn't need to know the user's password.

I just tried the password reset, and you're right, that is a seriously weak link. Usually, you're supposed to also get a verification email. You know what, I want the password to be non-resettable. Everything on iCloud is stored somewhere else anyway, so if I somehow forget my password, it's not the end of the world.
 
It is Apple's fault when they don't even support 2-factor authentication in every country that they sell the iPhone.

Because 2-step verification not being enabled in Macedonia is why celebrities in the United States had their data stolen.
 
Not if you enable 2-factor authentication. Then they will not be able to change your password, so they won't be able to get at your iCloud data.

Also, as the article said, Apple is also going to expand 2-factor authentication so, presumably, even if you know someone's password, you STILL won't be able to restore/slurp their iCloud backups without also having access to one of their trusted devices.

Most importantly, he points out that most of their customers CHOOSE not to use 2-factor authentication. (Which is THE CUSTOMER'S FAULT, not Apple's.) And they are going to start harassing customers to smarten up and use it.

There is nothing more Apple can do than that.

I could think of one more thing they could do....

Re-establish aliases on iCloud and allow/encourage customers to change their Apple ID to a new email address. That way you can have a private address known only to you and never made public, which makes the first step of finding your house so much harder.

Edit: Oops, just checked, they have already established aliases on iCloud.
Still, they don't let you change your ID with ease.
 
And there you see one of the very few fantastic things about the stock market.

Falling stock prices are the only thing that will get a company to actually do something good, and in the end that's great for everybody.
 
And there you see one of the very few fantastic things about the stock market.

Falling stock prices are the only thing that will get a company to actually do something good, and in the end that's great for everybody.

Yes, it is good. But is the funding it provides for companies trying to expand not a good enough benefit?
 
They need to halt the restore until you authorize the action either with a trusted device or secure backup key... Notification after the fact is of questionable value...

Very few people know what a secure backup key is, or how to keep it secure. And very often the reason for doing the restore is that the trusted device fell in the toilet and is DOA. So now what?

Not if you enable 2-factor authentication.

Same problem. The 2nd factor is your "water" damaged (dropped off a cliff, stolen, left in the taxi, etc.) iPhone.

So when the so-called hacker is already restoring all the data to a phone or a forensic program, all we get is an e-mail telling us "hey all your dumb selfies are being downloaded by an unknown person"?

Maybe there should be a configurable delay. Waiting a half-day for a restore is better than Apple sending all your dumb selfies to some foreign hacker immediately.
 
So now everyone must suffer a bit more for celebtards, assuming this breach wasn't sponsored.
 
They should have thought this ahead before the damage is already done.
This type of poor management of sensitive data reminds me of Microsoft, i.e., damage control policy: let the bad things happen, then look for ways to prevent them from happening again.

You are a Douche!!
Did you not hear or investigate the real problem, before you go slandering Apple! Weak passwords! Operator error!
 
By adding the backup-has-been-restored alerts, Apple is acknowledging that their systems needed hardening, which they certainly do.

FIXED:
When I step back from this terrible scenario that happened and say what more could Apple have done, I think about the integrity piece. I think Apple has a responsibility to ratchet that up. Blaming the user for your gross negligence is not really an ethical thing.
 
Because 2-step verification not being enabled in Macedonia is why celebrities in the United States had their data stolen.

Oh. So it is not an issue since "celebrities" aren't affected. That is good to know. I assume these new alerts are only sent to "celebrities" then.
 
"Argh malevolent computer hackers wouldn't exist if computer companies just tried harder" - the internet
 
I just tried the password reset, and you're right, that is a seriously weak link. Usually, you're supposed to also get a verification email. You know what, I want the password to be non-resettable. Everything on iCloud is stored somewhere else anyway, so if I somehow forget my password, it's not the end of the world.

Explain. Are you saying you were issued a temporary password after answering the security questions right then and there in the browser instance you were using to reset the password? Are you saying you didn't have to confirm the reset by clicking a link in a verification email they sent you?
 
Ppfft....

I.T. folks can whine and moan about "poor passwords" all they like, but I've worked in this industry long enough to know that it's never going to really change.

The entire concept of providing some "difficult to guess, yet easy to remember" password is horribly flawed at the core.

All of the work-arounds for this are boneheaded "band-aid" fixes that cause more problems than they solve -- like demanding users change a password every 30 days. That just ensures people forget what they used, or get tired of the struggle and start using weaker, easier to remember passwords. After all, their priority is getting logged in to use the service or get to their data!

A small step forward is using a password manager like LastPass and only having to remember one "master" password to the service, which keeps the rest of them for you and auto-fills them as needed. But let's be honest. That's a great example of all your eggs in that one basket. If your password manager service gets taken down with a denial of service attack, or they go out of business, or ?? -- where does that leave you? Can you actually remember any of those passwords you let the thing randomly generate for you years earlier?

Two factor authentication provides some real security, and it's a legitimate improvement on the status-quo, but it also adds a lot of inconvenience for people. IMO, it's well worth it for SOME things, but certainly not for all websites or online services.

I think it's really time we get away from the idea of keying in passwords at all, and use another form of identification for computer logins. Facial recognition using a webcam or camera attached to a system has some promise, at least for your everyday use cases (message forums you need to sign in to post on, your Facebook account, etc.).


Sounds like a typical case of users using weak passwords (which most users tend to do) and hackers using common words to guess them. Amazing that with all the attempted hacking and identity theft and such going around that people still refuse to use complex passwords and security features. Especially celebrities.
 
It is Apple's fault when they don't even support 2-factor authentication in every country that they sell the iPhone.

----------



Guess what? Most of the hack attempts were done because they answered a few security questions. They didn't need to know the user's password.

It's hard to understand why people use real answers to security questions. For years now, many well-known people have had their accounts hacked (from many services) simply because their security questions were so easily guessed.

I'm not a security expert, but I'm a network tech. Years ago I attended a basic security class and they stressed to never give correct answers to these personal "security" questions. Make up ridiculous answers and save them in something like 1Password. Perhaps not perfect, but it does allow for an extra layer of protection.

Although I'm sorry it happened, it's hard to feel sorry for these folks. They are extremely well-paid, and perhaps, along with their agents and PR people, they could afford to hire technology consultants?

I'm sure it's happened to "regular" people much more often, but because they're celebrities, they get special treatment.
 
Oh. So it is not an issue since "celebrities" aren't affected. That is good to know. I assume these new alerts are only sent to "celebrities" then.

Nope. You said it was Apple's fault that the celebrities had their data stolen because 2-step verification wasn't offered in all countries.
 