Apple has released a statement addressing the illegal accessing of celebrity iCloud accounts, saying it can’t find “any breach” of the security protecting iCloud accounts.
The following is from Apple’s statement:
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
According to Wired’s Andy Greenberg, this information is technically correct, but Apple shouldn’t be so quick to absolve itself. While iCloud security was not breached, a relaxed approach to password security in the iCloud service made it possible for hackers to use a brute-force attack to obtain account passwords.
Greenberg’s investigation has revealed that two hacking tools might have been used together to access celebrity accounts. iBrute is a tool that will generate thousands of different password combinations and enter them into the iCloud system again and again until a match is found. Many password-protected consumer sites will block users from accessing an account after a number of failed attempts with incorrect passwords, but iCloud did not.
Hackers can then use different software to download and access iOS device backups from the iCloud account — effectively giving them access to all data stored on a device at a given point in time. This is why some of the celebrity victims claim to have deleted images which have since turned up in the leaks.
Apple is recommending its customers “use a strong password and enable two-step verification” to avoid becoming the victim of future attacks. But as we said in an earlier article, we can only wonder whether Apple’s advice is enough to attract celebrity customers back when iPhone 6 launches this month.