Apple denies breach in celebrity iCloud 'hack'

Summary: Apple admits accounts compromised but states: 'None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.'

TOPICS: Apple, Security
Apple releases statement on celebrity photo breach, denies culpability - Jason O'Grady
(Slide: Apple Inc.)

After telling Recode that it was "actively investigating" if iCloud accounts had been hacked, Apple today issued a statement on the recent hack and release of celebrity photos.

After compromising photos and videos of celebrities, including Jennifer Lawrence and Kate Upton, were released on image-sharing site 4chan on Sunday, Apple "mobilized Apple’s engineers to discover the source."

The statement says, in part, that the Apple accounts of the celebrities were compromised:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.

In the statement, Apple claims that iCloud and Find My iPhone were not breached:

None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.

Apple carefully worded the statement and didn't outright deny that the data came from iCloud or Find My iPhone. Instead, Apple said that "none of the cases we have investigated" resulted from a system breach.

Some have speculated that the racy content may have come from iCloud backups (as opposed to iCloud photos) because the leaked data included some videos – which aren't currently stored directly on iCloud.

Apple was originally mentioned as a source of the photos after murmurs on 4chan implied that the content had come from "iCloud." This was immediately challenged, however, after several non-Apple devices were noted taking some of the selfies in question. 

The timing of Sunday's leak also implicated Apple because HackApp posted a proof-of-concept exploit for an iCloud flaw the day before, on Saturday. The "iBrute" vulnerability allowed the Find My iPhone website to be flooded with password attempts without the account being locked out. Apple patched the FMF brute-force vulnerability yesterday and now locks an Apple ID after five unsuccessful Find My iPhone password attempts.

  • Seems far fetched to me

    How else would you get the data other than iCloud? Otherwise you've got to get into the phone.... seems a lot harder to me.

    I think Occam's razor applies here... major dump of private data = batch access to private data.
    • Sloppy passwords on individual accounts ...

      ... is a much more Occammy Razor.

      Multiple individual attacks over a period, rather than one massive attack that would take them 4 years to find the good stuff after.

      Don't forget that most of the 'phone hacking' cases have been simple password guessing.

      As Occam would doubtless have said "people grow hair and need razoring. Electronic devices don't"
      • Apple has sloppy auditing

        They should have been able to detect this.

        Regardless, it's another Apple fail.

        How many hacks have happened this year... 3 or 4 at least.

        iOS is really secure .. ROFL.
        • exactly

          Apple lies lies lies
          the reason is huge security disaster of Find my phone by Apple!
          Apple says again and again "you hold it wrong"
          liars, rotten Apple

          Apple is the most insecure system in the world, well known fact among professionals:

          "I can make you call a phone number by clicking a link in any app that didn't implement custom handling for tel links"
          "President Obama Cannot Use Apple’s iPhone Due To Security Reasons"
          "Do not use iPhones. I mean, you can use them, but do not store your personal data there"
          Jiří Pavelec
          • Jiri

            Proof of your claims for once please. Thanks.
          • When you've finished your rant...

            Some celebrities (who live on, and constantly create opportunities for, publicity) are making a lot of publicity out of dubious claims that their iCloud accounts have been hacked.

            Apple have denied this. The alleged stolen photographs demonstrate that hacking is not the whole truth.

            There is a suggestion, no more, that this relates to a successful brute force attack on several celebs attack.

            But there is also a suggestion that security questions have been used to get access.

            If the users used any sort of serious passwords, like "im8RaECl2vRSdY2W" rather than "Pete" as their passwords, then it is implausible that the brute force attack suggested would have got anywhere on even one account, let alone several.

            If the users use a security question like "Pet's Name?" and give the name that is then published in Hello magazine, along with the boyfriend's name, "Pete", then it's hardly necessary to "hack" their accounts to get access.

            There is a suggestion that locking access to accounts after 5 failed password attempts would have been a good idea. Have you any idea how many random fans will try to break into these celebs' accounts every day by guessing their passwords? If the accounts are locked after each 5 attempts, the celebs themselves will never have any access to the accounts.
            Henry 3 Dogg
          • LOL

            "Apple have denied this."

            And you buy that hook, line and sinker, just like every member of every religious cult would...

          • Blame the user. Brilliant.

            The law of all western countries, including the USA, put an end to that kind of unacceptable thinking years ago.

            You're a joke Henry 3 Dogg
        • Fallacy

          iOS /= iCloud

          Nor is sloppy password security on the user's part - i.e. not utilizing the 2 step verification - a fail on Apple's part.

          Nice try though.
          • You know 2 step verification doesn't apply to this breach right?

            Read Apple's FAQ on 2 step verification and what it DOESN'T cover before you tell people how wrong they are as you try to apologize for Apple's security failure.

            Is it really so hard to admit that Apple screwed up?
          • and...

            Is it really so hard to wait until we know whether Apple screwed up?
            Henry 3 Dogg
          • 2 step IS available


            I believe this is accurate, but I haven't tried it.

            I believe the system works by using 2-step *device* authorisation, generally by sending an SMS. Once a phone or tablet or mac is authorised, you only need to enter a password. (I haven't tested it, because I'd have to de-authorise a device, and all the data on that device would be wiped when I did that.)
  • Oh well...

    Apple will never admit their failure... nothing else is expected...
  • So...

    Photos and content from Apple accounts were accessed unknowingly and without permission. If someone did that to me I would say they hacked my account. Why so much spin from Apple?
    Sean Foley
    • hack

      Do you really not understand the difference between hacking someone’s account by guessing the password and hacking by exploiting a software vulnerability, or are you just being obtuse?
      • whether

        You break into someone's car by first stealing their keys, or you do it by finding a flaw in the door locks - it still results in it being broken into.

        The method isn't what defines the act, the result does. So yes, these people's accounts were hacked - whether by breach of their password or by breach of the underlying system.
        • The best comment

          Wow, just wow, a well thought out response, and it makes total sense: it's not how it happens, it's the result, and the result is hackery.
        • Secure Apple

          It means that someone wanted into a few selected celebrities' accounts and obtained usernames and passwords IN ONE OF MANY WAYS. They might have used brute force hacker techniques to identify the login info, or it may be as simple as someone slipping some cash to a celebrity’s assistant to provide the login info. Most celebrities have people that handle social media, or for one reason or another have been given access to the true owner’s login id. Apple is merely stating that the iCloud account was entered by conventional means: a user ID and password; the iCloud data system was not broken into.
          • I doubt most celebrities have someone that handles their naked selfies

            Apple is obviously wordsmithing a response to cover their rear end as they have a major iPhone update coming in a few days.

            This is why I don't trust Apple with security. They always seem to choose "company image" over a mature and open approach to dealing with security issues.
        • locks

          but if there was a wave of e.g. Mazda car thefts carried out by stealing keys, you wouldn't expect Mazda to change all the locks on the cars