After telling Recode that it was "actively investigating" if iCloud accounts had been hacked, Apple today issued a statement on the recent hack and release of celebrity photos.
After compromising photos and videos of celebrities, including Jennifer Lawrence and Kate Upton, were released on image-sharing site 4chan on Sunday, Apple "mobilized Apple’s engineers to discover the source."
The statement says, in part that the Apple accounts of the celebrities were compromised:
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
In the statement, Apple claims that iCloud and Find My iPhone were not breached:
None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.
Apple carefully worded the statement and didn't outright deny that the data came from iCloud or Find My iPhone. Instead, Apple said that "none of the cases we have investigated" were as a result of a system breach.
Some have speculated that the racy content may have come from iCloud backups (as opposed iCloud photos) because the leaked data included some videos – which aren't currently stored directly on iCloud.
Apple was originally mentioned as a source of the photos after murmurs on 4chan implied that the content had come from "iCloud." This was immediately challenged, however, after several non-Apple devices were noted taking some of the selfies in question.
The timing of Sunday's leak also implicated Apple because HackApp posted a proof of concept exploit for an iCloud flaw the day before, on Saturday. The "iBrute" vulnerability flooded the Find My iPhone website with password attempts without being locked out. Apple patched the FMF brute force vulnerability yesterday and now locks an Apple ID after five unsuccessful Find My iPhone password attempts.