Apple (finally) breaks silence on Celeb media hacks

It was you, not us.

If you haven't been living under a rock these past few days, then you may have heard about the celebrity media hacks that were posted to 4Chan. The hacker gained access to the private photos and videos of dozens of celebs via iCloud and then proceeded to post them on the message board. Users then raced to host the files on the popular image sharing site imgur and via torrent sites; imgur has been proactive in taking down the images, but once an album is removed another one pops up.

Kirsten Dunst was one of the celebs who had her account compromised, and let that be known via Twitter shortly after the news broke.

Apple has now officially commented on the matter and is taking the breach, understandably, very seriously:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. 

The Cupertino company also stated that no systems were compromised, and that it appears to be a targeted password hack on individual accounts. Additionally, Apple recommended that people use two-step authentication, perhaps hinting at the root cause of the hack itself.

Back in May, many Australian iCloud users found themselves locked out of their accounts after hackers gained access through the "Find my iPhone" feature. At that time the hackers demanded money for restored access; Apple said then, as now, that it had nothing to do with an iCloud or services breach. 

In any case, it does bring to light misplaced trust in such services and a failure to properly protect such sensitive data. Either way, we're sure that those who were affected have learned something about online privacy from this.

Source: Business Wire | Image via Apple

83 Comments

Please Login or Sign Up to post a comment.

Wow, I know I'm probably going to catch hell for this but


Here's an idea, take a minute to look at your device and make some changes to its syncing options, FFS! I remember when camcorders were all the rage, and couples were filming themselves having sex on them, then the embarrassment of finding out that the said camcorder got stolen and the 'tape' has been seen by thousands etc... We're just going round in circles..

If you have pictures like this, then don't be surprised that someone somewhere will try to (in this case, was able to) steal them, and if it REALLY matters to the celebs, that pictures like these could be leaked, don't take them to begin with.
There are millions of red-blooded men out there who would think, I would love to see 'celeb x's' topless pictures etc; some of those wouldn't care how they got them (and this has now been proven, by simply checking some websites)
(it's like protecting your car, no matter what you do, if they want it bad enough they will take it, but in the exact instance of one's car, it obviously makes sense to make it so difficult it wouldn't be worth the time it would take, ie in case there's a cop around and said thief's chances of being caught is too high etc..)
Sorry, rant over

What about not storing nude pictures of yourself on the cloud? Even if a super-hacker broke into your now more secure account, the worst they could do is post pictures of you with your family.

Do you think it was their intent to let these nudes go public?

Putting private pictures on your cloud should make no difference than storing them locally, as both belong to you. But with many services automatically (and prematurely) doing all this stuff for you, something like this was almost inevitable.

LightEco said,
Hmm, something along the lines of "You're securing it wrong"? coming from Apple PR?

Or like: "You are iPorning it wrong!"

The hackers have said they were able to bruteforce the passwords without the locking penalty. Apple can say their security was not breached, because it really wasn't, technically. They just didn't have the right security features implemented. It's sickening that the media is simply sweeping this whole thing under the rug and trying to absolve Apple of any wrongdoing.

What media is trying to sweep this under the rug? Every article I've seen from the major players mentions the bruteforce attempt on iCloud, and how there's no lock out after so many failed attempts. Some articles even walk people through on how to turn off iCloud.

I think it was a hack of DropBox, not iCloud. Anyone who has conducted a security analysis of the leaked images would have also seen the hidden ".dropbox" files.

I will never believe in the cloud anything. Unimportant items get backed up to OneDrive and that's about it. Our family history photos and nude photos of myself(/s) are all on physical media duplicated and locked away.

About that two-step authentication.... http://www.tuaw.com/2014/09/02/think-iclouds-two-factor-authentication-protects-your-privacy/

"If you haven't been living under a rock these past few days, then you may have heard about the celebrity media hacks that were posted to 4Chan."

Why would I care about some random person getting hacked?

Neowin on 9/3/2014: "Apple (finally) breaks silence on Celeb media hacks"

Recode on 9/1/2014: "Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web."

I'm sorry. The article title on Neowin had me under the impression that Apple hadn't addressed the celeb media hacks until after their investigation, when they really addressed it shortly after The Fappening started. Like less than a day.

And having an easy to guess password or security question answers is the user's fault, is it not? I have a pretty common name, so I have people constantly trying to take over my Facebook and Instagram accounts because they want my user name. I've even had some offer to buy it. But say those people did finally gain access to my account, who do I blame? Facebook? Instagram (well, Facebook)? Or do I own up to not safeguarding my stuff on third party services with better passwords and answers?

The latter.

Steven P. said,
40 hours later.. and blamed it on the users.

i know people hate it, but....

They're storing it wrong.

They're storing it the way that "just works" when you have an iPhone. Most of them probably didn't even know the cloud copies of their files existed.

For once I don't think it's Apple's fault. Social engineering has been out there for a while and the only way you can blame Apple is that they attract the dumbest users to use their services and phones. Or they could force 2-step authentication, which only a few do.

trojan_market said,
For once I don't think it's Apple's fault. Social engineering has been out there for a while and the only way you can blame Apple is that they attract the dumbest users to use their services and phones. Or they could force 2-step authentication, which only a few do.

It's partly Apple's fault for not locking someone out after so many failed attempts, which most sites nowadays do.

I thought Apple ID passwords needed to include a capital letter, character and number, and needed to be at least eight characters long. = secure?

68k said,
I thought Apple ID passwords needed to include a capital letter, character and number, and needed to be at least eight characters long. = secure?
They do now, but older accounts might still have passwords that are simple

Even so, those factors don't guarantee that a password is invulnerable, and sharing a relatively secure password across many different accounts also makes it vulnerable. People can be highly predictable e.g. 1LastnameFirst or UsernameBirthdate, and often security breaches are caused by the component between the keyboard and the chair. I'd guess, having never used it myself, that Apple's service will block login attempts after a few wrong guesses like many other online services - it seems entirely possible that the login detail breach occurred independently of the iCloud service itself.

Rudy said,
They do now, but older accounts might still have passwords that are simple
Indeed, I know people with Apple ID passwords that are their name.

Apple is right, they can't fix stupid. Even forcing complex passwords doesn't fix the issue. Talk to your parents and such, ask them how many of them have a Post-it note, or txt doc with all their usernames and passwords on it.

- If password entered contains a word in the dictionary, prompt user to enter 'proper' password, or allow system to randomly generate a complex password.
- Monitor IPs of sign-in locations, and allow users to only set certain locations (from which a service will allow signing in).

68k said,
- If password entered contains a word in the dictionary, prompt user to enter 'proper' password, or allow system to randomly generate a complex password.
- Monitor IPs of sign-in locations, and allow users to only set certain locations (from which a service will allow signing in).

http://xkcd.com/936/

I haven't seen any reports of celebs losing access to their iCloud or Apple account, which makes it even more fishy; if it were a typical password hack, then usually the accounts get taken over too.

Steven P. said,
I haven't seen any reports of celebs losing access to their iCloud or Apple account, which makes it even more fishy; if it were a typical password hack, then usually the accounts get taken over too.

If you're only interested in the pictures, you wouldn't take over the account. You'd allow the victim to keep taking pictures and giving you material to steal.

Steven P. said,
I haven't seen any reports of celebs losing access to their iCloud or Apple account, which makes it even more fishy; if it were a typical password hack, then usually the accounts get taken over too.

Well, check the images that leaked, I bet those are not paparazzi pics :) I mean boobs and naked pics in their real homes with their real boyfriends... definitely not paparazzi

I'm calling complete BS on this.. There is no way the "hackers" guessed the account names of these celebs.. Come on now.. Selena.Gomaz@me.com? I don't think so.. They are not being truthful here..

Give a smart hacker with nothing better to do a few months and tell me that he wouldn't be able to give a targeted attack on just about anyone here. Much less a team of these slimy bastards trolling for any information that they can find. All that Apple is saying is that the hackers didn't get in via some backdoor in the services, not that the services weren't exploited. This leads us back to the #1 rule of digital security which is that the end user is always the weak link.

fusi0n said,
I'm calling complete BS on this.. There is no way the "hackers" guessed the account names of these celebs.. Come on now.. Selena.Gomaz@me.com? I don't think so.. They are not being truthful here..

So I take it you did not see the leaked images then??? You missed a lot :)

What I don't understand is why those photos were stored in a cloud... And I don't know Apple's policy about storage, but on other storage like OneDrive and Google Drive there are problems if storing nude photos - it's prohibited...

Terms of Service only prohibit storing nude photos if the law prohibits it. That being said, I think all the services would advise against it.

Because during setup it asks if all photos and video should be synced to the cloud as well, and that's usually a typical "yes". Mine also syncs with OneCloud, but I don't have anything there worth torrenting or losing any sleep over :p

I use OneDrive, so I don't know about others but I imagine they're all the same. For OneDrive, you can have nudes, as long as the folders are not publicly shared, and the people in the pictures are obviously of legal age.

/me is waiting to see if Microsoft and/or Google are going to take advantage of this... Since Apple would obviously do the same if the roles were reversed...

Somehow people seem to forget that this was a coordinated operation that spanned months. With that much time you can constantly attack an account by trying different passwords without being locked out.

Nope, it all happened over the weekend. True, the vulnerability was present in the Find my iPhone feature for a long time, which Apple denied and refused to patch until this incident, but only after someone created this tool to take advantage of it to automate and speed up the process did these hacks happen:
https://github.com/hackappcom/ibrute

Some of the pictures taken were very old according to the victims. Some had been deleted by the victims years ago.

It's been alleged this was part of large cache of pictures & videos that have been circulating in a seedy ring of people who swap celeb material with each other.

Even if they were hacked they probably would still say they weren't hacked. So I still think that they were hacked.

Cloud is as secure as the user makes it. With two-form-factor authentication, having someone's password is still useless on its own.

Not exactly, if it was a true hack it would not care for the passwords at all. If they (in this case Apple) did not secure it well, even if you have a strong pass and 2-3-4 form factor authentication it will not help you.
Of course in this case even if those owners were using their home PCs for their photos and not cloud stored pics, I bet it would not be any harder to steal them, but still, I would prefer to control my own security.

Yes, enjoy it, but be smart about it too. I use cloud services, but I don't put any banking or private info in them. I don't have nudes, but if I did and they got posted on the internet, I would just feel sorry for the people who looked at them.

Uhh they weren't hacked but somehow you can target individual accounts and get in without the account locking on invalid attempts? WTF any 3rd rate audit would call that a complete no no.

Apple:
"We were not hacked, our security is so lax that they did not need to hack our infrastructure to get all the personal data."

Anyone that never saw this coming from those crap cloud services has obviously been living under a rock and it fell on their head before getting under it! It was only a matter of time.

I personally will NEVER use them! :x

cork1958 said,
Anyone that never saw this coming from those crap cloud services has obviously been living under a rock and it fell on their head before getting under it! It was only a matter of time.

I personally will NEVER use them! :x

This is NOT A HACK though, it's based on either bad iCloud passwords or bad passwords on the mailbox linked to the forgot my password function. Either way it's bad passwords.

I see your point to a degree, if they weren't stored there then there would be no issue, but you could follow on from that and say if the pictures were never taken the issue wouldn't exist, or if cameras weren't invented this issue wouldn't exist. The point is the issue here is specifically based on bad security from the end user, NOT a breach of a service based on its bad coding or security - you can only do so much, then the user gets involved and that is the weak point.

duddit2 said,
This is NOT A HACK though, it's based on either bad iCloud passwords or bad passwords on the mailbox linked to the forgot my password function. Either way it's bad passwords.

I see your point to a degree, if they weren't stored there then there would be no issue, but you could follow on from that and say if the pictures were never taken the issue wouldn't exist, or if cameras weren't invented this issue wouldn't exist. The point is the issue here is specifically based on bad security from the end user, NOT a breach of a service based on its bad coding or security - you can only do so much, then the user gets involved and that is the weak point.

There have been hacks in the past. Why? Not enough security (cuz weak point found)? Common passwords? Yes... Or even remembering passwords on browsers and (PC) apps.

IT IS A HACK.

"In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network."

A weakness has been exploited. That weakness was that Apple allowed unlimited failed logins, which in turn allowed the discovery of passwords using brute force attacks.

End of discussion.
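The weakness the commenters above are arguing about is a login endpoint that keeps answering password checks no matter how many guesses fail. As an added illustration that is not part of the article or of any Apple code, here is a small per-account lockout policy of the kind most sites apply: after a fixed number of failures inside a window the account is locked for a cooling-off period, and while it is locked the password is not even examined, so a later correct guess cannot be confirmed. The account name, password, thresholds and the fake clock are all constructed for the example.

```python
"""Per-account failed-login lockout (constructed example, not Apple's code).

Tracks failed attempts per account inside a sliding window and refuses to
evaluate further passwords once the threshold is reached. Thresholds below
are illustrative; a real service would tune them and would compare salted
password hashes rather than the plaintext store used here.
"""
import hmac
import time
from collections import deque

MAX_FAILURES = 5            # failures allowed per account per window
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards


class LoginGuard:
    def __init__(self, credentials, clock=time.monotonic):
        # credentials: constructed {account: password} store for the demo
        self._credentials = credentials
        self._clock = clock
        self._failures = {}       # account -> deque of failure timestamps
        self._locked_until = {}   # account -> time the lock expires

    def _recent_failures(self, account, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def attempt(self, account, password):
        """Return 'ok', 'denied' or 'locked'.

        A locked account returns 'locked' before the password is looked at,
        so guessing cannot continue while the lock is in force.
        """
        now = self._clock()
        if self.is_locked(account):
            return "locked"
        expected = self._credentials.get(account)
        # compare_digest avoids leaking how many leading bytes matched.
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self._failures.pop(account, None)
            return "ok"
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()
        return "denied"


class FakeClock:
    """Constructed clock so the lockout window can be advanced deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay(guard, account, guesses):
    """Feed a constructed sequence of guesses to the guard; return the verdicts."""
    return [guard.attempt(account, g) for g in guesses]


def demo():
    # Constructed account and a short list of bad guesses followed by the
    # real password; the real password is never confirmed because the
    # account is already locked when it arrives.
    clock = FakeClock()
    guard = LoginGuard({"alice@example.invalid": "correct horse battery staple"}, clock)
    guesses = ["password", "123456", "letmein", "qwerty", "alice1",
               "correct horse battery staple"]
    return replay(guard, "alice@example.invalid", guesses)


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked']
```

The lock is keyed on the account rather than the client address, which is what stops a slow, distributed guessing campaign against one victim; the usual trade-off is that an attacker can deliberately lock a victim out, which is why real deployments pair this with a notification to the account owner and an unlock path that does not depend on the password alone.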

Unlimited failed logins were not related to these hacks. It was that security question info was available on wikipedia, twitter, Facebook, imdb, instagram, et cetera. And there was no "4chan hacker".

Right, forgot about security questions and unlimited attempts. I rarely use security questions, I tend to write my password into a local password storage app. Most of the time, I just send an email and change the password. But yeah, those are some of the good points I forgot to mention.

Yeah, but using Apple's 2FA wouldn't save them from having their passwords guessed, as it doesn't protect Photo Stream, Backups, mails, contacts, etc. 2FA in iCloud basically protects only from changing account details and making purchases. If someone guesses the password, he/she can then remotely wipe the device or copy data without ever being asked for a one-time code.

I saw another article yesterday by some 'tech blogger' who obviously had a hard-on for Apple. His premise was that it's unlikely that the breach was people guessing users' details to get into their iCloud accounts directly, but rather that it was likely they used the recover password function AND had access to the users' mailbox.

This assessment clearly misses the point that for the person to have access to the victim's mailbox we're back to square one of how the attacker gained access to the mailbox, and the most likely cause is weak passwords.

So having a strong password on your iCloud, or even two-factor auth which sends a code to your email address, is USELESS IF your mailbox is secured with a weak password and/or no 2-factor auth.

My MS services are all secured with 2-factor auth using the authenticator app for the 2nd stage auth, and I struggle to think of any reason why anyone would use any other email system than the big free ones (outlook.com / gmail mainly), especially ISP-linked email accounts! The security, portability, accessibility and features, along with them being free, make any other email system (other than if you need your own domain name, but then it's 365/gapps/exchange onsite way before cheap-ass webhosting based email) worthless!

plur44 said,
"Lumina's"

I mean, I know they are not that popular but c'mon...

I'm not sure how a bunch of old Chevy coupes are going to help these celebs... did you mean lumia

winrez said,
If they were smart Microsoft PR should take advantage of this by giving the victims Lumina's
Apple could put the nude photos on their homepage, and most of them still wouldn't use a MS Phone :p

Hint: Using PASSWORD as your password does not a good password make. Sucks for the people affected by the hack. 2-way identification, or IP-lock, would certainly make it harder.

68k said,
'Password1#' is up to standard.

That's a horrible password. "Password1!" is much better. You don't have to take your finger off the "1" key for the exclamation point. :D