Apple to add security alerts in the wake of iCloud hacking scandal

Despite his assurance that the recent iCloud hacking scandal wasn't a result of a security breach or compromise of the service itself, Apple CEO Tim Cook has announced that the company will be implementing new features in order to provide an extra layer of security in case of any unauthorized account access.

The statement came in an interview with the Wall Street Journal, where Cook discussed the iCloud hacks and how the events transpired. Most notable was his reiteration that the attacks were all targeted, and that no compromise of iCloud's security or infrastructure -- large scale or otherwise -- had occurred.

That considered, Apple is still taking increased steps to beef up the security of its services, including a new system which will push an alert to an Apple device if someone attempts to change the password for the account connected to it. An alert will also be sent if iCloud data is restored to a new device, or if a log-in attempt is made from an unknown Apple device.

Cook says the new notifications will be implemented in two weeks. Until then, users are urged to make sure their accounts are secure, including using strong passwords and choosing high-quality security questions.

Source: Wall Street Journal | Image via Geekwire


27 Comments


I'm sure Apple will "change all over again" in terms of security, somehow it will change by Apple. And people will love it.

Security alerts from Apple? Are you telling me Apple is NOT the magical secured environment I was led to believe in? /s

The part that keeps getting swept under the rug is the fact that there were no timeouts on failed login attempts for iCloud accounts. Right after this became public Apple quietly implemented this basic feature. If that isn't an example of shoddy security practices by a company, I don't know what is.

"We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are," said Mr. Cook, Apple CEO.

LOL! He thinks Apple is more outraged than the people who got their nudes leaked. The hubris and ego of this company is crazy!

I'm not sure which is more embarrassing. Have a naked pic for people to see, or being a billion dollar company with almost no security on their systems.

"Almost no security" my ass.

Or people are just retarded enough to not know how to secure their personal information.

I would've thought this would be a standard thing, it's often the case for many other online services!

JHBrown said,
Thank you Apple!

For? Lacking basic security features? Or finally adding basic industry standard security features that should have been implemented 10 years ago?

Push notifications about someone using your iCloud should have been implemented years before both push notifications and iCloud even existed?! Apple might be innovative but they're not that innovative..

In all seriousness I feel Apple do a lot more than everyone else does at the moment. I don't get any notifications on my Windows Phone if I add another computer to my OneDrive account. I've never noticed anything similar on Android either. As soon as I connect a new iDevice to iMessage and the other services, all my devices including my Macs get notifications asking me if I should allow it or not.

DomZ said,
Push notifications about someone using your iCloud should have been implemented years before both push notifications and iCloud even existed?! Apple might be innovative but they're not that innovative..

In all seriousness I feel Apple do a lot more than everyone else does at the moment. I don't get any notifications on my Windows Phone if I add another computer to my OneDrive account. I've never noticed anything similar on Android either. As soon as I connect a new iDevice to iMessage and the other services, all my devices including my Macs get notifications asking me if I should allow it or not.

No. They shouldn't have allowed unlimited incorrect logins. They should have locked the account (for a time period) after a certain number of incorrect attempts. That's how people were able to brute force the passwords. That's absolutely inexcusable and they will likely be answering to that in court.

On Windows 8, you can't even add an account that is linked to a Microsoft account unless you enter a verification code sent to you via SMS or email. It doesn't sync anything until you complete that step.

With Microsoft online services, it frequently will ask for an SMS or email verification step if you sign in from a location you have never signed in before, and can select whether or not to save that verification. And you certainly can't brute force it by repeatedly hitting the server with login attempts.

I'm happy to see unobtrusive methods of security being added.. everyone shouts about 2 factor authentication, but me, I absolutely hate it and shouldn't have it forced upon me because some celebrities can't be bothered to properly secure their accounts.

I use 2 factor authentication in my business because it's not just my details I'm protecting, it's my clients.. but for my personal stuff, no thanks, my passwords are secure as are my computers.

Of course, the option would be nice, but I personally think it's unnecessary for most things and implemented because people won't change their password habits.

Apple's statements adamantly claim that none of their security was compromised but they were - someone was able to take data that didn't belong to them from their secure servers. Imagine if someone dressed up as a security guard and stole the contents of your bank account and the bank claimed that "none of our security was broken cos the guy looked like a guard"

Same deal here in a way. Sure the users looked like the real user but logging on from devices that aren't associated with the user, especially to recover data should trigger 2FA. It does with most Google services and it should have with Apple.

Not saying they're fully at fault but it's a bit poor to try and play it off as if nothing happened. What happened here could happen to anyone if the attacker had the right amount of time and effort.

The accounts were accessed because someone was able to guess the password, the security questions or got access to the email account and reset the password using the normal method. What Apple is saying is that everything on their end worked as expected, their service was not compromised.

A better analogy is identity fraud. When it happens, it isn't exactly the bank's fault if the person in question had all the information needed to identify them as someone else.

sphbecker said,
What Apple is saying is that everything on their end worked as expected, their service was not compromised.

And what everyone else is saying is that Apple's security wasn't up to basic industry standards.

Everything worked as expected. It just wasn't good enough, and they knew better.

Microsoft already warns you security may be compromised when an uncommon IP tries to login to your account.

And two-step verification does work. I use SMS code, stopped an unauthorized login once.

Depicus said,
Good, although why these were not in place already.

As it wasn't Apple that was compromised did it need to be?

SteveCac said,

As it wasn't Apple that was compromised did it need to be?

Well I welcome better security from anybody, Microsoft, Dropbox, Facebook, Google the more security the better.

SteveCac said,

As it wasn't Apple that was compromised did it need to be?


It's pretty obvious that it did need to be since 100's of celebrity accounts (and I bet thousands of other accounts we don't know about from common users) were hacked in this targeted way. But really, 2 factor authentication should have been implemented as the default standard, something Apple suggests be done by the user, from the beginning and we would not be discussing this now. Apple really needs to share 50% of the blame for this fiasco and other cloud services need to do the same.

TechKnowNYCKEY said,

It's pretty obvious that it did need to be since 100's of celebrity accounts (and I bet thousands of other accounts we don't know about from common users) were hacked in this targeted way. But really, 2 factor authentication should have been implemented as the default standard, something Apple suggests be done by the user, from the beginning and we would not be discussing this now. Apple really needs to share 50% of the blame for this fiasco and other cloud services need to do the same.

Mmmm not sure I agree, that's like blaming Yale for not locking up my house.

True, Yale is not responsible for locking your house. But Yale is not storing anything confidential in your house that could get broken into and stolen.
Your analogy is not the same as you are not using your house\server to store anything except for your "own" belongings which you are solely responsible for. The house\server is your house\server, not Yale's.
Apple's house is their iCloud server where millions of people do store their belongings, confidential files. You the user are providing the lock for hopefully keeping those belongings safe in the password you use. But as we have seen, it is not sufficient the way Apple has that lock setup. Apple should therefore provide enough security to enforce your lock and another lock on Apple's side to both protect your belongings and protect Apple from any potential lawsuits (2 factor authentication). It's a win\win situation for both iCloud provider and iCloud user. What Apple did was shift that responsibility to the user rather than having implemented the necessary steps of 2 factor auth by default in the very beginning before this whole mess happened. That is why I say it is both the user and Apple that need to share that responsibility.

It's like shopping at Target or Home Depot. You use your credit card there and have an expectation that your credit card info will not get stolen and used nefariously. But as we all know, Target and HD had their servers hacked. Who is to blame, the user or the business? It's the business' responsibility to protect that info if it is being stored on their servers. Nobody is blaming the users of those credit cards for the hack, are they?

Edited by TechKnowNYCKEY, Sep 5 2014, 2:12pm :

Yes I almost totally agree with you but can you force two factor authentication. I remember when Microsoft first introduced 2FA and it was such a PITA that I turned it off. Haven't tried it since and what about all those without phones or who simply don't want to hand over another bit of personal info just to use a service. It is a tough one.

Depicus said,
Yes I almost totally agree with you but can you force two factor authentication. I remember when Microsoft first introduced 2FA and it was such a PITA that I turned it off. Haven't tried it since and what about all those without phones or who simply don't want to hand over another bit of personal info just to use a service. It is a tough one.

There are different ways to have 2FA. Most banks do it today and I bank with one of them. I am totally ok with doing 2FA as I know it will only protect me. My thought process is make 2FA default but leave the option to disable it up to the user instead of "opting in" to 2FA the way it is now. That way, if the user "opts out" then the fault will truly lie with the user. Apple or any other cloud based service provider will be completely absolved from any responsibility at that point.