Unless you’re living under a rock, or in some other media-free secluded villa in the south of France, you will have heard about the hundreds of photos leaked onto the internet. Naked photos, specifically, of celebrities, purportedly taken from their iCloud accounts and posted on Tor before landing on 4chan and leaking all over the internet, as something as viral as naked celebrity photos was always destined to do.
Some of the celebrities involved have claimed that the photos are fake, whilst others have been confirmed to be legitimate.
Bad news.
Apple gave a statement to the guys over at Re/code advising that they will be undertaking a full investigation into the matter, which is great. “We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.
Today Apple confirmed that iCloud itself was not breached; instead the attackers were able to access and steal the photos through a targeted attack on user names, passwords and security questions.
From the sauce:
“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud(R) or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
This validates what security experts suggested yesterday: the attackers were able to get hold of the photos through a combination of weak passwords and the lack of two-step verification. Two-step verification is a feature Apple introduced in March last year which requires, in addition to the password, a security code delivered to a trusted device in order to log into your iCloud account.
Although originally suspected of having been used in the attack, it appears that a tool shared a few days ago on GitHub, a code-sharing website, was not used by the attackers. The tool would have allowed someone to guess passwords repeatedly without being locked out of an iCloud or Apple account, but Apple fixed the underlying issue as of Monday morning. Attempting to use the tool now locks an Apple ID after five failed password attempts.
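As an added illustration of the lockout behaviour described above (this is not Apple’s code; the account, password and clock are constructed for the demo), a per-account failed-login counter that refuses further attempts, even with the correct password, once five guesses have failed:

```python
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5  # the threshold described in the article


def make_record(password: str) -> dict:
    """Store only a salted password hash (constructed sample account)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


class LoginGuard:
    """Hypothetical per-account lockout: counts failed logins, locks after five."""

    def __init__(self, accounts: dict, lockout_seconds: float = 900.0, clock=time.monotonic):
        self.accounts = accounts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so a test can advance time

    def login(self, user: str, password: str) -> str:
        rec = self.accounts.get(user)
        if rec is None:
            return "denied"  # same answer as a wrong password: do not leak account existence
        now = self.clock()
        if now < rec["locked_until"]:
            return "locked"  # refused even if the password is correct
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failures"] = 0  # a good login resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + self.lockout_seconds
            rec["failures"] = 0
            return "locked"
        return "denied"


def demo() -> list:
    """Five wrong attempts on a constructed account, then the real password."""
    guard = LoginGuard({"alice": make_record("correct horse battery staple")})
    results = [guard.login("alice", f"wrong-{i}") for i in range(5)]
    results.append(guard.login("alice", "correct horse battery staple"))
    return results
```

Without the counter every call would simply return "denied" and guessing could continue indefinitely; with it the sixth call is refused outright until the lockout expires.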
As always, if you’re concerned about your privacy we recommend using strong passwords and enabling two-step verification.
A strong password includes numbers, symbols and a mix of capital and lower-case letters, and does not form a word or sequence of numbers that anyone but you could connect to your biographical information.
To find out more about how to set up two-step verification, visit the Apple support page here.
Image courtesy of Apple.