Apple confirms accounts compromised but denies security breach
- 2 September 2014
- From the section Technology
Apple has confirmed that some celebrities' iCloud accounts were broken into, but says it has found no evidence that this was caused by a breach of its security systems.
Instead, the firm suggests perpetrators carried out their thefts by deducing victims' log-in credentials.
The statement follows the online publication of intimate pictures of about 20 personalities.
Actress Jennifer Lawrence has confirmed a leaked topless photo of her was real.
There had been speculation that the images were obtained due to a vulnerability in software that allows users to locate missing iPhones, since it had allowed unlimited password guesses.
But Apple has indicated that this was not the case.
"We wanted to provide an update to our investigation into the theft of photos of certain celebrities," said the firm in a statement.
"When we learned of the theft, we were outraged and immediately mobilised Apple's engineers to discover the source.
"Our customers' privacy and security are of utmost importance to us.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.
"None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
The FBI said earlier that it was looking into the case.
Experts had highlighted that celebrities could be vulnerable to attacks if their passwords or security question answers could be guessed from articles written about them.
But one academic suggested that it would take more than obscure log-ins to shield internet accounts from the risk of theft.
"This isn't the first time photos have been taken off cloud storage and it won't be the last," said Dr Steven Murdoch, an information security researcher at University College London.
"And it's not fair to blame the victims of crime who may have simply been following the instructions websites are giving to protect their accounts.
"Authentication is not cheap to do right at large scale.
"If you contrast what Apple and Dropbox and Google are doing with what banks are doing, then you can see the banks are taking significantly more steps to protect their customers. They are sending hardware and letters to customers, and sometimes requesting they come into branches, which gives better security but at a cost."
Dr Murdoch said that users wishing to do more to protect themselves could activate two-factor authentication - which can involve the user having to type in a short code sent via text message to their phone number as an extra security step before they are given access to their uploads.
Images of the celebrities were leaked on image posting website 4Chan.
The user posting them - who defined him or herself as a "collector" rather than "hacker" - said more images of different celebrities would soon be posted.
Copies of the images spread to other services, including Reddit, Imgur and Twitter, from which they were subsequently deleted by administrators.
While some of the celebrities said the images were fake, others have confirmed their authenticity.
Actress Mary Elizabeth Winstead posted on Twitter: "To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.
"Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this."
Winstead's comments would suggest iCloud was not at play, as pictures on Apple's service are only viewable online for 30 days.
Raj Samani from Intel Security said: "Almost every service used online requires a password, and to ensure your passwords are secure, they must be complex."
But more often than not, it is human weaknesses that give hackers the simplest route to compromising accounts.
"Phishing" people - meaning to trick them into giving up their password - is considered perhaps the simplest and most targeted way hackers gain access to accounts.