Investigation reveals systems were not penetrated in the incident
Apple completed its investigation regarding the hacking into the iCloud accounts of multiple female celebrities that resulted in the leak of intimate photos, and concluded that its services were not breached.In a statement released a short while ago, the company says that more than 40 hours have been spent investigating the cause of the leak, as rumors about possible vulnerabilities in its software set customers on edge.
Apple fans can rest easy, especially now that the brute-force abuse of the login feature for the service is no longer possible.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone” the statement from the company says.
It appears that the celebrities fell victims to targeted attacks relying on social engineering techniques for extracting user names, passwords and security questions. This means well-crafted, phishing campaigns aimed specifically at them.
Cloudmark research analyst Andrew Conway also believes that the login data was obtained this way. “It is more likely that the images have been acquired though spear phishing attacks or social engineering, which exposed a username and password. At Cloudmark, we have seen Apple ID’s phished in similar fashion via SMS and email,” he said via email.
Although this method has been speculated by security researchers, brute-forcing seemed more fitting. Apple does not deny this, either, suggesting that users should create strong passwords.
Setting hard-to-crack passwords coupled with 2FA is the recommendation of security experts, too. Eric Chiu, co-founder of HyTrust cloud control company, said that rotating the passwords on a regular basis is a good security practice, too.
On the same note, Bob Doyle, security consultant at Neohapsis, a firm focusing on cloud security services, recommends using unique passwords; this way, if credentials for one account are compromised, other services are still safe.
2FA ensures that even if the user name and password are retrieved by the cybercriminals, they would not be able to access the content in the account because a third authentication code would be required, which is generally delivered to the owner’s phone via SMS.
The hackers who compromised the iCloud accounts of the female celebrities pulled images of them in different stages of undress and leaked the content on 4Chan, Reddit and AnonIB.
The list of those affected includes names such as Rihanna, Ariana Grande, Selena Gomez, Mary Kate Olsen, Kirsten Dunst, Hope Solo, Mckayla Maroney, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Kate Upton and Victoria Justice.
However, not all those whose nude pics were published online confirmed the authenticity of the images, which could suggest that some of the content is fake. Mary Elizabeth Winstead, Kirsten Dunst and Jennifer Lawrence were among those admitting the photos were real.
The FBI is also investigating the incident.