A slew of nude celebrity photos was dumped onto the internet this past weekend, and most of the discussion surrounding the hack has centered on security flaws in Apple’s iCloud service. On Tuesday, Apple released a official statement in which it denied a systemwide breach, but acknowledged that “certain celebrity accounts were compromised” by a targeted attack. The full statement is below:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Based on the statement, it seems that Apple systems have not been breached with a new exploit, but rather that certain iCloud accounts were accessed through (presumably) garden-variety phishing or social engineering. After all, if an attacker gains access to one account — say, an email account — the information within can often be used to access that target’s other accounts. Apple’s statements leave open the possibility that a flaw in another company’s security was what led to the very public security breach.
Apple is recommending two-factor logins if there’s something on your phone you’d like to keep private. That’s a good idea — and considering that sometimes it takes up to three days to turn on iCloud two-step verification, you should start the process now.