bad_apple

Over the weekend, a large collection of nude photos stolen from celebrities’ phones was posted to the Internet. So far there has been a lot of speculation over how the attack was carried out and how much blame Apple in particular should receive for allegedly failing to properly protect its customers.

Now, after “40 hours of investigation,” Apple has determined that the celebrities were victims of a highly targeted attack aimed at individual usernames, passwords, and security questions. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” reads an Apple blog post.

In other words, this isn’t a scenario where a hacker or hackers exploited a technical vulnerability in the iCloud platform itself, gaining access to millions of photos and shopping around for the ones that looked like they belonged to celebrities. That’s good news for anyone worried about their own accounts being compromised. For good measure, just change your password and make sure you enable two-factor authentication (2FA), which requires you to enter a verification code texted to your phone, and you should be protected, right?

The trouble is, many are theorizing that access was gained through Apple’s FindMyiPhone service, which does not limit the number of login attempts, thus allowing attackers to mount “brute force” password-guessing attacks. That may not be a “breach” in the strictest sense of the term, but it is a vulnerability. It’s also still only a theory.
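To show why a missing login limit matters, here is an added illustration (not Apple’s code or any real service): a small login gate run once with no attempt limit and once with a per-account lockout, against a constructed mock account and a constructed guess list. The class and function names, the mock credential, and the lockout window are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Constructed mock credential store for the demonstration only.
_ACCOUNTS = {"alice@example.com": "correct-horse-battery-staple"}


class LoginGate:
    """Login front door with an optional per-account failed-attempt limit.

    max_failures=None reproduces the "no login limit" situation described
    in the article: every guess is checked, so a guessing run never stalls.
    """

    def __init__(self, max_failures=None, window_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds          # lockout window in seconds
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # account -> timestamps of failures
        self.alerts = []                      # (account, time) lockout events for the SOC

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def login(self, account, password):
        """Return 'ok', 'bad' or 'locked'. A locked account is refused unchecked."""
        now = self.clock()
        limited = self.max_failures is not None
        if limited and self._recent_failures(account, now) >= self.max_failures:
            return "locked"
        if _ACCOUNTS.get(account) == password:
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if limited and self._recent_failures(account, now) == self.max_failures:
            self.alerts.append((account, now))  # threshold just crossed: raise an alert
        return "bad"


def simulate_guessing(gate, account, guesses):
    """Feed a guess list to the gate; return (password found or None, guesses checked)."""
    checked = 0
    for guess in guesses:
        result = gate.login(account, guess)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            return guess, checked
    return None, checked


def compare(max_failures=5):
    """Run the same 100-guess list against an unlimited gate and a limited gate."""
    guesses = [f"wrong-{i}" for i in range(99)] + [_ACCOUNTS["alice@example.com"]]
    unlimited = LoginGate(max_failures=None, clock=lambda: 1000.0)
    limited = LoginGate(max_failures=max_failures, clock=lambda: 1000.0)
    return {
        "unlimited": simulate_guessing(unlimited, "alice@example.com", guesses),
        "limited": simulate_guessing(limited, "alice@example.com", guesses),
        "alerts": len(limited.alerts),
    }
```

With no limit the correct password is found on the 100th try and nobody is told; with a limit of 5 the run stops at 5 checked guesses and one lockout alert is recorded, which is exactly the signal a defender wants to see.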

Also, as Michael Rose writes at the Unofficial Apple Weblog, two-factor authentication does not protect your photos as well as you might think:

After installing the iCloud Control Panel for Windows (as seen above), I logged in with my iCloud credentials and checked off the options to synchronize bookmarks and photos with my new, never-before-seen PC. Within a few minutes, my photo stream photos downloaded neatly into the appropriate folders and my bookmarks showed up in my Windows-side browser, and nary a 2FA alert to be seen. I turned to my iCloud email account to wait for the obligatory ‘Your account was accessed from a new computer’ courtesy alert… which never arrived.

So while Apple claims there’s been no massive breach of iCloud, security vulnerabilities still exist within the platform that may have aided the attackers – or if not, may enable future attacks. Until Apple addresses these vulnerabilities, there are still reasons to be concerned.

There are also relatively simple steps all users can take to protect themselves: make sure your password isn’t “pa$$word” (yes, CNN did just tell millions of viewers that replacing the “s”s in “password” with dollar signs is a sound strategy), use two-factor authentication, and consider disabling “My Photo Stream.”