Apple has released an official statement in response to accusations that its iCloud storage system might be somehow behind the recent leak of a large number of nude or otherwise private celebrity photos, whose victims included Jennifer Lawrence. In the statement Apple denies any breach within its systems, but does concede that celebrity accounts were compromised by attackers using standard phishing techniques to guess user names, passwords and the answers to security questions.
Apple’s statement in full:
CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
The distinction Apple is making is clear – certain iCloud accounts may have been accessed, but not as a result of any systematic flaw in Apple’s security systems or cloud services. Instead, the techniques used to access the accounts in question were the same ones that make any online account vulnerable: researching a target’s biographical details to guess passwords and answers to security questions, and possibly running through multiple candidates until the right one is found.
Defenses against this kind of attack include, as Apple mentions, selecting strong passwords (such as those produced by random password generators) and enabling two-factor authentication, which is an option on iCloud. Users could also employ 1Password or another password management service, which makes it easier to use complex passwords not tied to biographical information and encourages regular rotation of login credentials.
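As an added illustration of the two sides of this problem (not code from Apple or from the article), the following script shows what the defensive advice above looks like in practice: it generates a random password of the kind a password manager would create, rejects a candidate password that is built from publicly researchable biographical details, and counts repeated failed logins per account and source so that a guessing run shows up in an authentication log. The user profile, the log format and the sample log lines are all constructed for this example and are not real data.

```python
import secrets
import string
from collections import defaultdict

# Constructed profile of a hypothetical user: the kind of details an attacker
# can research from public sources and feed into password guesses.
PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "birth_year": "1990",
    "pet_name": "Rex",
    "hometown": "Cupertino",
}

# Constructed authentication log in an invented format:
# "<timestamp> <FAIL|OK> account=<id> src=<ip>" (IPs from documentation ranges).
SAMPLE_LOG = [
    f"2014-09-01T10:00:{s:02d}Z FAIL account=jane.doe src=203.0.113.7"
    for s in range(1, 7)
] + [
    "2014-09-01T10:00:40Z OK account=jane.doe src=203.0.113.7",
    "2014-09-01T10:01:00Z FAIL account=bob src=198.51.100.4",
]


def generate_password(length=20):
    """Random password drawn with the OS CSPRNG, as a password manager would do."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_from_profile(password, profile):
    """Return the profile field whose value appears inside the password, or None."""
    lowered = password.lower()
    for field, value in profile.items():
        value = value.lower()
        # Ignore very short values (e.g. two-letter names) to avoid noisy matches.
        if len(value) >= 3 and value in lowered:
            return field
    return None


def password_acceptable(password, profile, min_length=12):
    """Policy check: long enough and not built from researchable personal details."""
    if len(password) < min_length:
        return False, "too short"
    field = derived_from_profile(password, profile)
    if field is not None:
        return False, f"contains profile value ({field})"
    return True, "ok"


def flag_guessing(log_lines, threshold=5):
    """Count failed logins per (account, source IP); return pairs at or over threshold.

    A long run of failures against one account is the signature of credential
    or security-question guessing and is where a lockout or alert belongs.
    """
    failures = defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[1] != "FAIL":
            continue
        account = fields[2].split("=", 1)[1]
        source = fields[3].split("=", 1)[1]
        failures[(account, source)] += 1
    return {key: count for key, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    print("generated:", generate_password())
    for candidate in ("JaneRex1990!", "short", "Tr0ub4dor&3-correct-horse"):
        print(candidate, "->", password_acceptable(candidate, PROFILE))
    print("flagged:", flag_guessing(SAMPLE_LOG))
```

The policy check is deliberately simple substring matching; a production system would also compare against breached-password lists and common transformations, but even this check rejects the password-from-biography pattern the article describes, and the failure counter is the minimum a service needs before it can rate-limit or lock an account under sustained guessing.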