Apple confirms accounts compromised but denies security breach


Apple has confirmed that some celebrities' iCloud accounts were broken into, but says it has found no evidence that this was caused by a breach of its security systems.


Instead, the firm suggests perpetrators carried out their thefts by deducing victims' log-in credentials.


The statement follows the online publication of intimate pictures of about 20 personalities.


Actress Jennifer Lawrence has confirmed a leaked topless photo of her was real.


There had been speculation that the images were obtained through a vulnerability in the software that lets users locate missing iPhones, because that software had allowed unlimited password guesses.


But Apple has indicated that this was not the case.


'We wanted to provide an update to our investigation into the theft of photos of certain celebrities,' said the firm in a statement.


'When we learned of the theft, we were outraged and immediately mobilised Apple's engineers to discover the source.


'Our customers' privacy and security are of utmost importance to us.


'After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.


'None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.'


The FBI said earlier that it was looking into the case.


Experts have raised concerns over the security of 'cloud' storage sites.


'It is important for celebrities and the general public to remember that images and data no longer just reside on the device that captured it,' said Ken Westin, security analyst at Tripwire.


'Although many cloud providers may encrypt the data communications between the device and the cloud, it does not mean that the image and data is encrypted when the data is at rest.


'If you can view the image in the cloud service, so can a hacker.'


Images of the celebrities were leaked on image posting website 4Chan.


The user posting them - who defined him or herself as a 'collector' rather than 'hacker' - said more images of different celebrities would soon be posted.


Copies of the images spread to other services, including Reddit, Imgur and Twitter, from which they were subsequently deleted by administrators.


While some of the celebrities said the images were fake, others have confirmed their authenticity.


Actress Mary Elizabeth Winstead posted on Twitter: 'To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.


'Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this.'


Winstead's comments would suggest iCloud was not at play, as pictures on Apple's service are only viewable online for 30 days.


Raj Samani from Intel Security said: 'Almost every service used online requires a password, and to ensure your passwords are secure, they must be complex.'


But more often than not, it is human weaknesses that give hackers the simplest route to compromising accounts.


'Phishing' people - meaning to trick them into giving up their password - is considered perhaps the simplest and most targeted way hackers gain access to accounts.

