The leaking of naked photographs of dozens of Hollywood celebrities, including Jennifer Lawrence, was not due to a breach of Apple’s iCloud and Find my iPhone services, the company has found.
Instead the leak, which saw intimate photographs posted on Reddit and Twitter after originally surfacing on the 4Chan forums, was blamed by Apple on a “very targeted attack on user names, passwords and security questions.”
This means that, rather than there being a flaw in Apple’s security, the accounts were accessed by hackers correctly guessing passwords and answers to security questions.
Apple’s full statement is as follows:
“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
Instead, hackers appear to have correctly guessed the answers to iCloud’s security questions - such as the account owners first car, or their mother’s maiden name. The victims may well have answered these questions correctly, making it easy for the hackers to gain access, providing the information is public information.