Apple denies iCloud/Find my iPhone breach, says ‘very targeted attack’ hit certain celebrities

Apple has responded to this week’s hacking of celebrity iCloud accounts, which resulted in the posting of private photographs. Here’s Apple’s statement in full:

CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Apple says that it conducted an investigation for more than 40 hours, and denies that iCloud or Find my iPhone was actually breached. Apple is presenting this as a very targeted username, password, and security questions hack on “certain celebrity accounts.” Apple recommends that users utilize the 2-step verification service for Apple IDs/iCloud. The company also says it is continuing to work with law enforcement on finding the hackers involved.

Comments

  1. coolfactor - 10 years ago

    They were “outraged”? I don’t ever recall Apple responding with such emotion before.

    • yourwurstnightmare - 10 years ago

      public relations.

    • Even when people were committing suicide building their phones

      • TechSHIZZLE.com - 10 years ago

        Nor did we hear “outraged” from Microsoft, Google, Samsung, HTC, or any other company when these people were committing suicide building Windows Phones and Android phones.

        Or when they were building any of the hundreds of other consumer electronics that Foxconn builds at their megafactories.

        So what’s your point?

      • standardpull - 10 years ago

        Hey, look. I get paid to bash Samsung competitors, $28 an hour. These days that’s mostly Apple. It isn’t personal. It’s just what I do – I make a good income. I get a special bonus when someone in the press quotes me.

        I admit it isn’t the highest form of employment, but it helps me pay off my debts and enjoy some of my unsavory habits.

        But please don’t take it as an attack on you.

        /sarcasm off/

    • It’s all about making themselves look good. If Apple responded with “We couldn’t give a s**t” it wouldn’t look or sound quite as good as “We were outraged”. I’m glad iCloud wasn’t compromised though since I’ve always said all along that there’s been nothing wrong with iCloud and the problems were to do with weak passwords. It seems my instinct was right and hopefully this whole ordeal won’t affect people’s opinions of Apple and iCloud.

    • Nick Jaquay - 10 years ago

      Apple projects a lot more emotion publicly since Tim Cook I feel. I don’t see it as a bad thing.

    • Computer_Whiz123 - 10 years ago

      Apple is very concerned about its users’ security (otherwise they’ll switch to the (even less secure) Android operating system).

  2. yourwurstnightmare - 10 years ago

    Still very bad timing for announcement of the most overhauled iPhone yet.

    • iSRS - 10 years ago

      Eh. It will blow over by then. Everyone will be like “new iPhone, take my money”

      • herb02135go - 10 years ago

        Apple just started World War 3?
        Who cares? Their new phone is so shiny! Lol

      • Edison Wrzosek - 10 years ago

        Herb, do everyone here a favour… Shove a Samsung Galaxy Mega down your throat and STHU already.

  3. Leonson Stapleton - 10 years ago

    They were “outraged”, of course I don’t blame them. If someone was saying something you developed and provide as a service was the source of all this. It’s easy to point fingers, and Apple is always the first one people point to when their product is involved.

    • Computer_Whiz123 - 10 years ago

      yes, but most people these days can’t be bothered about their passwords.

      dear internet,

      use https://howsecureismypassword.net to actually help you to create strong passwords that you can remember.

      sincerely,
      everyone who has ever gotten their account hacked

    • GQ (@giovanniqm) - 10 years ago

      If the photos were hacked from the iCloud service then Apple is to blame too. Even with a weak password, I can’t imagine they guessed it on the first try, and that many people, and deleted pictures too? It’s Apple’s fault as much as the users’, if you are going to upload all their information to your services, then protect them better.

      • Mike Knopp (@mknopp) - 10 years ago

        Granted after reading an article by Nik Cubrilovic about it I think that Apple is partially at fault in this, but your statement is like saying the locksmith is at fault if you leave the key to your house under the doormat and someone uses that key to break into your house.

      • Bryan Farnworth - 9 years ago

        I have to disagree with you GQ. Apparently you don’t know much about hacking. Hackers will do whatever they can to get in to any system and view/download sensitive data. Look at breaches in the past in the government. Was it the government’s fault? Not entirely. Don’t just blame Apple because the hackers don’t have a name or a face to put on them yet.

  4. André Hedegaard Petersen - 10 years ago

    “Outraged”?!?! Are you serious? There’s a war going on between Russia and Ukraine and THIS outrages Apple?

    Furthermore, if no breach of iCloud, Find my iPhone features, then why is Apple working with law enforcement to find the hackers? It has nothing to do with Apple and everything to do with celebrities being stupid enough to take naked photos and poor passwords.
    Let’s face it, you think most of the celebrities have a university education? I rest my case.

    • WaveMedia (@WaveMedia) - 10 years ago

      Because they have resources that can be helpful to law enforcement and they’re committed to security and privacy. Why must everything be some kind of anterior motive when someone does something because they simply have the capacity to do it? Why must it always be because of some form of guilt?

      • WaveMedia (@WaveMedia) - 10 years ago

        Ulterior… damn auto correct! lol

      • herb02135go - 10 years ago

        The company says it had a commitment to privacy and security. It’s a statement, not a fact.
        I know this is a pro-Apple website, and you may even be a compensated poster, but let’s not suspend belief or critical thinking, OK?

      • Edison Wrzosek - 10 years ago

        Herb, you suspended any critical thinking the moment you learned how to walk. All you do is bash Apple. From the get-go this was an obvious weak username/password/question attack, and now it’s been confirmed.

        GTFO.

    • herb02135go - 10 years ago

      I think an Apple response could have been better.
      Outrage wasn’t the adjective I’d recommend. Maybe “concerned” is more appropriate.

      If Apple is going to issue a statement for any product failure, or suspected product failure, they will be busy.

      Remember: this is a side of the company that needs to be visible from time to time. Job justification.

      • TechSHIZZLE.com - 10 years ago

        No matter what adjective Apple uses, someone is going to whine about it.

    • Leonson Stapleton - 10 years ago

      They brought Apple into this so Apple is going to defend their reputation at whatever costs… Russia and Ukraine didn’t say we’re at war because of Apple.

    • Stephen Robinson (@xstex) - 10 years ago

      Why the hell would Apple comment on a war? By your logic I can’t be outraged by something bad in my life because people have it worse than me. Ugh.

      • André Hedegaard Petersen - 10 years ago

        About Russia & Ukraine, that was just an example to show perspective about what it takes to be really “outraged” about.
        Not that Apple should/or could involve itself in that war.

        To be outraged about a handful of celebrities is a little rich. Especially since the celebrities themselves are partly to blame.

      • standardpull - 10 years ago

        Visit our new blog, 9to5Kiev.com where we talk about the only thing you’re allowed to get angry about – the war between Russia and Ukraine.

      • spiralynth - 10 years ago

        >> André Hedegaard Petersen says:
        About Russia & Ukraine, that was just an example to show perspective about what it takes to be really “outraged” about.

        In case you didn’t see “the memo”, the following are the proper emotions one should experience:

        – Insult: offended
        – Samdung trolls on Apple sites: annoyed
        – Fired from job: mad
        – Punched in the face: furious
        – Theft of celebrity photos: outraged
        – War between Russia & Ukraine: infuriated

      • André Hedegaard Petersen - 10 years ago

        @Spiralynth,
        Thanks for the pointers. No, I didn’t get that memo, I got a different one.
        You know, one that differentiates between personalised attack vs. public attack on someone else.

        Outraged/insulted/offended at losing your job could happen.
        Outrage over someone else’s photo things is nonsense.

        I suspect Apple were “outraged” because they felt wrongly accused.

    • icrew - 10 years ago

      I think the non-consensual sexual violation of 100+ people is entirely worthy of outrage by any reasonable person or company.

      • André Hedegaard Petersen - 10 years ago

        Violation? We’re talking about pictures here, not anything physical.
        And could help exposure of some of the lesser known celebrities into the consciousness of people.

      • icrew - 10 years ago

        Wouldn’t you feel violated if sexually-explicit pictures of you, or your significant other, or of your child were posted online for millions of people to gawk at? Celebrities are people too, entitled to just as much an expectation of privacy as the rest of us.

        And yes, violation and abuse can most definitely be non-physical. (Can’t believe that I actually have to explain that in this day and age. Sigh.)

      • André Hedegaard Petersen - 10 years ago

        @icrew, I think Apple should be outraged, that people pointed fingers at them. Apple should feel violated in this regard.
        Celebrities that show tits on screen is ok, but a naked photo is a massive hype?
        I think the problem is how they use their phones to take such pictures.
        And how are they abused exactly? No-one laid a finger on them.
        They should learn like Paris Hilton, suck it up, accept it for what it is and move on.
        Either that or don’t take such pictures. Not their fault directly of course, but they do play a role in this.
        Especially since they know they’re celebrities, they should take more precautions.
        Far more important things in the world than to see Jennifer Lawrence nipples.

    • lycius84 - 10 years ago

      They provided an update on something that was thought to be their problem. I don’t remember or care whose agent it was that mentioned Apple in this mess and claimed it was from their services. Apple would feel outraged someone would try to hack or abuse their service to steal private info stored at their servers and started to investigate. I can honestly say Apple could care less who the celebrity was. The issue here is, the public has blamed Apple, the pressure was put on them and data was stolen from them.

      No clue why you would want to compare this to the Ukraine & Russia issues.

      • herb02135go - 10 years ago

        Most of the public would lay the blame on morons who upload naked photos.

        Apple is responding to control the story. But as mentioned, it’s truth by weasel.

    • Bryan Farnworth - 9 years ago

      agreed!

  5. icrew - 10 years ago

    Hopefully this will prompt Apple (and other vendors) to change two-factor-authentication from opt-in to opt-out (with nice big warnings about why opting out is a bad idea…)

    • standardpull - 10 years ago

      I love 2-factor, but forcing it on people is dumb.

      Regardless, with all the crazy compromises reported over the past year, anyone that has failed to heed good practice has failed.

      • icrew - 10 years ago

        I’m not saying force it on people, just make it on-by-default.

  6. tupacscousinmark - 10 years ago

    Thank you Tim (pbuh) for your dedication and resolve in proving this wasn’t iCloud.

  7. hellcatm - 10 years ago

    Apple denies. They denied antenna gate when it first happened, they a lot of things. You know Apple is lying when someone who works at Apple opens his/her mouth.

    • Edison Wrzosek - 10 years ago

      And your proof of this is?

      *crickets*

      This is Tim Cook’s Apple now, and things have changed quite a bit. Don’t make asinine comments about crap you have no clue about!

  8. Federico Natali - 10 years ago

    It’s a classical corporate statement: it lies by telling the truth

    They say that some accounts have been compromised but that iCloud or Find My iPhone had not been breached.
    That’s technically true, the system has not been breached because the attackers found the password by brute force. But that was possible because Apple forgot to implement a simple security measure like locking accounts after a number of failed tries. That is what made the brute force attack possible.

    They suggest to enable two-step verification but, according to Apple’s support page, two-step verification protects from account information changes and would not have prevented the pics theft.

    This statement is almost an admission of being guilty, it would have been very different if they had been clear of blame

  9. Taste_of_Apple - 10 years ago

    They replied relatively quick (compared to past incidents)…seems like it’s very critical they try to be as transparent as possible here. They need to ensure iCloud is secure and work endlessly to maintain that security before users lose trust in it. Especially, if they plan on utilizing credit card information for a payment system.

    • herb02135go - 10 years ago

      They are weaseling.
      But if the company can’t secure nude photos of b-list actresses, it can’t secure something of real value.

      Kudos to those who exposed the breach.

      • Computer_Whiz123 - 10 years ago

        For your information, it wasn’t iCloud’s security that caused the breach.

        Little more was to blame than sucky passwords, easy-to-guess security questions and cameras being on when they shouldn’t.

      • Federico Natali - 10 years ago

        I don’t know why I’m not able to reply to Computer_Whiz123 so I’ll reply here:

        Yes it was iCloud’s security that caused the data theft: if Apple had implemented some limitation on password guesses all of this wouldn’t have happened, and this kind of protection from brute force attacks is quite basic

      • herb02135go - 10 years ago

        Apple has some ‘splainin’ to do, as Ricky Ricardo used to say.

      • bb1111116 - 10 years ago

        The evidence for a brute force attack is not certain. As stated in a comment on The Verge;
        – “The age of the photos, the filenames, the EXIF, the different services that were used, the different phones evident, what we know about illegal photo trading, etc., all point to standard phishing attacks over a number of years. Nevermind that there’s simply no way for a brute force attack of this nature, over the network, to have anywhere near this sort of success in 2 days.”

  10. michaeloftroy - 10 years ago

    This sounds like an engineer wrote it and a PR intern approved it.

  11. Andrew Maloney - 10 years ago

    I don’t know everyone if jumping to Apple’s defence saying they are not at fault here. I’d hope the security hole wasn’t as simple as correctly answering the security questions, which are for the most part one word answers. If this is the case then they significantly reduced the ‘scope of attack’ to common words and names in particular.

    Apple even say it right there in their statement it was an attack on username, passwords and security questions. I suspect perhaps there may have been an unlimited number of attempts to guess answers to security questions.

  12. optech - 10 years ago

    One of the important factors (pun intended) here is the fact that Apple’s 2-factor authentication does not provide proper protection as outlined here: http://arstechnica.com/security/2013/05/icloud-users-take-note-apple-two-step-protection-wont-protect-your-data/ and here: http://www.economitech.com/2014/09/apple2step.html.

  13. anon - 10 years ago

    I believe Apple’s claim is false. What means would the hacker have to identify what email address was associated with the “targeted” victims? It could have been anything ranging from jlaw@gmail.com to donthackmebro@somerandomdomain.com.