
Tim Cook addresses iCloud photos hacking, says major security improvements coming soon

Apple CEO Tim Cook has finally taken the iCloud leaked photos situation into his own hands. Cook today sat down with The Wall Street Journal for an interview regarding the breach, and the Apple executive shared details on key security improvements coming soon to iCloud. Cook first addressed what happened, confirming our own theories.

In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company’s servers… “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

He then described which improvements are coming:

  • “Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.” “Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account, or alerting Apple’s security team.”
  • “As part of the next version of its iOS mobile-operating system, due out later this month, [two-factor authentication] will also cover access to iCloud accounts from a mobile device. Apple said a majority of users don’t use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS.”
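The two announced changes amount to a simple event rule: keep a record of the devices that have already used an account, and notify the owner when a password change is requested, when iCloud data is restored to a device not in that record, or when a device signs in for the first time. The following Python is an added illustration of that rule, not Apple’s code or the WSJ’s description; the account names, device IDs and event list are constructed, and a real system would only mark a device as known after the user confirmed the notification. The same per-account device record is what several commenters below propose as “registered devices”.

```python
"""Added example: deciding which account events deserve a user notification.

Not Apple's code. Models the three alert triggers from the article:
password change, restore to a new device, first sign-in from a device.
All accounts, device IDs and events below are constructed sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

# Event kinds the article says should trigger an email / push notification.
PASSWORD_CHANGE = "password_change"
RESTORE = "restore"
SIGN_IN = "sign_in"


class AccountMonitor:
    """Tracks which devices have been seen per account and emits alerts."""

    def __init__(self) -> None:
        # account -> set of device identifiers that have used it before
        self.known_devices: Dict[str, Set[str]] = {}

    def observe(self, account: str, kind: str, device: str) -> Optional[str]:
        """Return the alert text for this event, or None if no alert is due."""
        seen = self.known_devices.setdefault(account, set())
        alert = None
        if kind == PASSWORD_CHANGE:
            # Always alert: the owner can retake control if it wasn't them.
            alert = f"{account}: password change requested from device {device}"
        elif kind == RESTORE and device not in seen:
            alert = f"{account}: iCloud data restored to new device {device}"
        elif kind == SIGN_IN and device not in seen:
            alert = f"{account}: first sign-in from device {device}"
        # Record the device. A production system would defer this until the
        # user confirmed the alert, so an attacker cannot "pre-register".
        seen.add(device)
        return alert


def alerts_for(events: List[Tuple[str, str, str]]) -> List[str]:
    """Run a sequence of (account, kind, device) events; return alerts fired."""
    monitor = AccountMonitor()
    fired = []
    for account, kind, device in events:
        alert = monitor.observe(account, kind, device)
        if alert is not None:
            fired.append(alert)
    return fired


# Constructed sample stream: a known device, a repeat sign-in, a password
# change, a restore onto a never-seen iPad, and a second account's first login.
SAMPLE_EVENTS = [
    ("alice", SIGN_IN, "iphone-1"),
    ("alice", SIGN_IN, "iphone-1"),          # repeat: no alert
    ("alice", PASSWORD_CHANGE, "iphone-1"),
    ("alice", RESTORE, "ipad-9"),
    ("bob", SIGN_IN, "mac-2"),
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

The repeat sign-in from `iphone-1` produces nothing, which is the point of the device record: only the first use of a device, and any password change at all, reaches the owner, so the notification stays rare enough that people read it.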

Cook’s interview and announcement of new security features is a stark contrast from the Apple statement earlier this week that effectively just denies any responsibility and pushes blame onto a “common” occurrence on the internet. As a major company, Apple has the responsibility to take care of its customers (even celebrities) and innovate in the security space. Even with his big event coming up next week, Cook has realized this and has begun executing an actual roadmap of improvements.


You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day.

Comments

  1. jedwards87 - 10 years ago

    Good. Glad to see Apple take responsibility and step up security.

  2. Max Mars (@devianter) - 10 years ago

    Basically it goes like this
    1) If you’re famous – don’t make “111111” or “love” passwords and don’t make your security questions “mother?” “father” or “dog’s name” [like it’s difficult to discover that sort of thing] (I actually encountered such stupid passwords and questions/answers)
    2) If you’re not famous – well, continue doing what you’re doing. Nobody wants to see your ugly kids anyway.

  3. lkernan - 10 years ago

    Apple needs to improve its two-factor to be less cumbersome.
    After using two-factor from Google, Microsoft and Apple, the others are a breeze to set up and use compared to the Apple one.

  4. Rimtas Kentas - 10 years ago

    Hmmm, there are plenty of countries that are not supported for iCloud two-step verification… shame…

  5. Steve Lawrence - 10 years ago

    This stuff is overdue. I have 2-step authentication set up on my iCloud account, and I was surprised that when I bought a new iPad recently and set it up I was not challenged via 2-factor authentication at all. How does this give confidence that your account is only being accessed by you?

    • Jassi Sikand - 10 years ago

      Because when any new iOS device is set up, Apple sends you an email about that

      • Steve Lawrence - 10 years ago

        If you’ve setup 2-factor authentication, it should make you authenticate. End of. What use is an email that I check maybe hours later if the account has already been compromised?

      • Jassi Sikand - 10 years ago

        That makes no sense. You check email hours later? That’s your problem. Check email from Apple immediately. Problem solved. No need for authentication for device activation. You can set up iCloud later if you want. iCloud itself should have two-factor authentication upon request, but email satisfies me since they literally send it immediately. What situation can you be in where you can’t check email within 30 min.?

      • borntofeel - 10 years ago

        Come on, stop telling BS. An email is not enough, period.

      • Andrew Maloney - 10 years ago

        @Jassi

        WTF? It’s the consumer’s fault for checking their email hours later for a breach they had no idea of? Please explain your logic.

      • Steve Lawrence - 10 years ago

        What about when I’m asleep? Idiot.

      • PMZanetti - 10 years ago

        What is the big deal of requiring 2-factor authentication for big things that you don’t do very often? i.e. Activating a new iOS device? Seems like it should have been this way already.

      • francoborgo - 10 years ago

        Maybe because you are on the same IP as your other device, it does not need to ask more. That’s how most banks in Canada work: if you log in to your account from another IP then you will be asked for more proof that you are who you say you are; otherwise, just the password is enough

    • mechanic50 - 10 years ago

      Obviously you have no clue how 2-step ID works. You can add all the devices you want but you won’t be challenged with 2-step ID until you try to purchase something with that new device or if you make changes to your Apple ID like changing a password like a criminal would do. It has nothing to do with adding the device and only to do with purchasing from that new device.

      • mechanic50 - 10 years ago

        Here I will help you understand. This is directly from Apple’s Apple ID page:

        What is two-step verification for Apple ID?

        Two-step verification is an additional security feature for your Apple ID that’s designed to prevent anyone from accessing or using your account, even if they know your password.

        It requires you to verify your identity using one of your devices before you can take any of these actions:

        Sign in to My Apple ID to manage your account
        Make an iTunes, App Store, or iBooks Store purchase from a new device
        Get Apple ID related support from Apple

  6. chasinvictoria - 10 years ago

    I don’t at all get where the writer thinks Apple’s previous statement “denies any responsibility and pushes blame onto a ‘common’ occurrence on the internet.” The company absolutely did no such thing. It noted that there was no breach of iCloud servers (fact) and noted that the actual cause — hacking passwords of targeted individuals — is a common occurrence (also a fact — ever heard of News of the World?). The statement then *went on* to mention that Apple conducted a thorough investigation of the incident — hardly what I’d call “denying any responsibility.”

    I should also mention that Apple has a *way* better track record of (lack of) breaches than pretty much any other service one could care to name, and was encrypting iCloud information from the get-go (both in transit and on the server). Security is, was and continues to be a priority with the company. About the only thing I can honestly criticize Apple over in this scandal is not making two-factor mandatory for those who have an iOS device. Had that been done, some of the harm (since not all of the pictures came from Apple users, as we’ve learned) might have been avoided.

    You guys are pretty good at doing news, but your editorializing is pretty off the mark. Stick to your strengths next time, hey?

    • krismortensen - 10 years ago

      I think the 9to5 guys tend to do a pretty good job and this article is 75% quotes. Apple’s initial statement was purposely vague and dismissive for good reason; Apple needed to buy time to thoroughly investigate while addressing an issue that the community all grabbed their pitchforks for.

      Yes, Apple needs to beef up security and this drilled that point home, and that’s what Tim Cook is doing while addressing it in a more personal and thorough manner than a heavily lawyer-ized public statement.

      Also, this article straight up debunks the “iCloud is encrypted” statement: http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/

      I’m pretty sure Apple knew what it needed to do the minute this whole thing went down and possibly before then. However, with a company as big as it is and with so much at stake, I don’t think it’s reasonable to expect them to just be able to flip a switch and make all these changes – if that were the case I’m sure these issues would’ve been done long ago.

      They made a mistake, dealt with the legal side of things, and are now addressing the issue head on, and rolling out all of these new implementations within 3 weeks. For a customer base as big as theirs, that’s pretty big.

      • John (@icposse2k) - 10 years ago

        Not disagreeing with you, but that mashable article about hacking her own icloud account seemed a bit fabricated.

        She claimed to use a brute force method to hack her password but didn’t give any details about how she’d done it. Given that the Find My iPhone API vulnerability was patched before she wrote the article, she either has discovered a new, unknown vulnerability in iCloud or embellished her claims a bit. I’m guessing the latter. She used a very easy to guess password and then pretended to try cracking it with a very short list of easy to guess passwords that just happened to include her own. Bc I’m pretty sure right now you get frozen if you guess the wrong password more than 10 times. The rest of her article was good, but she implies that there is still a brute force vulnerability left on iCloud which, if true, she should disclose to Apple.

        I’m guessing it’s not there though, bc she didn’t even mention it as one of the things Apple should do to improve security at the end of the article.

    • herb02135go - 10 years ago

      Apple is totally walking back what it said earlier.
      If what the company said earlier had traction (and credibility) it wouldn’t have to trot its CEO out in front of major media just days before a product announcement.

      I’m not going into details but I get paid to do the work that Apple is trying to do – and failing at.

      No wonder its stock price is falling.

      • Jassi Sikand - 10 years ago

        How so? It IS those celebrities’ fault for having weak passwords. These types of hacks ARE a common occurrence. 2-factor authentication had nothing to do with this hack. iCloud itself wasn’t breached – users’ passwords were. Not to mention that this article does a hack job at editorializing. We don’t even know how the hack actually occurred. Brute force should’ve been fixed, true, but it was patched quickly after discovery. As for your complaint about emails, most companies do not send emails when the attempt itself is made – they usually send emails after the password has been changed, depending on the password-change system they have in place. I already received emails when my password was changed or when devices were added. The only thing they truly added was iCloud restore notifications and 2-factor for iCloud itself.

      • papakoolaid - 10 years ago

        You’re wrong. They are not walking back, they are saying “What more can be done to help people make common sense decisions?”.

      • PMZanetti - 10 years ago

        You clearly don’t get paid for anything of value…in the real world, people who lack so much common sense don’t ever achieve high pay grades.

        1. Initial Statement: Nothing was hacked, we’re looking in to it.

        2. Followup Statement: Nothing was hacked. Where there is a will, there’s a way. But what we can do is expand the usage of 2-factor authentication…..so we’re going to. Case closed.

      • Well, it looks like you have no knowledge of being a CEO so why do you even comment?

      • flaviosuave - 10 years ago

        As an Apple shareholder, I certainly hope Apple stock “falls” as much next year as it did this year. You’re a clown.

  7. dumasrocks - 10 years ago

    LOL.. really?!? I guess you are the same morons that would blame the razor manufacturer for your child choking down that razor… whaaaat?

    Get a clue.. Apple did nothing wrong. They are being the socially responsible citizens they have proven to be over and over again, by taking responsibility for our stupidity. That’s right, I clump myself into that group. I get complacent and lazy and expect someone to automatically know what I want and need and do exactly that.. I allow the continued dumbing down of society by our gov’t and big business to affect me too.. you can see it in my excuses on occasion… such as.. “well.. what can I do about it?”, “it should just work”, “dammit they want me to have a password that isn’t related to anything about me, has at least two capitals, two lower case letters, one number and a “special” character that is anything but a . or , or ` or…” wtf?!?!?

    Yea… you know what I’m talking about… you get pissed every time… you have to change a password (oh yea and it can’t be one you previously used), they make you add security questions, provide two-factor authentication and so on… WHY do we get pissed? Well…. frankly…. because we are f*cking lazy asses… that’s why. Then we blame Apple for our lack of attention to detail… so suck it up and stfu about your lazy ass bullshit….

    Oh yea… and you lucky 1% to be put on a pedestal by the other 98% of mindless idiots that don’t get you are just people… to you I say… if you don’t want the world to know about it or see it… DON’T PUT IT ON ANY COMPUTER OR DEVICE THAT CONNECTS TO ANOTHER COMPUTER OR DEVICE.

    In case you were all wondering… There is NO SUCH THING AS A 100% SECURE SYSTEM. Not even one that doesn’t connect to a network… why? Are you locking it in an impenetrable vault and using your own proprietary code with very strong encryption and passwords? Oh well.. wouldn’t matter anyway.. If someone wants in, they are getting in. You are NOT the smartest person in the world (as evidenced by your moronic statements below and you deserve all the crap you get because of it…just saying.)

  8. giskardian - 10 years ago

    I think the two factor authentication is a bit of a distraction. The problem, which Apple immediately patched, was an iCloud backdoor that enabled brute force password attacks with a tool known as “iBrute”. Reportedly, some of the celebs accounts were breached when people acquired their user names and ran them in iBrute with a top 100 list of leaked passwords.

    1. The celebs chose bad passwords, along with 80% of other iCloud users.

    2. The pirates shouldn’t have hacked into the accounts.

    3. Apple should have guarded against brute force password attacks.

    Apple deserves a lot of blame here since of all the involved parties, they are the ones who should know better, and also the ones with the most at stake. Props to them for owning up to their mistake – mostly. Cook still mostly blames the celebs’ “awareness”. But then he goes on to list upcoming improvements, which are an implicit recognition that Apple didn’t do enough to ensure security. This is the most we can expect from a CEO, and it should put this issue to rest.

    Cook is also right about the need to educate users on passwords and security. People also need to know that no matter what password and authentication method you choose, do NOT put sensitive material in “the cloud”. Nobody should trust a cloud any further than they can throw one.

    • krismortensen - 10 years ago

      Spot on and well said. I think too many people forget that for a company as big as Apple, who like all of us will make mistakes, things take longer to fix and implement appropriately. The key takeaway is that after the initial (and I’m sure very heavily reviewed by lawyers and damage control team) statement by Apple, they’re owning up to fault while also acknowledging that we all need to be smart and safe about what content we put out there.

      I think a lot of things are at fault in this whole debacle: Apple’s security issues, weak passwords, hackers being hackers, etc. It’s a culmination of factors, not just one.

    • herb02135go - 10 years ago

      He says Apple will start sending emails when a password is changed??

      APPLE MUST BE THE ONLY COMPANY THAT IS NOT DOING THAT ALREADY!

      Heads need to roll at Apple’s corporate communications shop.

      “It’s not our fault. Oh wait, we f#4 ked up and blamed the customer. But it’s not our fault!”

      • geuseppi - 10 years ago

        That is odd that he said that. I have been getting an email whenever changes like that were made to my Apple ID for at least a year or so.

      • o0smoothies0o - 10 years ago

        I’ve gotten many passwords regarding changes I made to my account. I know for a fact they’ve sent me password and security key change emails…

      • BenRadUK - 10 years ago

        They’ve always sent emails to notify of changes to your account. The new feature will be the push notifications to devices to confirm or even pro-actively change your account password…or contact Apple security. It’s a good addition to the already existing email notification in my opinion.

      • You have completely no knowledge and your statements are flat. GTFO!

    • musclecarlover07 - 10 years ago

      I’m sorry but I have to disagree with some of what you said. It was not in any way Apple’s fault the celebrities had their accounts hacked into. It’s their own fault for not using good practice when it comes to choosing passwords. Also it was the security questions that were the problem. AGAIN NOT APPLE’S FAULT. I can’t help it if some moron wants to use their birthdate or their mom’s name etc. as their answer. They deserve to be hacked.

      “2. The pirates shouldn’t have hacked into the accounts.” This was an idiotic statement. That will always happen. IF someone can they will. A waste that was.

      Two-factor authentication is a distraction? Are you serious, dude? It works if done properly. Anytime you want to secure something you use 2+ methods. For example password AND fingerprint reader. Makes it that much harder to hack into.

      Cook is right to blame the celebrities. He should put ALL the blame on them. Apple is secure and takes it seriously compared to other companies. Unlike Google, where Android’s Sundar Pichai said that he didn’t care about security, they wanted a customizable device and that if he worked with a company that made malware he would target Android. What does that say about Android’s stance on security? So Apple is rolling out some new features; that’s awesome, but again they aren’t to blame. Also some experts say not all the pictures came from iCloud.

      • Andrew Maloney - 10 years ago

        You’re 100% right, idiot.

        It’s the celebs’ fault for choosing passwords that can be brute force attacked. How dare they choose a password with even the remotest possibility of remembering it.

      • taoprophet420 - 10 years ago

        Auto generate passwords and have your device remember it.

    • Kawaii Gardiner - 10 years ago

      That is what surprised me – most websites either lock you out permanently after three failed attempts (and you have to ring up to get it unlocked) or lock you out for 15 minutes after three failed attempts. Personally, the biggest problem is that although Apple has tightened up its password requirements, existing passwords are still valid, and until Apple forces end users to use a stronger password the older, less secure ones will remain.
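The temporary lockout this comment describes is the standard defence against online password guessing, and it has one detail worth getting right: while the account is locked, even the correct password must be rejected, otherwise the lock leaks whether a guess was right. The Python below is an added illustration of that policy and is not Apple’s code or any real service’s implementation; the three-failure threshold and 15-minute lock come from the comment, and the timestamps are passed in explicitly (constructed values) so the behaviour can be checked without waiting.

```python
"""Added example: temporary account lockout after repeated failed sign-ins.

Not Apple's code. Policy modelled from the comment above: three consecutive
failures lock the account for 15 minutes; a successful sign-in resets the
counter. Clock values are supplied by the caller so the logic is testable.
"""
from collections import defaultdict
from typing import Dict, List

MAX_FAILURES = 3            # consecutive failures allowed before locking
LOCKOUT_SECONDS = 15 * 60   # 15-minute temporary lock (not permanent)


class LoginThrottle:
    """Per-account failure counter with a time-based lockout."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)   # account -> count
        self.locked_until: Dict[str, float] = {}           # account -> expiry

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Process one sign-in attempt; return 'ok', 'denied' or 'locked'.

        The lock is keyed by account rather than source IP, so spreading
        guesses across many addresses does not bypass it. The cost is that
        an attacker can lock a victim out, which is why the lock is short.
        """
        if self.is_locked(account, now):
            # Refuse without evaluating the password: a locked account must
            # not reveal whether this particular guess was correct.
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "denied"


def simulate() -> List[str]:
    """Constructed scenario: three bad guesses, then the real password."""
    throttle = LoginThrottle()
    script = [
        ("alice", False, 0),        # wrong
        ("alice", False, 1),        # wrong
        ("alice", False, 2),        # wrong -> lock until t = 902
        ("alice", True, 3),         # correct password, but still locked
        ("alice", True, 901),       # one second before expiry: still locked
        ("alice", True, 902),       # lock expired: accepted
    ]
    return [throttle.attempt(acct, ok, t) for acct, ok, t in script]


if __name__ == "__main__":
    print(simulate())
```

The fourth step is the one that matters: the correct password is refused at t=3 because the lock is checked before the credential, so an attacker who happens to guess right on the fourth try learns nothing from the response. A related subtlety shown by the sixth step is that the lock expires on its own; a permanent lock (the other policy the comment mentions) trades that convenience for a standing denial-of-service risk against any account whose username is public.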

  9. pedrotaquelim - 10 years ago

    “Cook’s interview and announcement of new security features is a stark contrast from the Apple statement earlier this week”

    “In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company’s servers…When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

    Stark contrast? Where?

  10. This summary of the WSJ piece is terrible. The quotes are poorly formatted and almost impossible to tease out of the “post”, and the facts remain convoluted and distant even after reading 9to5mac. If you’re going to repost someone’s original content, at least add some value. This is brutal.

  11. Jerry Donel - 10 years ago

    Since when is it acceptable for a big-time company like Apple to BLAME THE CUSTOMER, and claim that the problem is an “awareness thing”?? Talk about BULL! Why should customers pay high prices for Apple products and services that do not work to protect the customer? Where is the “security improvement” in that?

    • So I guess you’re the kind of guy who would blame the lock company because someone found the key to your front door that you left under the plant on your porch.

    • Jason Brusa - 10 years ago

      They do work to protect the consumer.

      Nothing was hacked or broken into.

      Guessing the poor selection of passwords and social engineering was the method used for this intrusion.

  12. Brent Cotton - 10 years ago

    Apple’s not responsible for the leaks, but I love how Cook comes to the table with an actual action plan and isn’t shying away from saying they can do things better, and Apple can be a leader. Good on Cook, good on Apple.

  13. Jason Brusa - 10 years ago

    And here comes the other side of the coin…

    Now people will complain that there is too much to do to sign in and restore and access content etc etc. Do you know the number of people that piss and moan about the security change that was made for Apple ID passwords? (requires 8 characters, a capital letter, lower case letter and number). It is a VERY large number.

    Do I use two step authentication? you bet your arse I do… But I am technically skilled. The greater portion of people out there using devices are not interested in increased security if it makes them take extra steps to achieve it.

    Make my information completely safe, but don’t require me to do anything to keep it that way.

    All companies attempt to find the perfect mix of protection and ease of use. The easier it is to use, the less secure. Bottom line.

    • Andrew Maloney - 10 years ago

      Do you play any online games? There are many that require you to authenticate them with a verification email when logging in from a different location. Why is a feature like this not already in place with Apple? Attempting to access your iCloud with a new device, please verify with your email. It’s not rocket science and protects users, even those that are subjects of phishing scams.

      • geuseppi - 10 years ago

        I agree, the point I was trying to make is that people will complain about having more steps to take to be secure.

  14. taoprophet420 - 10 years ago

    Apple didn’t back track.

    Wonder how many millions the brute force password hacks saved Home Depot this week. Really, people are totally ignoring more stolen credit cards and focusing on poor password management.

    The password thing isn’t an Apple problem it is a society and pretty much global internet problem. All tech companies need to push for 2 factor verification and stronger passwords and the old security questions need to go.

    Target, Home Depot getting hacked is a much more serious threat. The victims at those stores are innocent. Leaked nude pics are just naive people.

  15. Andrew Maloney - 10 years ago

    All in all, it’s still not enough.

    I don’t find much time for it anymore, but back in the day at Uni I played a plethora of online games and have seen how they address security issues evolve over the years.

    The most recent game I looked at was Path of Exile and, quite frustratingly, it asked me to put in a verification code every time I took my laptop to my friend’s house to play it. After retrieving the code from my email I was then able to log in and access the game. The frustrating part was the process would be repeated when I got home… logging in from a new location, please verify again.

    Now change out ‘locations’ for ‘devices’ and you have a near flawless security system that requires both the email address and the iCloud account to be hacked (or have a common password which you’d hope they don’t). Checking the accessing devices ID wouldn’t be too hard, especially given each has a unique IMEI and/or MAC address.

    This system has been used in online gaming for years, a marketplace where users have been subject to successful phishing attempts, protecting their accounts from being compromised.

    So are Apple responsible?

    If the breaches happened as a result of brute force attacks? Yes.
    If the breaches occurred as a result of phishing? Somewhat (they could have done better to prevent this).
    If the breaches occurred as a result of a lost or stolen phone or laptop with saved credentials and no PIN/password on the device? No.

    I’m pretty sure the photo leaks fit into one (or both) of the first two instances.

    And please Apple, even though I use none of your devices** and don’t have an iCloud account, put this same device level security in place. It is the right thing to do for your consumers.

    ** Actually I do have a Macbook, but the iOS partition was deleted when I bootcamped it.

  16. 89p13 - 10 years ago

    As someone said in an earlier article, let the customer choose their own questions and answers. Most of the “Security Challenge Questions” I’m presented with when setting up a password, on any system, are either too easy (Mother’s Maiden Name / City where you were born / Year you were born) to discern via internet searches or too obscure for me to remember (Your first grade teacher’s name / Your first phone number).

    This is not just Apple – It’s most of the on-line setups out there. The Systems Engineers should wake up and realize that we live in a very connected and published world. Simple challenge questions are so 30 years ago!

    • taoprophet420 - 10 years ago

      Why is Apple the only company speaking about this? Some of the photos were from Android devices so I doubt all the brute force password and phishing was done through iCloud.

      This is an industry problem, not just Apple. This is something every internet company needs to address. It’s something tech companies and even the government needs to bring public awareness to. Weak passwords and archaic security questions lead to these type of attacks.

      Why not have the requirement of having registered devices only being able to change passwords and having a list of authorized devices that can access your account.

      Also why not have an easily accessible list of logins made to your account and an email or notification when an unknown IP tried to access your account.

      iOS and OS X users should be forced into using or have the default option of using a password manager. Auto-suggested passwords need to become the norm. I don’t see why passwords and credit card details are an option in Safari settings and not privacy in iOS. Privacy should include passcode, passwords, auto fill and credit card info. It should also be right below general settings in the settings. This eliminates some of people’s ignorance and makes them more actively stay involved in their security.

  17. hydrovacing - 10 years ago

    Google has had that for at least five years. If their servers see suspicious activity on your account(s) it sends out an email asking you if you have recently tried to change your password.

    • taoprophet420 - 10 years ago

      Google also has a list of IP addresses that have been used to log in to your account, easy to access. There need to be standards set on passwords, login activity and the security around them.

  18. herb02135go - 10 years ago

    So a company that can’t secure celebrity photos wants to be a repository of health data?

    Smooth move, Apple.

  19. André Hedegaard Petersen - 10 years ago

    There he goes, using the word “outrage” in the interview.
    Is that really necessary? It’s so unnerving, there’s absolutely nothing to be outraged about since it wasn’t Apple’s fault.
    Apple execs, please, use appropriate language that fits the situation!