Apple: iCloud hack not to blame for leaked celebrity photos
Apple's iCloud service has been implicated in the leak of numerous private pictures of celebrities
Apple has denied an iCloud hack resulted in numerous personal photographs belonging to a slew of female celebrities being leaked online.
Earlier this week, news emerged that hundreds of private pictures belonging to female celebrities, including Hunger Games star Jennifer Lawrence and Spider-Man actress Kirsten Dunst, had been published on the Reddit and 4chan message boards.
It’s been claimed the photos were obtained by hackers who managed to infiltrate Apple’s online backup service iCloud using a tool called iBrute.
The tool allows hackers to repeatedly submit potential passwords to Apple’s Find My iPhone service login page until they uncover the correct one.
Once they are logged in, the hackers can then access data stored in the iCloud account belonging to the breached Apple ID.
As reported by our sister site IT Pro yesterday, Apple has now patched the security flaw that allowed the hackers to repeatedly test passwords without being locked out.
Speaking to the Associated Press news agency, a spokesperson for the FBI said it is “aware of the allegations” and is making moves to address them.
However, Apple has now released a statement declaring that none of the leaked photographs reached the public domain as a result of iCloud being breached.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet,” the statement reads.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud and Find my iPhone.
“We are continuing to work with law enforcement to help identify the criminals involved,” it concluded.
Even so, Eduard Meelhuysen, vice president for EMEA at security firm Netskope, said the case highlights why companies should be wary of letting employees store company data in iCloud.
“Apps like iCloud, which are predominantly aimed at consumers, are such an essential part of users' lives that blocking their use within a business environment isn’t really an option. But, as this breach shows, iCloud is far from infallible, and there are many questions around security that need to be addressed,” said Meelhuysen.
“To protect sensitive corporate data, organisations need to understand what data is being moved into iCloud and what users are doing with that content.
“Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours such as the upload of personal identifiable information or the sharing of sensitive content outside of the company. That way you can mitigate risk while enabling the use of cloud in your business,” he added.