Apple: iCloud hack not to blame for leaked celebrity photos


Apple has denied an iCloud hack resulted in numerous personal photographs belonging to a slew of female celebrities being leaked online.

Earlier this week, news emerged that hundreds of private pictures belonging to female celebrities, including Hunger Games star Jennifer Lawrence and Spider-Man actress Kirsten Dunst, had been published on the Reddit and 4chan message boards.

It’s been claimed the photos were obtained by hackers who managed to infiltrate Apple’s online backup service iCloud using a tool called iBrute.

This allows hackers to repeatedly submit potential passwords to Apple’s Find My iPhone service login page until they uncover the correct one.

Once the correct password has been found, the hackers can then access data stored in the iCloud account belonging to the breached Apple ID.

As reported by our sister site IT Pro yesterday, Apple has now patched the security flaw that allowed the hackers to repeatedly test passwords without being locked out.
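
The control whose absence is described above is a failed-login counter that is keyed to the account and shared by every login endpoint, so that guesses sent to one service count against the same limit as guesses sent to another. The sketch below is an added example, not Apple's code; the thresholds, endpoint names and account are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold, not from the article
WINDOW_SECONDS = 300   # assumed sliding window for counting failures
LOCKOUT_SECONDS = 900  # assumed lock duration

class LoginThrottle:
    """Failed-login counter keyed by account, shared by all endpoints."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time the lock expires

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        """Record an outcome; return True if this attempt locks the account."""
        if success:
            self.failures.pop(account, None)  # a good login resets the count
            return False
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False

def replay(events):
    """Replay (time, endpoint, account, password_ok) tuples; return decisions."""
    throttle = LoginThrottle()
    decisions = []
    for now, _endpoint, account, password_ok in events:
        if not throttle.allowed(account, now):
            decisions.append("rejected-locked")  # password is never evaluated
            continue
        throttle.record(account, password_ok, now)
        decisions.append("ok" if password_ok else "failed")
    return decisions

# Constructed events: guesses alternate between two hypothetical endpoints.
SAMPLE_EVENTS = [(t, "/web-login" if t % 2 else "/device-api",
                  "user@example.com", False) for t in range(1, 8)]
# A correct guess that arrives while the account is locked is still refused.
SAMPLE_EVENTS.append((8, "/device-api", "user@example.com", True))

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the counter ignores which endpoint received the attempt, the fifth failure locks the account even though no single endpoint saw five guesses.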

Speaking to the Associated Press news agency, a spokesperson for the FBI said it is “aware of the allegations” and making moves to address them.

However, Apple has now released a statement declaring that none of the leaked photographs entered the public domain as a result of a breach of iCloud.

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet,” the statement reads.

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud and Find my iPhone.

“We are continuing to work with law enforcement to help identify the criminals involved,” it concluded.

Even so, Eduard Meelhuysen, vice president for EMEA at security firm Netskope, said the case highlights why companies should be wary of letting employees store company data in iCloud.

“Apps like iCloud, which are predominantly aimed at consumers, are such an essential part of users' lives that blocking their use within a business environment isn’t really an option. But, as this breach shows, iCloud is far from infallible, and there are many questions around security that need to be addressed,” said Meelhuysen.

“To protect sensitive corporate data, organisations need to understand what data is being moved into iCloud and what users are doing with that content.

“Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours such as the upload of personal identifiable information or the sharing of sensitive content outside of the company. That way you can mitigate risk while enabling the use of cloud in your business,” he added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.