Apple: iCloud security has not been broken when stealing nude photos

Apple’s iCloud service hasn’t been cracked. The Cupertino company said so after it was rumored that vulnerabilities in the service had been used to steal nude photos of celebrities. It concerns an ‘attack with usernames, passwords and security questions’.

The Cupertino company has released a press release claiming that iCloud security has not been compromised. That rumor came after a large amount of nude photos of celebrities suddenly surfaced.

However, Apple confirms that unauthorized access to the accounts of the affected persons has been obtained. The perpetrators responsible for the theft of nude photos are said to have obtained passwords and usernames by focusing on answering security questions. According to Apple, this would have given them access to the accounts.

The FBI has launched an investigation into the theft of the photos. Apple says it is working with authorities to find the culprits. To prevent photo theft, the company recommends using two-step verification, which also requires an attacker to access a device such as a smartphone to log in.

Earlier this week, the 4chan website published nude photos of a large number of celebrities. The photos would have been obtained from iCloud, among others, and because reports came out about the same time about a method to retrieve passwords via brute force, it was quickly suggested that the photos would have been stolen that way.

Apple advises users to enable two-factor authentication to guard against these kinds of security vulnerabilities. That advice is striking: Last year a security researcher discovered that Apple’s protocol used for iCloud backups does not support two-factor authentication: an attacker could therefore retrieve those backups with only a password. There is even a tool on the market that automates this.