Apple investigating iCloud hack, starting by patching a major security flaw
Apple has responded to Re/code on the leak of hundreds of seemingly legitimate nude celebrity photos that surfaced on 4chan over the weekend. The photos, seemingly confirmed by at least two of the victims, are thought to have been obtained through Apple's cloud photo storage service, iCloud.
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked. — Mary E. Winstead (@M_E_Winstead) August 31, 2014
Thank you iCloud🍕💩 — Kirsten Dunst (@kirstendunst) September 1, 2014
In the brief statement, Apple noted that it takes the privacy of its users "very seriously" and that it would be "actively investigating" the situation. The company appears to have already quietly taken a few steps to patch vulnerabilities in its system. One, noted by the Next Web, is a hack called iBrute that takes advantage of flimsy security in Apple's Find My iPhone service. Notably, Apple's cloud login doesn't lock a user out after a certain number of password attempts, inviting brute-force attacks, in which automated programs crack a password by guessing repeatedly.
Beyond that shocking security lapse (most systems shut out users after just a few failed login attempts) is the fact that Apple has never aggressively promoted its own version of two-factor authentication for iCloud. Two-factor authentication requires a special freshly generated code, sent to a trusted device, in order for a user to log into a system from a new computer or mobile device.
It's probably the best protection the average user can hope for against these kinds of attacks. While Google has very actively promoted two-factor authentication in recent years, Apple doesn't publicize the powerful extra security step for its iCloud services.