Apple 'actively investigating' celebrity photo leaks for possible iCloud connection

Posted in iCloud, edited September 2014
Apple on Monday confirmed in a short statement that it is in the process of determining whether or not security breaches in its online services were responsible for the outing of hundreds of racy photos of celebrities, including actress Jennifer Lawrence and model Kate Upton, over the weekend.




"We take user privacy very seriously and are actively investigating this report," Apple representative Natalie Kerris told Re/code. The company has not made any further public comment.

Rumors of an iCloud security breach began circulating as soon as the first photos hit the web on Sunday, though there remains scant evidence to support the claims. The original poster of the images on web forum 4chan indicated that the shots had been collected from Apple's online service, but also admitted to having gathered the photos from others, making it unlikely that they are privy to the technical details of the leaks.

The fact that many of the celebrities were shown taking "selfies" with Android or Blackberry handsets cast even more doubt on iCloud's role. Other services, including Snapchat and Dropbox, have also been implicated at various times with similarly nonexistent levels of evidence.

Adding confusion to the mix was the Monday disclosure of a flaw in Apple's "Find my iPhone" service that could allow attackers to use brute force tactics against weak iCloud passwords when the login email address was known. Apple quickly patched that hole, and it is unclear what role, if any, it may have played in the leak.

Numerous previous leaks that had been initially attributed to "hacks" were later found to actually be the result of a combination of social engineering techniques and poor password management on the part of the victims, and those issues remain the most likely explanations for Sunday's release.
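The brute-force exposure described above is the kind of gap a per-account limit on failed logins closes. The sketch below is an added example, not Apple's fix or code from the article; the class, the endpoint names and the thresholds are assumptions chosen for illustration. The counter is keyed on the account alone, so a password-checking endpoint that was overlooked cannot be used to get around the limit enforced on the others.

```python
import time

class LoginThrottle:
    """Per-account failed-login limiter shared by every password-checking endpoint."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts   # failures allowed before any delay
        self.base_delay = base_delay         # first lock, doubled on each further failure
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}                     # account -> (failures, locked_until)

    @staticmethod
    def _key(account):
        # Normalise so "User@Example.com " and "user@example.com" share one counter.
        return account.strip().lower()

    def retry_after(self, account):
        """Seconds until another attempt will be evaluated (0 means allowed now)."""
        _, locked_until = self._state.get(self._key(account), (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record(self, account, success):
        key = self._key(account)
        if success:
            self._state.pop(key, None)       # a good login clears the counter
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = min(self.max_delay, self.base_delay * 2 ** over) if over >= 0 else 0.0
        self._state[key] = (failures, self.clock() + delay)

def attempt_login(throttle, verify, endpoint, account, password):
    """Gate a password check; `endpoint` is deliberately not part of the throttle key."""
    if throttle.retry_after(account) > 0:
        return "throttled"                   # the password is not even evaluated
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"

def simulate_guessing(guesses, real_password="correct horse battery staple"):
    """Constructed run: one guess per second at one account, alternating endpoints."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    verify = lambda acct, pw: pw == real_password
    results = []
    for i, guess in enumerate(guesses):
        endpoint = ("/login", "/device-locator")[i % 2]   # hypothetical endpoint names
        results.append(attempt_login(throttle, verify, endpoint,
                                     "victim@example.com", guess))
        now[0] += 1.0
    return results
```

With these settings a guesser gets five evaluated attempts, then one more after 30 seconds, one more after a further 60, and so on, regardless of which endpoint receives the request.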

Comments

  • Reply 1 of 210
    #1 rule - never have pictures of yourself naked on a phone, any phone or computer.
    #2 rule - never let anyone take your picture naked.

    follow these two simple rules.
  • Reply 2 of 210
    1) Why put up a 938KB "10314-2477-photosharing_hero-l.png"? Can't AI simply put an 80KB .jpg in the thread instead please?

    2) Bit late to the party on this story AI, already discussed in depth over here:
    http://forums.appleinsider.com/t/182037/apples-secret-iphone-6-digital-payment-system-said-to-also-include-visa-mastercard
    FYI, that was yesterday

    3) I didn't see any proof of a 5.5 incher in those pics¡
  • Reply 3 of 210
    Quote:
    Originally Posted by AppleInsider View Post

    [....]The original poster of the images on web forum 4chan indicated that the shots had been collected from Apple's online service, but also admitted to having gathered the photos from others, making it unlikely that they are privy to the technical details of the leaks.

    [....]

    The fact that many of the celebrities were shown taking "selfies" with Android or Blackberry handsets cast even more doubt on iCloud's role. Other services, including Snapchat and Dropbox, have also been implicated at various times with similarly nonexistent levels of evidence.

    [....]

    Adding confusion to the mix was the Monday disclosure of a flaw in Apple's "Find my iPhone" service that could allow attackers to use brute force tactics against weak iCloud passwords when the login email address was known. Apple quickly patched that hole, and it is unclear what role, if any, it may have played in the leak.

    [....]

    lots of people 'get' photos via email or MMS... although it's an exercise for the user to put them into your photo stream, it's a pretty minor effort to mine your apple email if I got your password by hook or by crook.  Or just hook up a phone to each of these accounts with the apple ID password, and latch onto the streams of information (notes, photo streams, etc).

     

     

    NB:

    I love the irony of people who get photographed at various levels of undress, and then take/get/store pictures of themselves in various levels of undress, and then claim foul when they feel their 'privacy' was impinged. (I know, the choice of what is published and what is personal is the very definition of privacy).  'Exposure' is their only fungible asset.

     

    Now Justin Verlander... what did Mickey Say "Lay off the Women... Women Weaken Legs!"  He got more than his fair share of exposure.

  • Reply 4 of 210
    Quote:

    Originally Posted by PhilBoogie View Post



    3) I didn't see any proof of a 5.5 incher in those pics¡

    No, but there were a couple of definite 'large diagonals' exposed.;-)

  • Reply 5 of 210
    bigpics Posts: 1,337 member
    Leaving anything you don't want seen in an online computer or repository with anything less than best practices (frequently changed LastPass passwords, two factor authentication, 256 bit AES encryption, e.g.) is an invitation to the "hackarazzis"...

    ...that said, sometimes I wonder about some of the photos that get leaked, i.e., I can see wannabe D-listers, somewhat there starlets who can't get press, and those finding themselves losing relevance, "Wow, look what leaks did for Paris Hilton and [insert relevant 15 minutes of fame and looking for more name here]...."

    ....and then kinda, sorta, maybe leaving some stuff where it practically begs to be picked up and published, and then getting in front of the media cameras all indignant (but lookin' good!) and upping their Q factor...
  • Reply 6 of 210
    solipsismx Posts: 19,566 member
    PhilBoogie wrote: »
    2) Bit late to the party on this story AI, already discussed in depth over here:
    http://forums.appleinsider.com/t/182037/apples-secret-iphone-6-digital-payment-system-said-to-also-include-visa-mastercard
    FYI, that was yesterday

    Yesterday was really just the celebrity stuff. Today is an actual article about Apple actively investigating the leak of photos that appear to have come from iCloud. The other tech sites are also only now reporting on Apple investigating how these accounts were breached.
  • Reply 7 of 210
    Quote:

    Originally Posted by bigpics View Post



    Leaving anything you don't want seen in an online computer or repository with anything less than best practices (frequently changed LastPass passwords, two factor authentication, 256 AES encryption, e.g.) is an invitation to the "hackarazzis"...



    ...that said, sometimes I wonder about some of the photos that get leaked, i.e., I can see wannabe D-listers, somewhat there starlets who can't get press, and those finding themselves losing relevance, "Wow, look what leaks did for Paris Hilton and [insert relevant 15 minutes of fame and looking for more name here]...."



    ....and then kinda, sorta, maybe leaving some stuff where it practically begs to be picked up and published, and then getting in front of the media cameras all indignant (but lookin' good!) and upping their Q factor...

    agreed.  on all points.

     

    I did bring up adding the TouchID /secure enclave to all Macs (I wonder if it's possible without the ARM chip), thus making apple's iCloud access fully 2 factor from all Apple-Sold vantage points (would require an iPod Touch with touchID, and maybe a TouchID on your AppleTV remote... but I digress....).

     

    The fact that Apple's site would allow for infinite tries made me feel this was a targeted attack on individuals, probably seeding passwords captures through other means, and then doing brute force if no hits.

  • Reply 8 of 210

    Hmm. I assume the person in charge of the 'active investigation' has to take a proper inventory of all the compromising data on iCloud, so as to have an accurate sense of what proportion was hacked/compromised, no?

     

    Nice job....

  • Reply 9 of 210
    jkichline Posts: 1,290 member
    Quote:

    Originally Posted by PhilBoogie View Post



    3) I didn't see any proof of a 5.5 incher in those pics¡

    That's because only naked women were hacked ;)

  • Reply 10 of 210
    solipsismx Posts: 19,566 member
    bigpics wrote: »
    Leaving anything you don't want seen in an online computer or repository with anything less than best practices (frequently changed LastPass passwords, two factor authentication, 256 AES encryption, e.g.) is an invitation to the "hackarazzis"...

    1) I know LastPass is free but I don't care for their UI and that it's all saved on their servers.

    2) I'm not sure if LastPass has this security feature, but when I click on my 1Password browser extension to add a username and password, 1Password will first warn me that the site is not using SSL. In all cases this is one of those wonky webpage setups where you can click Submit on the empty field to have the page reload with an SSL page telling you your submitted username and password were incorrect and to type them in again. Or just change the HTTP to HTTPS, but I find the other way faster. Anyway… does LastPass have that?
  • Reply 11 of 210
    Originally Posted by LunarMoon View Post

    #1 rule - never have pictures of yourself naked on a phone, any phone or computer.

    #2 rule - never let anyone take your picture naked.

     

    You’d be surprised at the number of people who claim this isn’t a valid argument and that people should be allowed to do whatever they want.

  • Reply 12 of 210
    rogifan Posts: 10,669 member
    So is Apple confirming that iCloud was breached or is that what they're investigating? Because the media has run with this story (being a slow news weekend with Labor Day holiday and all) and are basically calling it an iCloud hack.
  • Reply 13 of 210
    gtr Posts: 3,231 member
    This reeks of a public smear a week before the latest iPhone release.

    It staggers me that ALL of the major news sites are reporting this as an iCloud hack in their headlines before briefly mentioning deep within the articles that this information has not been verified.

    What the f*ck has happened to reporting these days?
  • Reply 14 of 210
    philboogie wrote: »
    1) Why put up a 938KB "10314-2477-photosharing_hero-l.png"? Can't AI simply put an 80KB .jpg in the thread instead please?

    2) Bit late to the party on this story AI, already discussed in depth over here:
    http://forums.appleinsider.com/t/182037/apples-secret-iphone-6-digital-payment-system-said-to-also-include-visa-mastercard
    FYI, that was yesterday

    3) I didn't see any proof of a 5.5 incher in those pics¡

    Why does it matter so much about the size of the photo? I have no issues with them.
  • Reply 15 of 210
    Quote:

    Originally Posted by Rogifan View Post



    So is Apple confirming that iCloud was breached or is that what they're investigating? Because the media has run with this story (being a slow news weekend with Labor Day holiday and all) and are basically calling it an iCloud hack.

    On the one side Antennagate.

     

    I hope apple does it right, and shows who [was it 200 celebs or 200,000,000 people] was hacked and how, what they did (if anything) to prevent it.

    Apple's response to Antennagate was slow, measured, and basically, a problem in the industry, not with our phone.

    But if anything, everyone should be changing their AppleID passwords, just as a matter of good hygiene

  • Reply 16 of 210
    gtr Posts: 3,231 member
    You’d be surprised at the number of people who claim this isn’t a valid argument and that people should be allowed to do whatever they want.

    They do have a point.

    And let's face it, anarchy has generally worked out well for anybody who's ever tried it in the past.

    /s
  • Reply 17 of 210
    rogifan Posts: 10,669 member
    On the one side Antennagate.

    I hope apple does it right, and shows who [was it 200 celebs or 200,000,000 people] was hacked and how, what they did (if anything) to prevent it.

    Apple's response to Antennagate was slow, measured, and basically, a problem in the industry, not with our phone.

    But if anything, everyone should be changing their AppleID passwords, just as a matter of good hygiene

    If this wasn't an iCloud hack there's nothing for Apple to show. Unfortunately everyone seems to be rushing to blame it on an iCloud hack when no one knows for sure if that's what happened. I find it highly suspicious this comes out a week before Apple's big event.
  • Reply 18 of 210
    bobschlob Posts: 1,074 member
    Quote:
    Originally Posted by TheOtherGeoff View Post

     

    NB:

    I love the irony of people who get photographed at various levels of undress, and then take/get/store pictures of themselves in various levels of undress, and then claim foul when they feel their 'privacy' was impinged. (I know, the choice of what is published and what is personal is the very definition of privacy).  'Exposure' is their only fungible asset.

     

    Now Justin Verlander... what did Mickey Say "Lay off the Women... Women Weaken Legs!"  He got more than his fair share of exposure.


    Rant is a little hard to follow; but are you saying that if they had been clothed, then the situation would not be "impinged privacy", and they would then have no "claim" of foul?

    (or in other words; what does their level of undress have to do with anything?)

  • Reply 19 of 210
    bobschlob Posts: 1,074 member
    Quote:
    Originally Posted by Rogifan View Post

     
    Quote:
    Originally Posted by TheOtherGeoff View Post



    On the one side Antennagate.



    I hope apple does it right, and shows who [was it 200 celebs or 200,000,000 people] was hacked and how, what they did (if anything) to prevent it.

    Apple's response to Antennagate was slow, measured, and basically, a problem in the industry, not with our phone.

    But if anything, everyone should be changing their AppleID passwords, just as a matter of good hygiene


    If this wasn't an iCloud hack there's nothing for Apple to show. Unfortunately everyone seems to be rushing to blame it on an iCloud hack when no one knows for sure if that's what happened. I find it highly suspicious this comes out a week before Apple's big event.

    Ha! Hardly suspicious.  More likely; "expected". (never fails :no:)

    Still a week to go. Won't be the least bit surprised if somebody tries yet another smear before then.

  • Reply 20 of 210
    Quote:

    Originally Posted by TheOtherGeoff View Post

     

    On the one side Antennagate.

     

    I hope apple does it right, and shows who [was it 200 celebs or 200,000,000 people] was hacked and how, what they did (if anything) to prevent it.

    Apple's response to Antennagate was slow, measured, and basically, a problem in the industry, not with our phone.

    But if anything, everyone should be changing their AppleID passwords, just as a matter of good hygiene


    This is different. Apple is typically quick about fixing security holes (well, as fast as they can fix these things). They've already patched the hole that allowed an unlimited number of password tries. No, I'm not changing my password. They had to know my email address first. Even then, my password is strong enough that even a brute force won't break it (unless they try every combination of characters, which will take years). A typical brute force method uses a list of known weak passwords. In some cases, they may try a dictionary attack, but that's rarely done online due to the number of tries needed. A dictionary attack is normally done locally, where it's much quicker.

    These celebs had easy passwords or they were retrieved via social engineering, phishing or some other method.

    If you have a good password, I wouldn't worry about it... unless it turns out that there was some systemwide hack on iCloud (which is extremely unlikely).
