Apple: Celeb photo attack was targeted, not widespread breach

Hackers accessed celebrities' iCloud accounts through targeted attacks on usernames, passwords, and security questions -- something Apple says is "all too common on the Internet."

Shara Tibken Former managing editor
Shara Tibken was a managing editor at CNET News, overseeing a team covering tech policy, EU tech, mobile and the digital divide. She previously covered mobile as a senior reporter at CNET and also wrote for Dow Jones Newswires and The Wall Street Journal. Shara is a native Midwesterner who still prefers "pop" over "soda."
Shara Tibken
2 min read

Jennifer Lawrence, pictured attending the Christian Dior show in July as part of Paris Fashion Week, had photos stolen from her Apple account. Pascal Le Segretain/Getty Images

It wasn't our fault, Apple says.

The Cupertino, Calif., electronics giant on Tuesday said the recent attack on celebrity iCloud accounts wasn't a widespread breach but was the result of a targeted attack on people such as actress Jennifer Lawrence.

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet," Apple said in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

Apple declined to comment beyond the statement.

A large cache of risque images -- some said to be real, others fake -- first appeared Sunday on the image-based bulletin board 4chan. The images were said to have been taken from the iCloud accounts of celebrities such as Lawrence, model Kate Upton, and recording artist Ariana Grande, and have since spread across the Internet on social media.

Apple on Monday said it was ""="" shortcode="link" asset-type="article" uuid="f62fefa5-69c4-44b6-a1f4-c01c42637720" slug="apple-actively-investigating-icloud-link-to-celeb-photo-hack" link-text="" section="news" title="Apple 'actively investigating' iCloud link to celeb photo leak" edition="us" data-key="link_bulk_key" api="{"id":"f62fefa5-69c4-44b6-a1f4-c01c42637720","slug":"apple-actively-investigating-icloud-link-to-celeb-photo-hack","contentType":null,"edition":"us","topic":{"slug":"security"},"metaData":{"typeTitle":null,"hubTopicPathString":"Security","reviewType":null},"section":"news"}"> whether a security breach at its iCloud service was responsible for the leak of several private, nude images of celebrities, including Lawrence.

Some security sites speculated that a vulnerability in the online storage service's "Find My iPhone" feature could allow a brute force attack in which multiple, rapid-fire attempts are made to correctly guess an account's password, according to Github. The code-hosting site reported that Apple had repaired the vulnerability.

However, some of the photos appeared to have come from different devices and may have been accumulated over a long period of time. Apple's statement on Tuesday refuted speculation about a widespread breach.

This isn't the first time Apple's online service has been linked to a hack. In 2012, former Gizmodo reporter Mat Honan blamed an AppleCare technician for allowing his personal email and Twitter accounts to be hacked. Honan said a hacker wiped his devices and gained access to his Gmail and Twitter accounts after an Apple technician fell victim to social engineering, a technique of manipulating people instead of computers to perform a task or divulge information.

Apple, which said Tuesday that it was "outraged" when it learned of the most recent attacks, noted that it will continue to work with law enforcement to identify the criminals involved. It also advised iPhone owners to always use a strong password and enable two-step verification.

Two-factor verification or authentication adds an extra step to the basic login procedure. When a user has to enter only a username and one password, that's considered a single-factor authentication. Two-factor authentication requires the user to have two out of three types of credentials before being able to access an account. The three types are :

  • Something you know, such as a Personal Identification Number (PIN), password, or a pattern
  • Something you have, such as an ATM card, phone, or fob
  • Something you are, such as a biometric like a fingerprint or voice print