Apple washes hands of celebrity iCloud hack

Apple has denied that its own systems are to blame for the compromise of celebrities' iCloud storage accounts that saw their intimate pictures being posted across internet forums.

The company claims that the celebrities' privacy was breached as a result of targeted attacks that aimed to discover celebrities' log in details, Apple said.

"We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet."

"None of the cases we have investigated has resulted from any breach in any of Apple`s systems including iCloud or Find my iPhone," Apple said in a statement to United States media.

Raids of this sort on cloud-based back-up storage facilities are likely to be routine for seasoned hackers.

Security researcher Nik Cubrilovic claims that the recent breach "seems only to be scratching the surface". 

Cubrilovic said trading networks exist that are comprised of loosely organised groups of people, each with specific roles to facilitate the data theft.

The activity is mostly done in private and rarely shared with the public, Cubrilovic said.

"The goal is to steal private media from a target's phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices. To access the cloud based backup requires the users ID, password or an authentication token".

Attackers scour Facebook and other social media to collect as much information as possible, he said. This also includes going through public records for celebrities as well as purchasing credit reports on them.

The information gleaned is then used to work out answers to secret questions for password resets, along with phishing emails for that request the same information.

He said that Apple's iCloud is the most popular target as it is popular and the image backup to the cloud is enabled by default.

Furthermore, Cubrilovic said Apple accounts "seem particularly vulnerable" as it is possible to detect if email addresses have an associated iCloud account.

It also appears to be possible to automate the discovery of valid Apple email accounts, testing by Cubrilovic showed.

posting an email address as JSON to appleid.apple .com /account/validation/appleid returns if it is a valid account or not. no rate limit.

— nik cubrilovic (@nikcub) September 2, 2014

Apple said it is working with police to investigate the breach, which resulted in images being uploaded to the 4Chan webforum in return for payment in Bitcoin.

Yesterday, one of the victims of the iCloud breach, actress Jennifer Lawrence, told Reuters that she had contacted authorities over photos stolen from her iCloud account.

A spokesperson for Lawrence said the data breach was a flagrant violation of privacy and warned that anyone who posts images of the actress will be prosecuted by the authorities. 

The breach may have started some time ago. Another actress, Mary Elizabeth Winstead, whose private photos were also stolen from her iCloud account, noted on Twitter that they were old and had been deleted.

Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.

— Mary E. Winstead (@M_E_Winstead) August 31, 2014