This week the FBI is investigating an alleged iCloud celebrity hack, labelled The Fappening, after nude photos and videos of over 400 celebrities leaked on the image board 4chan.org/b. Apple’s iCloud service allows users to store photos and other content and access it from any Apple device.
According to Mac Daily News, the hack was achieved through a combination of weak passwords, weak security questions and software bugs that allowed brute-force (password guessing) attacks. Before we go on to proactive steps for protecting our data in iCloud, here is the media advisory from Apple:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Storing data in online storage services such as iCloud is, and will continue to be, very useful for accessing and sharing our data.
What can we do?
Everyday user
- Use a strong password that you do not reuse on any other account. This is much easier with a password manager.
- Update your security questions so that only you know the answers.
- Enable two-step verification.
- As well as the above, create a free email account and change your Apple ID to this email address. This way a hacker has to guess not only our password, but our Apple ID as well.
- Or disregard the above and use private cloud storage such as owncloud.org instead of a big target like iCloud.
What should Apple do?
- Make two-factor authentication easier to use.
- Ensure there are no bugs that allow brute-force (password guessing) attacks, for example by limiting failed login attempts per account.
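As an added illustration of the second point (this is example code written for this post, not Apple's or anyone's production login code): a per-account throttle on a password check that locks the account after repeated failures and records every event for monitoring. The user store, limits and the `Throttle` class are all constructed for the example.

```python
"""Per-account throttle for a password check (constructed example)."""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed guesses allowed inside one window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # cool-down once the limit is reached


def _record(password, salt=b"demo-salt"):
    """Constructed credential record: (salt, sha256(salt || password))."""
    return salt, hashlib.sha256(salt + password.encode()).digest()


USERS = {"alice": _record("correct horse battery staple")}   # sample store
DUMMY = _record("", b"dummy")   # compared against for unknown users


class Throttle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable clock for testing
        self.failures = defaultdict(list)   # username -> failure timestamps
        self.locked_until = {}              # username -> unlock time
        self.events = []                    # audit trail for detection/alerting

    def login(self, username, password):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            self.events.append(("locked_attempt", username))
            return "locked"
        # Keep only failures still inside the sliding window.
        recent = [t for t in self.failures[username] if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        entry = USERS.get(username)
        salt, digest = entry if entry else DUMMY
        candidate = hashlib.sha256(salt + password.encode()).digest()
        if entry is not None and hmac.compare_digest(candidate, digest):
            self.failures[username] = []
            self.events.append(("success", username))
            return "ok"
        recent.append(now)
        self.events.append(("failure", username, len(recent)))
        if len(recent) >= MAX_FAILURES:
            # Lock the account even if the very next guess would be correct.
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.events.append(("lockout", username))
            return "locked"
        return "denied"
```

The `events` list is the piece a defender wants: a burst of `failure` records followed by `lockout` on one account, or `lockout` across many accounts, is the signal to alert on.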