Apple “Actively Investigating” Alleged Celebrity iCloud Account Hack

Apple is actively investigating a hack of celebrity accounts that resulted in the leak of tons of nude images and movies that flooded the Internet, the company tells Re/code.

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.

Following reports of the celeb photo hacks, Apple has allegedly patched the Find My iPhone vulnerability that may have allowed hackers to gain access to the iCloud accounts of celebrities.

Some of the posted images are said to be real, some fake, but the main issue is the source of these images: the iCloud accounts of the Hollywood celebrities — at least according to the hacker who originally posted them on the Web.

According to security experts contacted by Re/code, the hacking and theft of the nude images might have been prevented if those affected had enabled two-factor authentication on their accounts.

Apple, however, has been silent on how these attacks were carried out, but if we are to believe an earlier report from today, the Find My iPhone API has a vulnerability that was highlighted just several days ago.

There are too many coincidences, including the iBrute software posted on GitHub that allows hackers to automate brute-force attacks against iCloud accounts, and since Apple allows an unlimited number of password guesses, there was plenty of time for the software to guess the passwords. Apple has fixed that aspect of the vulnerability since then.

Also, there was talk from a security researcher who spoke about the security on iCloud: You can view the slides here.

The fact is, Apple is a bit late in the game of two-step verification, and it doesn’t advertise it properly, Mandiant security researcher Darien Kindlund points out. The two-step verification system adds another layer of security for Apple accounts, as it requires both a security code and a trusted device to log the user into his/her account.