Apple ‘actively investigating’ celebrity photo hack as security experts weigh in

BY Evan Selleck

Published 1 Sep 2014


On the evening of August 31, many photos of celebrities in compromising positions were posted to the 4Chan community. Immediately afterwards, reports surfaced that the leak could have been brought on by a brute force attack on Apple’s iCloud service.

Now, security experts are starting to focus more intently on the role that iCloud could have played in the situation. At the same time, as reported by Re/code, Apple is “actively investigating” the situation and, as one can expect, says that it takes the security of individuals very seriously:

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.

The photos run the gamut of many famous celebrities. Many of them have already been claimed to be fake by the celebrities in question or by their representatives, while others have been confirmed to be real.

In a related report published by The Guardian, many security experts have begun digging into the situation, with many of them putting a large focus on iCloud and the security tied to its backup. One of the running theories at this point is that one hacker allegedly collected the photos over a lengthy period of time, and that another hacker cracked into that user’s library, or “popped” it, and then circulated the photos afterwards. This theory is bolstered by the timestamps on some of the images, with the oldest dating back to December 2011, while the newest photo was reportedly taken on August 14, 2014.

There are several different theories out there at this point, but the general focus has been on iCloud and its lack of protection against brute force attacks by those who would try to gain entry by nefarious methods. As noted by Christopher Soghoian, principal technologist at the American Civil Liberties Union:

“If the celebs’ iCloud account passwords were brute forced, the problem seems to be lack of rate limiting by Apple, not lack of crypto.”

With Apple looking into the situation, and with security experts starting to offer their own opinions as they look into the ordeal, the only expectation at this point is that Apple does whatever it needs to do to beef up its security, so that brute force attacks of this nature are no longer effective or, as some have reported, this easy.

[via Re/code; The Guardian]