iCloud hacked

BladeVenom

Supreme [H]ardness
Joined
Jun 29, 2005
Messages
7,707
All the celebrities using iCloud are having their nude photos leaked online.
 

Oldie

Mean Old Administrator
Staff member
Joined
Jan 12, 2004
Messages
21,895
I'm just going to toss in a quick reminder here that linking to any of those photos on this forum is not in line with the rules. ;)
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
Also, there's no confirmation that iCloud has actually been hacked, and the technique some are claiming has been used... has been patched. Not ruling out iCloud, to be clear, but there seems to be a lot of people who are treating vague rumours as absolute fact.
 

CHANG3D

Supreme [H]ardness
Joined
Jul 23, 2010
Messages
4,975
I think the lesson here is to not share private photos to anyone else, not even to Apple, Microsoft, or Google, etc.

Also, use a password that's not easy for a computer to crack. If this rumor is true, this "hacker" just used a brute force password hack, most likely dictionaries and birthdays.

If you do wind up sharing your photos to someone, make sure they follow those rules too.

P. S. the alleged "hacker" is a system network administrator who somehow had email addresses of these celebrities. My guess is he works for someone in the industry who actually does have email accounts of them. It's even possible that these celebrities have an account on the system and use the same password, making it a whole lot easier. The reason why I don't think it's as simple as an iCloud brute force find my phone exploit is where did he get the logins?
 

JPF_

Limp Gawd
Joined
Dec 30, 2011
Messages
494
P. S. the alleged "hacker" is a system network administrator who somehow had email addresses of these celebrities. My guess is he works for someone in the industry who actually does have email accounts of them. It's even possible that these celebrities have an account on the system and use the same password, making it a whole lot easier. The reason why I don't think it's as simple as an iCloud brute force find my phone exploit is where did he get the logins?


Just going to say it; You sound like an apple fanboi making it appear it was just by chance that this "system network engineer" had these actresses iCloud email addresses.......as if Apple is un-hackable or unobtainable in that regard. This wasn't your run of the mill "hay guiz i found dis emails and it haz pictarz!! wut do?!"

No one is safe if the right people know the right things.

iCloud is no more secure than any other cloud storage that is available to the public, or private for that matter.

Can't wait to see someone hack up Amazon's cloud storage that the government will be using.....
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
Just going to say it; You sound like an apple fanboi making it appear it was just by chance that this "system network engineer" had these actresses iCloud email addresses.......as if Apple is un-hackable or unobtainable in that regard. This wasn't your run of the mill "hay guiz i found dis emails and it haz pictarz!! wut do?!"

No one is safe if the right people know the right things.

iCloud is no more secure than any other cloud storage that is available to the public, or private for that matter.

Can't wait to see someone hack up Amazon's cloud storage that the government will be using.....

I think at least some of us understand this. To me, this is more an attempt to head-off the inevitable attempt by trolls to paint this as some unique failing on Apple's part rather than a combination of factors that are issues across the industry.
 

Optik

Limp Gawd
Joined
Jul 28, 2003
Messages
326
Just a shame that people can't comprehend that the centralization of this kind of information leaves it vulnerable to these kinds of attacks.

It's called cloud for a reason, and there is enough information out there to suggest that "deleted" in the cloud really means nothing.

These technology companies all have a track record of talking about privacy, and it's really just limited to them constantly copying and pasting rhetoric. We all know that deleted not only means nothing, but apparently exploitable and retrievable by a layman such as a hacker.

quite sad, honestly.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
The problem with blaming Apple for this is that all we have is a hacker's claim that they hacked iCloud with zero details of how they did so, and speculation about what tools might have been able to be used for the job.

I'd rather wait and see if investigators find out what really happened than trust the word of someone who was selling the pictures for bitcoin on 4chan.
 

kirbyrj

Fully [H]
Joined
Feb 1, 2005
Messages
30,220
Actually it's pretty easy to blame Apple for this because they had the pictures secured and now they are on internet regardless of how it was done.
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
Actually it's pretty easy to blame Apple for this because they had the pictures secured and now they are on internet regardless of how it was done.

The whole point is that we don't actually know how this was done yet -- there are theories, but few facts. I'm willing to accept that Apple screwed up with an easily preventable flaw, but there's already a few people here who have already made that assumption, evidence be damned.
 

Trimlock

[H]F Junkie
Joined
Sep 23, 2005
Messages
15,228
Just going to say it; You sound like an apple fanboi making it appear it was just by chance that this "system network engineer" had these actresses iCloud email addresses.......as if Apple is un-hackable or unobtainable in that regard. This wasn't your run of the mill "hay guiz i found dis emails and it haz pictarz!! wut do?!"

No one is safe if the right people know the right things.

iCloud is no more secure than any other cloud storage that is available to the public, or private for that matter.

Can't wait to see someone hack up Amazon's cloud storage that the government will be using.....

noooooooo!!! opinions and assump ... err, I mean FACTS! show us things!
 

ChedWick

Gawd
Joined
Sep 16, 2011
Messages
596
Actually it's pretty easy to blame Apple for this because they had the pictures secured and now they are on internet regardless of how it was done.

With no real proof of how this hack was even achieved, I would argue that it's actually pretty damn hard to blame Apple at this point.

Could this be due to a stupid and preventable security flaw that does make apple to blame? Absolutely yes, but until more details are known you're just jumping the gun.

I won't take on the blame the victim mentality but I do personally consider anything stored on someone else's servers already hacked. This is why I don't store anything of real importance out in "the cloud".
 

Mchart

Supreme [H]ardness
Joined
Aug 7, 2004
Messages
5,900
They assume it was just a brute-force script. Every website is susceptible to this method. The only difference is that for this particular login service using the Apple ID it wasn't protected with something that prevents X number of attempts in Y period of time.

So it really is Apple's fault and I think it's safe to assume whomever was in charge of the coding team for that particular portion of that web service has been fired for such a stupid oversight.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
Eh, never mind. Seems like the pictures have been circulating for months before they went public, so it's not the Russian hacker group.
 

kirbyrj

Fully [H]
Joined
Feb 1, 2005
Messages
30,220
With no real proof of how this hack was even achieved, I would argue that it's actually pretty damn hard to blame Apple at this point.

Could this be due to a stupid and preventable security flaw that does make apple to blame? Absolutely yes, but until more details are known you're just jumping the gun.

I won't take on the blame the victim mentality but I do personally consider anything stored on someone else's servers already hacked. This is why I don't store anything of real importance out in "the cloud".

You're looking at this way too detailed. What do these pictures have in common? They were stored in iCloud. What do they have in common now? They are on the internet. Whose responsibility was it to keep these pictures in iCloud and off the general internet? Apple
 

Zorachus

[H]F Junkie
Joined
Dec 17, 2006
Messages
10,714
LOL at Kate Upton saying she'd never do nude photography or Playboy. She doesn't need to now :eek: She has a nice rack for being a thin woman. And Jennifer Lawrence, had some real racy photos leaked.

Bottom line, if you don't want your nude sex photos leaked online, very simple, don't take pictures of yourself naked with your smartphone. Just use an old Polaroid or something.

And then the whole Cloud data storage thing. If you have private info or pics stored digitally in the "cloud" someone, somehow will find a way to hack into it, and leak it if they want to. I see this becoming more and more common.
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
And here's Apple's response:

http://www.marketwatch.com/story/apple-media-advisory-2014-09-02

Surprise, the breaches were due to lax usernames/passwords, not an actual breach of iCloud and its servers. Seems like a lot of the hyperbolic fear was unmerited. In short: use complex passwords, people.

Also, Zorachus: that's an overly simplistic way of tackling things. It's like saying that the way to avoid credit card theft is to never use a credit card.
 

mi7chy

2[H]4U
Joined
May 22, 2013
Messages
3,985
So pretty much blame Apple users for passwording it wrong when the system lacks strong password enforcement and has poor brute force protection that's been available on unix for decades. In line with previously blaming reception issues on Apple users holding it wrong.
 

CHANG3D

Supreme [H]ardness
Joined
Jul 23, 2010
Messages
4,975
They got into the account without brute forcing their way in, assuming that whoever claims to have hacked it is a group of people, not just one. They got into the account through answering security questions and it took them months.

The FBI has also said that another cloud service (without naming which) was also hacked. My guess is DropBox or Google, as they are the most popular mobile cloud photo backup.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
From Aurelius' link: "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone."

Hah, Aurelius blames the victims, mi7chy blames Apple, and Zorachus enjoys the pictures.
 

Optik

Limp Gawd
Joined
Jul 28, 2003
Messages
326
When the PR release creates more questions than it does answers, you know that someone is covering up their ass.
 

Optik

Limp Gawd
Joined
Jul 28, 2003
Messages
326
They got into the account without brute forcing their way in, assuming that whoever claims to have hacked it is a group of people, not just one. They got into the account through answering security questions and it took them months.

The FBI has also said that another cloud service (without naming which) was also hacked. My guess is DropBox or Google.

Oh so when it leaks out that they had 100,000 guesses before apple patched the account lock bug it's the victim's fault.

yeah, ok.
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
Yes, Apple should make sure that brute force isn't an issue. The problem is that a lot of people treated this as some kind of compromise of iCloud itself; it's not, any more than someone figuring out your Gmail password is compromising Google's servers.

It's no doubt embarrassing to Apple if brute force worked, but that's apparently been patched, too... so it amounts to arguing over nothing.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
Oh so when it leaks out that they had 100,000 guesses before apple patched the account lock bug it's the victim's fault.

It is now becoming apparent that these hacks were not performed quickly. These are celebrities, who have a problem that ordinary people do not: their personal historical details are much easier to obtain for the answers to forgotten password security questions. Your best friend's nickname in high school? For you, it would be nearly impossible to guess, but a celebrity's best friends get mentioned in the gossip rags, then it's some research, maybe browsing some high school yearbooks to get the answer.

Celebrities probably try to obscure these answers while making them not impossible to remember, which is where it takes some time to guess how they altered the answer. For example, if your best friend's high school nickname was Zero, was it altered to Zer0, or zer0, or z3r0, and so forth.

If the account has brute force protection, you get to attempt these questions as many times as the brute force algorithm allows. If it's set as low as a few times a day, that would make it not worthwhile to hack an ordinary person's account - but the payoff is so big for a celebrity account that there will be endless amounts of patience for the process. Those 100,000 guesses you're talking about occurred over months, if not years.

It is the entire concept of passwords that is flawed, not Apple's particular implementation of them. Come up with something better and you will be a billionaire.
 

Erasmus354

[H]F Junkie
Joined
Mar 12, 2004
Messages
9,450
Yes, Apple should make sure that brute force isn't an issue. The problem is that a lot of people treated this as some kind of compromise of iCloud itself; it's not, any more than someone figuring out your Gmail password is compromising Google's servers.

It's no doubt embarrassing to Apple if brute force worked, but that's apparently been patched, too... so it amounts to arguing over nothing.

It all comes down to an issue of trust, and for Apple they have lost some degree of trust from consumers as a result of this breach. The simple fact is Find My Phone didn't have basic 1999 levels of security to prevent sophomoric brute force attacks. It being fixed after the fact doesn't repair the trust that Apple lost, consumers will still feel "what else will Apple fail to secure properly".
 

CHANG3D

Supreme [H]ardness
Joined
Jul 23, 2010
Messages
4,975
Once again, there was no brute force attack to get the passwords. So you're blaming Apple for this loophole when this loophole wasn't even used...
 

Aurelius

2[H]4U
Joined
Mar 22, 2003
Messages
4,004
Once again, there was no brute force attack to get the passwords. So you're blaming Apple for this loophole when this loophole wasn't even used...

It's more accurate to say we don't know that a brute force intrusion was used. It'd make sense (that's how you get frequently guess a login), but it's not certain yet.

Apple definitely took a bruising, either way. It's just good to know that there was a quick fix instead of some really calamitous breach (see: Sony in 2011).
 

Matthew Kane

Supreme [H]ardness
Joined
Dec 1, 2007
Messages
4,233
Jennifer Lawrence, Kate Upton, Victoria Justice, Brie Larson, Teresa Palmer, Kirsten Dunst, etc.

Ok, did google searches for all those, seems the only ones that positive results is mostly Jennifer Lawrence.

Why do these people upload nudes into a cloud service that isn't even safe to begin with? Nothing floating in the cloud or internet is ever safe. :confused:

IT security 101.
 

Optik

Limp Gawd
Joined
Jul 28, 2003
Messages
326
Ok, did google searches for all those, seems the only ones that positive results is mostly Jennifer Lawrence.

Why do these people upload nudes into a cloud service that isn't even safe to begin with? Nothing floating in the cloud or internet is ever safe. :confused:

because apple just works. No, seriously.

Photostream is set by default to backup to icloud. It's a setting that you physically have to turn off.

read this article

https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
7. Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recover process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step are the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.

Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug.


but somehow Apple wants you to believe that it's the victim's fault.
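
The mitigations named in the quoted article (validate the whole recovery in one step, give no step-specific error, and rate-limit per account) can be sketched as follows. This is an added example, not part of any post in this thread and not Apple's code; `RecoveryVerifier`, the sample account and the limits are hypothetical.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample account (hypothetical data, not from the thread).
ACCOUNTS = {"user@example.com": {"dob": "1990-01-01",
                                 "answers": ("zer0", "maple street")}}
# Compared against when the email is unknown, so the same checks still run.
_DUMMY = {"dob": "0000-00-00", "answers": ("\x00", "\x00")}

MAX_ATTEMPTS = 5        # "X attempts" ...
WINDOW_SECONDS = 3600   # ... "in Y period of time", counted per account
GENERIC_FAILURE = "We could not verify those details."


def _eq(a, b):
    # Normalise case/whitespace, then compare without an early exit.
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())


class RecoveryVerifier:
    def __init__(self, accounts=ACCOUNTS, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock
        self.attempts = defaultdict(deque)  # email -> attempt timestamps

    def _throttled(self, email):
        now = self.clock()
        q = self.attempts[email]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                     # forget attempts outside the window
        if len(q) >= MAX_ATTEMPTS:
            return True
        q.append(now)                       # every attempt counts, known email or not
        return False

    def verify(self, email, dob, answers):
        """One-shot check: email, date of birth and answers judged together."""
        email = email.strip().lower()
        if self._throttled(email):
            # Same message as a wrong guess: lockout state is not disclosed.
            return False, GENERIC_FAILURE
        record = self.accounts.get(email, _DUMMY)
        ok = email in self.accounts
        ok &= _eq(dob, record["dob"])
        ok &= len(answers) == len(record["answers"])
        for given, expected in zip(answers, record["answers"]):
            ok &= _eq(given, expected)      # no short-circuit between fields
        return (True, "verified") if ok else (False, GENERIC_FAILURE)
```

Because an unknown email, a wrong date of birth, a wrong answer and a locked-out account all return the same result, the caller learns nothing about which field failed or whether the address exists.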
 

Matthew Kane

Supreme [H]ardness
Joined
Dec 1, 2007
Messages
4,233
Proves my point, not safe. I don't use icloud or an Apple i-mobile device so not up to date how icloud or such works.
 

Erasmus354

[H]F Junkie
Joined
Mar 12, 2004
Messages
9,450
Once again, there was no brute force attack to get the passwords. So you're blaming Apple for this loophole when this loophole wasn't even used...

And yet again in your fanboyish desire to defend Apple your reading comprehension has completely disappeared. I never said that a brute force attack was used in this specific hack. I said that Find My Phone was vulnerable to brute force attacks, which it was. That is a vulnerability that even a tiny porn site from 1999 would have protected against, yet somehow Apple didn't. It doesn't matter at this point if the find my phone vulnerability is what was used or not, Apple has already lost Consumer trust.
 

Flopper

[H]ard|Gawd
Joined
Nov 15, 2007
Messages
1,642
Ok, did google searches for all those, seems the only ones that positive results is mostly Jennifer Lawrence.

Why do these people upload nudes into a cloud service that isn't even safe to begin with? Nothing floating in the cloud or internet is ever safe. :confused:

IT security 101.

You would think kids would understand security nowadays, don't post anything important that can be accessed from a computer elsewhere. My e-mail has 2 security locks in place and I still won't have important information there.
If you're a celebrity the need for geeks to access your mail or garbage or underpants are common so they should protect their info better.
40k downloads for naked celeb pictures?
Seriously, haven't people seen naked boobs and such before?
 