Apple says no security breach occurred in celebrity photo leak
Apple Inc. said Tuesday that the recent theft of racy celebrity photos was not a result of a widespread breach of its systems but was instead due to a “very targeted attack” on individual accounts.
The announcement came a day after Apple said it was “actively investigating” reports that its iCloud service had been breached, leading to the leak of hundreds of intimate photos of celebrities including Jennifer Lawrence and Kate Upton.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” the company said in a statement Tuesday morning. “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
Although Apple’s media representatives declined to comment further, the official statement implies that the celebrities involved failed to use basic security precautions.
However, security expert Phil Lieberman, founder and president of Lieberman Software, said “Apple [is] correct when they say their system wasn’t breached in that no one gained universal access. They, however, did have poorly implemented security that allowed this. This is like someone selling you a cheap lock. It’s pretty embarrassing. This is Security 101.”
Apple said it was working with law enforcement officials to help identify the perpetrators of the attacks. The Cupertino, Calif., company also advised users to always use a strong password and enable two-step verification.
The celebrity photos circulated on various websites and social media platforms Sunday after first surfacing on 4chan. A publicist for Lawrence called the published photos a “flagrant violation of privacy.”
It remains unclear how exactly the photos were obtained, although security experts suspect a wide-scale phishing scam.