Apple has released a statement about the alleged hack on iCloud resulting in nude pictures of hundreds of celebrities being posted on the internet.
According to posts on 4chan, 101 celebrity iCloud accounts were hacked, including those belonging to Hollywood actresses Jennifer Lawrence, Mary Elizabeth Winstead and Kate Upton.
Apple has now released an official statement on the matter in which it blames weak passwords for the leak.
The firm says its investigation found no breach in any of its systems, including iCloud. Apple advises that users use stronger passwords and enable two-step verification.
Here’s the full statement:
“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
KPMG security researcher Yiannis Chrysanthou believes that blaming breaches on passwords ‘is history’ and that multi-factor authentication is the only way businesses can help keep customers’ info safe.
“To prevent password breaches, users are often asked to stop reusing the same password combination across several access points, and businesses are advised to ensure that they have cryptographic hash functions specifically designed for password storage. But this method hasn’t been effective. Organisations seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, then they are relatively safe. The reality is that we hear of password breaches time and time again, and this needs to change,” said Chrysanthou.
“What often happens is that a website or organisation suffers a breach and the attackers publicise the database with usernames, emails and passwords online. The passwords are either in plain text or hashed using cryptographic hash algorithms that are often cracked within a few days. The alternative is to use multifactor authentication as it improves security by combining multiple forms of identification data.
“Passwords on their own are just one authentication factor because they rely on ‘something the user knows’. Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient.”
Richard Parris, CEO of Intercede, agrees that it is time for stronger authentication methods: “As we live more and more of our lives online, all our various digital identities need to be effectively protected – worryingly, it appears that this is not the case at the moment. It’s time for stronger authentication and more sophisticated forms of identity, but also for a more comprehensive, wider program of education for the general public highlighting the numerous, and largely unknown vulnerabilities inherent with mobile devices and the apps we use in our everyday lives.”
CloudMask’s CEO, Wael Aggan, offers up these tips for keeping your data safe:
1. Use strong passwords that comprise alphanumeric and special letters
2. Do not use the same password for all your sites
3. Use two-factor authentication
4. Encrypt your data from creation – even if your account is hacked your data will not be seen