Apple: Hackers Stole Celebs' Passwords, Did Not Breach Our Systems
SAN FRANCISCO (AP) — Apple is acknowledging that computer hackers broke into the accounts of several celebrities to steal personal photos that have been posted online, a security breakdown that the iPhone maker blamed on the intruders' ability to figure out passwords and bypass other safeguards.
The preliminary conclusions emerged Tuesday after Apple's engineers spent more than 40 hours investigating a high-tech break-in that has exposed weaknesses in online security at a time when more people are storing photos and other sensitive information on other computers hosted in massive data centers.
Apple opened its inquiry over the Labor Day weekend after the online distribution of nude photographs of Oscar-winning actress Jennifer Lawrence and other stars, including Mary Elizabeth Winstead. Some of the stars say the photos are fakes, but Lawrence has acknowledged the revealing pictures of her are real in a statement branding their theft as a "flagrant violation of privacy."
The intrusion raised concerns that Apple's iCloud service, which is widely used by iPhone and iPad owners to store copies of personal photos, may have suffered a massive security lapse.
Apple, though, says it found no evidence of a widespread problem in iCloud or its Find my iPhone service. Instead, the affected celebrity accounts were targeted by hackers who had enough information to know the user names, passwords and answers to personal security questions designed to thwart unauthorized entries, according to Apple.
Knowing this crucial information would enable an outsider to break into Apple accounts, including iCloud.
It's much more difficult to hack into an account if a user enables a two-step authentication feature offered by Apple, Google Inc., Microsoft Corp. and several other major technology companies. This security measure requires a user to enter a special code sent to a smartphone when an attempt is made to sign into an account from a device that hasn't been previously used.
Security specialists also suspect the hacking into the celebrity accounts could have been avoided if Apple had stricter controls on how many times an incorrect password can be entered before access to the account is forbidden for a short time period. Apple has a lockout feature on its online accounts, although it won't say how many times an incorrect password must be entered before it's triggered.
Apple is urging its users to switch to stronger passwords and enable the two-step authentication feature in the aftermath of the celebrity hacking attacks. "Our customers' privacy and security are of utmost importance to us," Apple said in its statement.
The Cupertino, California company also is cooperating with an FBI investigation into the intrusion.