The huge theft of private celebrity photos this weekend has led to speculation that they were found as a result of hacking Apple’s iCloud, it’s cloud backup system for iOS devices. Apple has responded saying it is ‘actively investigating’ this possible violation of iCloud security.
There are a number of theories about how a hacker might have gained access to data stored in iCloud. One is the victims failing to have ‘two factor authentication‘ enabled on their phones. This system, which is becoming increasingly popular, means that to access your account, you need to give both your password and a special code, typically sent to your mobile device at the moment you attempt to sign in. Apple introduced this in March 2013 (calling it two-step verification), but users are not obliged to use it.
Another theory is that a hacking tool, shared on Github, which allows you to repeatedly guess Apple ID account passwords, might have been the culprit. There is no evidence this is true, but Apple did not fix this vulnerability until yesterday. Now, you have limited attempts at guessing a password before it is reset.
The attacks could also be the result of ‘phishing’, where users are sent authentic-looking emails which ask then to enter their login details. As ever, the best advice is to never give up your login details by email, and double check that any site you do enter is legitimate.
The leak could also be the result of simple device theft. Whatever it turns out to be, even if it’s an exploit of poor security, it’s very likely to be a criminal act that could result in prosecution, as happened with a similar celebrity story in 2005. Theft of private data is illegal, and the insistence by some users on the use of Reddit and 4Chan to widely distribute the photos, where people do not reveal the source of the leaks, suggests that the leaker is very aware of this illegality.
We will return to this story when we have more details.
Follow Jonathan on Twitter: @jonathanriggall