After a massive breach that saw hackers steal nude pictures and videos from phones belonging to various celebrities, fingers have been pointed at Apple’s iCloud as the potential point of access. Now, various reports have emerged detailing the way these phones may have been obtained, and revealing Apple’s involvement in the process.
Online publication The Next Web reveals that hackers were aware of an iCloud security issue (found in the Find My iPhone service) and may have taken advantage of it to break into the phones of the affected celebrities, who include Jennifer Lawrence, Ariana Grande, Kate Hudson and many more.
Apparently, a Python script was posted on GitHub last Monday that allows users to target any iCloud account with a “brute force” attack – basically, the program repeatedly tries to guess the password of an iTunes account (assuming the attacker already knows the email of that account) until it finds the right one.
Apple has apparently patched this security issue, and now the brute force attack will stop after the fifth unsuccessful login attempt, leaving the owner of the iTunes account unharmed as long as the password isn’t discovered in the first few tries.
However, Apple has not confirmed the hack, or whether the program was used to steal personal details from certain users.
According to The Guardian, Apple is investigating the claimed iCloud attack and whether the data was taken from its cloud service – and, if so, “to what extent users’ accounts were compromised.”
Even if the attack relied on the demonstrated iCloud security issue, this still does not explain how the hackers obtained the email addresses used by the targeted celebrities to create iTunes accounts. Without that crucial detail (an email address tied to an iCloud account) hackers would not have been able to break in using the brute force attack in the first place – assuming that’s how they got the data.
The publication says that there may be explanations other than an iCloud hack. Someone with access to celebrities and their gadgets may have been collecting email and password data from them, and storing compromising details for a long time for later use.
Hackers could have attacked other devices, including Macs and PCs (rather than actual smartphones), to steal iTunes logins and thus gain access to iCloud backup features that would have allowed them to download those nude pictures to their own devices. Business Insider suggests a scenario in which only a single device was hacked, either a phone or laptop, laden with such images and videos, that could have been stolen.
The same publication also offers a less likely theory: that celebrities might have been hacked over Wi-Fi while at the Emmy Awards ceremony.