Updated — 2:40 p.m., EST
Apple PR has released a statement claiming there was no wide breach of iCloud:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
As the dust begins to settle on the initial image dump of nude celebrity pictures that began circulating Sunday afternoon, security researchers, law enforcement, and regular cloud-fearing phone users are looking for answers. And Apple, largely thought to be the weak security link, is silent.
Across the internet, the image leaks are being regularly referenced as an "iCloud hack," thanks to the original 4chan leaked photo posts, which alleged the photos were retrieved via Apple's cloud storage. And multiple sites have identified both notable vulnerabilities in iCloud (via Find My Phone) as well as well-documented communities of iCloud hackers, who can crack passwords with "brute force" programs (which allow for unlimited password guessing attempts) and download photos stashes in bulk.
However, three security researchers told BuzzFeed that it's too early to pin this security breach on the Apple cloud service, suggesting instead that the photos were obtained through multiple, individual hacks over a long period of time and then assembled into a larger collection through trading on obscure online forums.
Bryan Hamade, one of the prime suspects in the leak, told BuzzFeed on Monday, "It does seem the photos [were] passed around to multiple people before being leaked, so it may just be someone who has them and didn't hack to get them. They seem to have amassed a huge collection trading picture for picture and it's possible that whoever they sold it to started leaking the pictures yesterday."
Troy Hunt, an Australian security writer and expert, said the fact that fake photos have surfaced may undermine the severity of the breach. If that's true (that some photos are fake), it throws into question the legitimacy of the "hack," he wrote in an email to BuzzFeed.
"We may well find the attack vector is similar to that of an Australian scenario I wrote about, that is a separate attack (such as a phishing campaign) has successfully obtained credentials. That then of course is also predicated on other aspects of the victims' security being poor (such as missing two factor authentication), and that's entirely plausible," he said.
Hunt added that the nature of the leaked pictures — a variety of celebrities, many obscure, as well as barely any personal information besides photographs — means that a full-fledged breach of iCloud is also less likely. "One question worth asking is why celebrities are the 'target,'" Hunt said. "If there was a vulnerability in iCloud per se, you'd expect the 'hack' to be pretty indiscriminate. Yes, there's a greater financial upside if an attacker obtains photos and videos of high profile individuals, but they're a tiny percentage of the broader Apple ecosystem and you'd expect to see more 'collateral damage' to everyday citizens."
And Johns Hopkins computer science professor and info security expert Matthew Green warned the New Yorker's Jay Caspian Kang that "there's still no proof of a large-scale iCloud break-in, or that the images were ripped from the servers all at once."
That said, Apple may still be partially at fault for at least some of the breaches. According to a report from The Next Web's Owen Williams, the Find My Friends vulnerability allowed "malicious users to 'brute force' a target account's password on Apple's iCloud." Williams goes on to say that "brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one."
With no password timeout, hackers would be able to guess passwords an unlimited amount of times, allowing them to possibly run programs and try millions of variations in order to gain access. If that's the case, this would be a major security flaw and, in the case of those accounts hacked through iCloud, would be entirely Apple's fault.
The timing is also less than ideal for Apple, which is most likely putting the finishing touches on next week's keynote, where the company is set to unveil a line of new products including new iPhones and a much-anticipated wearable device. Part of Apple's wearable strategy is to obsessively track personal health data, which would ostensibly be stored to Apple's cloud services — medical data so personal that Apple has, according to Morgan Stanley, hired blood researchers to help. With the questions about Apple's cloud security swirling, it's possible this and other new features could suffer.
Two days into the affair, company's only comment on the invasion of celebrities' privacy is a short note via Apple spokeswoman Natalie Kerris to Recode, saying that Apple takes "user privacy very seriously and are actively investigating this report."
Apple has so far ignored multiple requests for comment from BuzzFeed regarding the iCloud vulnerability (which the company reportedly patched on Monday morning) as well as the nature of the celebrity hacks and whether they're all a result of a greater iCloud breach. A significant part of Apple's current mobile and desktop ecosystems run with the support of iCloud and many of the company's forward-facing initiatives depend on a safe and secure cloud.
Charlie Warzel is a Senior Technology Writer for BuzzFeed News and is based in Missoula, Montana
Contact Charlie Warzel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.