What the iCloud 'hack' can teach us

What the iCloud 'hack' can teach us
Keke Palmer, Kim Kardashian, Hayden Pannettiere and Selena Gomez are reportedly victims of the recent hacking.

We awoke yesterday morning to the entirely unnecessary sight of the presumed personal photos of several celebrities, the pictures ranging from the fully clothed "mirror selfie" to the far more explicit.

Victims included Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice.

For obvious reasons, clicking on links to "naked celebrity" photos or opening e-mail attachments related to this would be a very bad idea right now - expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board, where the author is claiming to have much more photographic and even video material, stolen from Apple iCloud accounts and for sale to the highest bidder.

The reality of many of these images poses an uncomfortable question for anyone using iCloud and, indeed, anyone who has anything they would rather keep private: Is my cloud storage safe?

A wide-scale "hack" of iCloud is unlikely - even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material make this seem far more targeted. So, how could it have happened?

Possible scenarios

» (Least likely) All the celebrities affected had weak, easy-to-guess passwords. The hacker simply worked them out and logged in.

» If the attacker already knew the e-mail address which a victim is using for iCloud, then he could have used the "I forgot my password" link, assuming that the victim had not enabled two-factor authentication for iCloud.

Without two-factor authentication, the password reset uses the traditional "security question" method.

The peril in this for celebrities is that much of their personal information is already online. A security question such as "Name of my first pet" may be a lot less "secret" for a celebrity than it is for you and me.

» The attacker broke into another connected account with a weaker password or security, perhaps a webmail account that is used to receive password reset e-mail messages sent by iCloud.

» Password reuse. Too many people are happy to use the same password across multiple services.

With so many people affected by recent high-profile mega-breaches, the number of simple lookup services for stolen credentials and the amount of details for sale online have skyrocketed.

At the same time, the price of stolen data has tumbled, thanks to oversupply.

Of course, if the victim is using the same password for iCloud as for another already compromised or easily compromised service, the doors to iCloud are open.

» Phishing. It's old school, but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page, would do the job just as well as any more complex hack.

Next: What are the lessons here?

More about

Purchase this article for republication.



Your daily good stuff - AsiaOne stories delivered straight to your inbox
By signing up, you agree to our Privacy policy and Terms and Conditions.