In what amounts to a “don’t blame us” statement, Apple appears to be trying to shake off any culpability it might have in this weekend’s massive posting of hundreds of stolen photos of female celebrities in various states of undress (again — no, we’re not linking to them). The company is saying there was no data breach on iCloud or Find My iPhone… but only in the sense that not everyone’s photos were stolen.
In a statement released this afternoon, Apple explains (bolded for emphasis):
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
The question is what, exactly, constitutes a data breach.
No, the hackers did not find some back door in iCloud or the Apple network to access these victims’ accounts.
So that should be some comfort for people who might have been worried that these stolen images were just part of a much larger data heist, or that there was some easily exploitable hole in iCloud.
But what the Apple statement does not address is the original claim made by hackers that they were able to unlock these victims’ accounts via brute force, by repeatedly trying passwords and/or security questions until they succeeded.
This should not be an option, and the fact that outsiders were able to eventually figure out these answers does still raise concerns about Apple’s safety protocols. So it’s not a data breach, but personal data has been stolen.
The only way in which Apple could be completely blameless is if these hackers had gained access to passwords and security questions through other means and were able to enter them into the account within the first few attempts.
by Chris Morran via Consumerist