iCloud hack

Celebgate iCloud phisher pleads guilty to accessing 30+ celebrity accounts, faces 5 years

One of the men behind the ‘Celebgate’ phishing attack has pleaded guilty to accessing more than 300 iCloud and Gmail accounts, including ‘at least 30’ belonging to celebrities. The plea was announced by the U.S. Attorney’s Office for the Central District of California.

Edward Majerczyk, 28, who resides in Chicago and Orland Park, Illinois, was named in a criminal information filed today in United States District Court in Los Angeles. Majerczyk has signed a plea agreement in which he agrees to plead guilty to a felony violation of the Computer Fraud and Abuse Act, specifically, one count of unauthorized access to a protected computer to obtain information.

Another of the Celebgate offenders, Ryan Collins, also took a plea back in March in return for a recommended sentence of 18 months …



Five Apple logins remain unprotected by two-factor authentication when using an unknown device

Video: https://www.youtube.com/watch?v=IKKZfZUqk3I

More than four months after Tim Cook promised emailed login alerts and the reintroduction of two-factor authentication in the wake of the high-profile celebrity iCloud hacks, five Apple logins remain unprotected by the system. Hackers of NY founder Dani Grant used videos to demonstrate each of the vulnerabilities in a blog post.

Grant showed that two-factor authentication isn’t needed when using an unknown Mac to log in to iMessage, iTunes, FaceTime, the App Store or Apple’s website. According to Grant, only one of the five services sent an email notification advising that an unknown device was used to log in …

Phone Breaker iCloud-hacking software now supports 2FA, allows access to WhatsApp & iWork files

Elcomsoft’s Phone Breaker software, used by law enforcement agencies but also thought to have been used by iCloud hackers to access celebrity nudes, has been updated to support accounts using two-factor authentication, reports Macworld. It can also now access WhatsApp message files and iWork documents.

It’s not as scary as it sounds – the software can only be used once the attacker already has an Apple ID and password, together with either a second trusted device or your recovery key. A phishing attack is the most common way to obtain these, so as long as you use strong, unique passwords and don’t click on links in emails claiming to be from Apple, you should be safe. But it does allow users of the software to download either entire iPhone backups or selected data direct from iCloud much more easily than having to go through a compromised device by hand.

The more security-conscious will, though, want to heed Apple’s advice not to store your account recovery code on any of your devices: the software can automatically scan both your Mac and any external drives for these.

If you don’t yet have a recovery code for your Apple ID, do get one: even an unsuccessful hack attempt can lock you out of your account, and without a recovery key, there’s no way back in.

Via Engadget

Apple aware of iCloud brute-force vulnerability six months before ‘Celebgate’

The software developer credited by Apple for discovering last year’s developer center flaw says that he informed Apple of an iCloud weakness that may have been used to obtain celebrity nudes more than six months before the photos were accessed.

The Daily Dot reports that Ibrahim Balic advised Apple in March of a Find My Phone weakness that would allow brute-force attacks on iCloud accounts. It has been suggested that this may have been one of the methods used to access the accounts – or even complete iPhone backups – of celebrities … 

Apple briefs Congress in its continuing effort to promote its privacy credentials

Politico reports that Apple briefed a Congressional committee on the security and privacy of its products following concerns raised by the celebrity nudes story.

A week after Apple rolled out new products that track users’ health and fitness, the company dispatched its executives to Capitol Hill to address emerging privacy and security concerns […]

Bud Tribble, the company’s chief technology officer, and Afshad Mistri, its health product manager, briefed the powerful House Energy and Commerce Committee, according to three congressional sources.

Apple is clearly focusing on communicating its commitment to securing user data. Tim Cook yesterday published a letter on the company’s website addressing the issue. Apple also added a new webpage specifically focusing on the security credentials of iOS, OS X and its cloud services.

While it now appears clear that the methods used to obtain celebrity nudes from iCloud were a combination of phishing and weak security questions rather than any fundamental weakness in the service itself, Apple will be keenly aware that perceptions matter as much as, if not more than, facts.

Photo credit: Wikipedia

One third of Americans have improved their online security since the iCloud hacks

A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef up their online security in response to the iCloud hacks.

The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification … 

Opinion: After the celebrity hacks, the vulnerability that still exists and what needs to be done

There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)

But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions.

[Update: Tim Cook has confirmed these were the two methods used] 



Metadata analysis of leaked photos suggests complete iPhone backups obtained

A forensics consultant and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the iCloud ID and password have been obtained.

If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …



FBI investigating alleged iCloud celebrity hack as Reddit ‘suspect’ declares innocence

The FBI is now leading the investigation into the alleged iCloud hack in which nude photographs of a number of celebrities were obtained, reports the Telegraph. FBI spokesperson Laura Eimiller said:

[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.

It has been suggested that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities … 

Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks

The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News … 