Celebrity hack 'unlikely' a wide-scale iCloud breach
Jennifer Lawrence, Kate Upton et al likely victims of targeted attacks, says Trend Micro
Despite a number of celebrities having had their iCloud accounts compromised, a wide-scale ‘hack' of Apple's iCloud service is unlikely, according to Trend Micro's Rik Ferguson.
Earlier this morning, news broke that celebrities such as Jennifer Lawrence and Kate Upton had had nude photos stolen from their private iCloud accounts. The perpetrator of the cyber-crime posted up the stolen images on counter-culture site 4Chan, as well as a list of other celebrity accounts that he had compromised.
Despite the worries this may cause over the security of iCloud, however, Ferguson explained in a blog post that it was much more likely that the victims were individually targeted. He based this on the nature of the material that was stolen from their accounts and the fact that only certain celebrities were involved.
Ferguson went on to discuss possible scenarios of how the breach was conducted. He said that the least likely scenario would be that every celebrity had weak, easy-to-guess passwords guarding their accounts, and that the hacker simply worked them out and logged on.
More likely, Ferguson said, were a number of other possible scenarios. For example, if the attacker already knew the email address that the victim was using for iCloud, they could have used the ‘Forgot my password' link, assuming that the victim was not using two-factor authentication, he said.
"Without two factor authentication, the password reset uses the traditional ‘security question' method. The peril in this for celebrities is that much of their personal information is already online and a security question such as ‘Name of my first pet' may be a lot less "secret" for a celebrity than it is for you and I," he wrote.
Or else, the attack could have been the result of password re-use, Ferguson said. He said that, with so many people affected by recent, high-profile mega-breaches, stolen credentials are now incredibly easy to come by. Therefore, if the victims were using the same passwords for iCloud, then an attacker could easily compromise the account, he warned.
The final scenario would be simply that the celebrities were affected by phishing attacked, Ferguson said.
"It's old-school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack," he explained.
While this latest incident is an example of how wrong things can go when cyber-criminals gain access to personal data, Ferguson said that a number of lessons can be drawn from the debacle. Firstly, he advised that, if an online service is offering options that increase security, then users should enable these options.
"Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I'm willing to bet that a compromise of a service at the heart of your digital life will be considerably more so," he said.
Ferguson added that users should avoid reusing passwords across multiple online services, as well as consider how secure their ‘secret questions' are - the answer should only be available to the individual, and not anyone else.