Apple Inc. said its iCloud service wasn’t breached by hackers who posted nude pictures of celebrities, as the company works to deflect questions about the security of its systems.
Photos from the celebrities were stolen individually, the company said. The celebrity accounts were “compromised by a very targeted attack on user names, passwords and security questions, a practice that is all too common on the Internet,” Cupertino, California-based Apple said in a statement today.
Apple is working to quiet a firestorm about the hacked celebrity accounts, with nude photos of actress Jennifer Lawrence and others surfacing over the last few days on the Internet, allegedly obtained by hackers who used the company’s iCloud service to illegally access files. The reports threatened to mar Apple’s event on Sept. 9, where the company is set to unveil new iPhones, a wearable device and a mobile-payments system, people with knowledge of the matter have said.
The incidents spurred the U.S. Federal Bureau of Investigation to release a statement yesterday saying the agency is aware of the allegations “concerning computer intrusions and the unlawful release of material involving high profile individuals.” The agency is “addressing the matter,” Laura Eimiller, an FBI spokeswoman in Los Angeles, said by e-mail.
The incident highlights challenges that Apple and other developers of Internet services confront in striking a balance between security and convenience, said Brian Finch, a partner in the Washington office of the law firm Pillsbury Winthrop Shaw Pittman LLP. Part of that challenge is that many consumers are unwilling to use features that tighten security while making the services harder to use, he said.
“You can’t sell what people don’t want and there needs to be a greater awareness among consumers about the need for security and the effectiveness of security functions,” Finch said. “So much of cyberattacks can occur because the Internet and so many services are built for reliability first. Security is a far lower consideration.”
Celebrities are easy targets because so many personal details about them are already public, which can make it easy for hackers to guess the answers to their security questions. Sarah Palin’s Yahoo account was once hacked when a college student used a Wikipedia page to find her birth date, and Paris Hilton’s T-Mobile account was breached when hackers correctly entered her dog’s name in response to her security question.
The iCloud service is a key part of Apple’s strategy to unite its iPhones, tablets and desktop computers, letting users store contacts, e-mails, photos and other personal information on external systems they can access.
Apple said in its statement today that a flaw with iCloud wasn’t responsible, nor was its “Find my iPhone” feature.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” Apple said. “Our customers’ privacy and security are of utmost importance to us.”
The company said it is working with law enforcement to identify the perpetrators of the hacks.
Apple is also encouraging people to use stronger passwords: at least eight characters, including one number, one letter and one capital letter, and not used in the prior year. Apple also wants customers to use two-step verification, which means that after a password is entered, an additional code will be sent to a person’s mobile phone.
Security and privacy are key issues for Apple as it introduces new services that will require people to trust the company with sensitive information. New HealthKit software serves as a clearinghouse for health- and fitness-related information, while the next batch of iPhones will include technology so they can be used for making payments.