In the wake of explosive news reports about celebrity iCloud accounts being hacked, with hundreds of personal photos—many salacious—being stolen, Apple says that its systems have not been breached. Instead, the accounts were usurped the old-fashioned way, with hackers employing simple social engineering tricks on users who haven't done enough to protect themselves.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," an Apple statement notes. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
News of the celebrity account hacks—which include alleged nude photos of a popular actress named Jennifer Lawrence—has been a mainstay of mainstream and entertainment news for the past few days, of course. But the charge was that hackers had masterminded an attack on Apple's cloud services over several months, with the standard "cloud computing is unsafe" concerns voiced yet again.
But iCloud—or cloud computing in general—wasn't really at fault. Instead, the big issue was a familiar problem the personal computing industry has been wrestling with for decades: Users simply don't take basic steps to protect themselves from hackers and exploits.
To its credit, Apple recommends the obvious: Users should review their account security settings, create complex passwords, and implement two-step authentication. That latter feature, though sometimes inconvenient, means that even should a hacker gain access to your account name and password, they will not be able to access your account because they lack the second step of authentication, which is usually a temporary code sent to a smart phone owned and controlled by the actual user.
Apple isn't alone among cloud providers offering two-step authentication, of course. So do Google, Microsoft, Dropbox, and many others. But Apple's implementation of two-step authentication is apparently somewhat flawed: It's only triggered by online purchase, support and account management interactions with Apple, and not by accessing the user's photo stream, as noted by Gizmodo.
While many were quick to draw conclusions about the security implications of putting private data in the cloud when the celebrity hacking stories began appearing, the lessons here are in fact a lot less dramatic.
First, we need to take responsibility for our own security by choosing services that offer strong controls and doing everything we can to lock the virtual doors. As noted, Apple's security isn't strong enough to adequately protect users, though the "hack" was made possible because people aren't securing their accounts effectively.
And second, it appears that a lot of celebrities use Apple products. Profound, eh?