Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.
“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.
Photos — some real, some possibly fakes — are said to have been taken from the iCloud accounts of several celebrities, such as actress Jennifer Lawrence. They were posted to the Web image-sharing community 4chan and have since spread across the Web, showing up on social media sites like Twitter, Reddit and elsewhere.
Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts.
Apple hasn’t yet said anything definitive about how the attacks were carried out, but researchers at the security firm FireEye examined the available evidence and said it appears to have been a fairly straightforward attack that could have been thwarted.
Apple calls the additional step usually known as two-factor authentication “two-step verification,” although it doesn’t work very hard to tell people about it, said Darien Kindlund, director of threat research at
“In general, Apple has been a little late to the game in offering this kind of protection, and doesn’t advertise it,” he said. “You have to dig through the support articles to find it.”
When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for attackers to gain access to the account, even if they know the password.
Assuming the compromised accounts were running without the two-step option turned on, it would have been relatively easy for the attacker to gain access to the accounts.
As The Next Web reported earlier today, the attack may be linked to software on GitHub called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts. In this scenario, an attacker simply guesses a password again and again until he or she succeeds. While tedious and time-consuming for a person, it’s a simple and infinitely faster process for a computer.
The as-yet-unknown attacker had one other advantage: Apple allows an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in to a system with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.
“The attackers never should have been allowed to make an unlimited number of guesses,” Kindlund said.
And while there’s no direct evidence tying the program to the attack, the timing of the incident appears to coincide with a talk given by security researchers on the subject of security on iCloud. See the slides here.
The iBrute program was created by security researchers in Russia as a proof of concept and demonstrated as part of a talk at a security conference in St. Petersburg earlier this month.
It’s not the first time that this sort of thing has happened, nor will it be the last. Back in 2005, socialite Paris Hilton was the target of a hacking attack in which pictures and text messages from her Sidekick smartphone were pilfered from a cloud storage account. A group of young men were prosecuted over that incident and another attack against the database giant LexisNexis, and most of them served time in federal prison or juvenile detention.
Update: I corrected Kindlund’s association as being with FireEye, not its Mandiant unit.
This article originally appeared on Recode.net.