Apple says the theft of intimate photos of celebrities including Oscar-winner Jennifer Lawrence was due to a targeted attack on individual iCloud accounts.
Concerns had been raised that the theft was the result of a breach of Apple’s iCloud or Find my iPhone systems, but the company said that its investigations had revealed that the leak came from the apparent hacking of individual iCloud accounts storing personal data.
The scandal, which also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more, has come at a bad time for Apple as it prepares to launch a new iPhone next week.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us,” Apple said in a statement.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
Apple's iCloud service allows users to store photos and other content and access it from any Apple device.
Some cyber-security experts have criticised Apple for failing to make its devices and software easier to secure with two-factor authentication, which requires a one-time verification code in addition to the password when a user logs in, especially as smartphones and cloud storage are increasingly used for healthcare and banking applications.
"We need to get to a point where security is the standard (and) Apple could make it easier in the set up," said Branden Spikes, founder and CEO of Spikes Security and former chief information officer of Space Exploration Technologies.
Experts say the perpetrators may have obtained the celebrities' email addresses and mounted a long-running phishing campaign, a relatively straightforward attack in which victims are lured to a link that leads to a counterfeit login page, and the user name and password they type there are captured by the attacker.
Another possibility, initially suspected, was a brute-force attack on Apple’s Find my iPhone login, in which software cycles through large numbers of candidate passwords until one is accepted; an attack of that kind only works if the login endpoint does not throttle or lock out repeated failed attempts. Apple's statement that none of its systems was breached appears to rule this out.
"This feels like a brute-force attack and someone's using bad passwords," said Michael Fertik, chief executive of online image manager Reputation.com. "If you must take a nude photo use a non-obvious password."
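The brute-force scenario the experts describe above comes down to two controls: the service limiting failed login attempts, and the operator noticing a burst of failures that ends in a success. The following added example is not Apple's code and does not reflect how iCloud or Find my iPhone actually behaved; it is an illustrative Python script that runs a wordlist against a toy login service with and without an account-lockout policy, and runs a sliding-window detector over a constructed authentication log. The user names, IP addresses, log format, thresholds and wordlist are all assumptions chosen for the demonstration.

```python
"""Password brute force versus account lockout, and detection of a guessing burst.

Added illustrative example; the log format, names, addresses and thresholds
are constructed for this demo and are not Apple's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hmac

START = datetime(2014, 8, 31, 10, 0, 0)

# Assumed attacker wordlist; the account's real password is the 7th entry.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "monkey", "dragon1"]


class LoginService:
    """Toy login endpoint. max_failures=None means no lockout at all."""

    def __init__(self, credentials, max_failures=5,
                 window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        # Toy: plaintext passwords. A real service stores salted password hashes.
        self._creds = credentials
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._fails = defaultdict(list)   # user -> timestamps of recent failures
        self._locked_until = {}           # user -> datetime

    def attempt(self, user, password, now):
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "locked"              # rejected even if the guess is correct
        expected = self._creds.get(user, "")
        if hmac.compare_digest(expected.encode(), password.encode()):
            self._fails[user].clear()
            return "ok"
        if self.max_failures is not None:
            q = self._fails[user]
            q.append(now)
            while q and now - q[0] > self.window:   # forget old failures
                q.pop(0)
            if len(q) >= self.max_failures:
                self._locked_until[user] = now + self.lockout
                q.clear()
                return "locked"
        return "fail"


def simulate_guessing(service, user, wordlist, start=START):
    """Attacker tries one guess per second. Returns (final outcome, guesses used)."""
    now = start
    for i, guess in enumerate(wordlist, 1):
        outcome = service.attempt(user, guess, now)
        if outcome in ("ok", "locked"):
            return outcome, i
        now += timedelta(seconds=1)
    return "exhausted", len(wordlist)


def constructed_log():
    """Constructed sample log: '<ISO timestamp> <user> <source ip> <OK|FAIL>'."""
    lines = [f"{(START + timedelta(seconds=i)).isoformat()} alice 203.0.113.7 FAIL"
             for i in range(12)]
    lines.append(f"{(START + timedelta(seconds=12)).isoformat()} alice 203.0.113.7 OK")
    lines.append(f"{(START + timedelta(minutes=5)).isoformat()} bob 198.51.100.4 FAIL")
    lines.append(f"{(START + timedelta(minutes=30)).isoformat()} bob 198.51.100.4 OK")
    return "\n".join(lines)


def parse_line(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome


def detect_bruteforce(log_text, max_failures=10, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs with >= max_failures failed logins inside a sliding
    window, and record whether a success followed the burst (likely compromise).
    Keying on (user, ip) misses attackers who spread guesses across many IPs;
    a per-user count would catch that at the cost of more false positives."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    recent = defaultdict(list)
    alerts = {}
    for ts, user, ip, outcome in events:
        key = (user, ip)
        if outcome == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.pop(0)
            if len(q) >= max_failures:
                alerts[key] = {"failures": len(q), "followed_by_success": False}
        elif outcome == "OK" and key in alerts:
            alerts[key]["followed_by_success"] = True
    return alerts


if __name__ == "__main__":
    creds = {"alice": "dragon1"}
    print("no lockout:", simulate_guessing(LoginService(creds, max_failures=None), "alice", WORDLIST))
    print("lockout after 5:", simulate_guessing(LoginService(creds, max_failures=5), "alice", WORDLIST))
    for key, info in detect_bruteforce(constructed_log()).items():
        print("ALERT", key, info)
```

Without a lockout the wordlist reaches the real password on the seventh guess; with a five-failure lockout the account is locked on the fifth attempt and the correct password is refused for the lockout period. The detector flags the alice/203.0.113.7 pair and notes that the burst ended in a successful login, which is the signal an incident responder would triage first; bob's single failure followed by a success half an hour later is ignored.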
The photos were posted on image-sharing forum 4Chan, prompting Lawrence's representatives to describe their release as a "flagrant violation of privacy" and contact law enforcement authorities.
Fertik said hacked celebrities would likely have to live with the leaked photos remaining outside their control for the foreseeable future.
The FBI said it is addressing the celebrity photo hacking, but added that any further comment "would be inappropriate at this time."
Apart from any criminal charges that might be pursued under federal or state hacking laws, Lawrence and the other celebrities could bring civil lawsuits against the alleged hacker or hackers and those who shared the photos.
But according to Marc Maiffret at security firm BeyondTrust the incident also underscores the longer-term risks for mobile users as smartphones increasingly become the repository for far more sensitive healthcare, banking and personal data.
"Every great innovation is convenient but also a big opportunity for the bad guys in the world," he said.