Apple has confirmed that a large number of celebrity iCloud accounts have been compromised, and indeed it's likely that it wasn't just nude and semi-nude photos (and videos) which were stolen from the hundred or so victims.
Apple issued a press advisory after 40 hours of investigation into the affair, which is said to have left the company "outraged". Cupertino said that iCloud had not been hacked or breached itself; rather, the accounts had been undone by a "very targeted attack on user names, passwords and security questions".
While the naked photos have been the scandal and gossip this week, one point that seems to have been overlooked by many is the fact that it's likely that images aren't the only things the attacker was able to pilfer.
The Sydney Morning Herald reported that Nik Cubrilovic, an Australian security expert, noted that it's very likely those who breached the accounts also made off with texts, contacts, calendars, notes, and potentially other info which hasn't been published (yet). These would be accessible via special forensic software which can extract the data from cloud-based backups.
Cubrilovic said the attacker(s) would also have been able to access real-time GPS coordinates via the Find My iPhone service – and remember, this is the location of major celebs we're talking about here (and their address books and so forth).
We could yet see more of a storm from this incident, and in general, Cubrilovic noted that: "What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organised across a large number of sites (both clearnet and darknet) with most organisation and communication taking place in private (email, IM)."
Cubrilovic also said that iCloud is the most popular target for hackers due to the popularity of the iPhone, and because Picture Roll backups are enabled by default (Windows Phone backups, on the other hand, are off by default, and Android uses various third-party backup apps).
As we advised yesterday, Apple has told iCloud users that to be fully secure, they need a strong password and to enable two-factor authentication.
However, Cubrilovic also said: "Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups."
He goes into great detail about what is wrong with Apple's current account recovery process and how that can be leveraged by hackers; read more in his lengthy blog post.
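To make Cubrilovic's point about two-factor authentication concrete, here is a small added model written for this article; it is not Apple's code and does not reflect how iCloud is actually implemented. The `BackupService`, `Token`, `Account` names and the static one-time code are all hypothetical. It shows a service where the second factor gates account changes but, in the "weak" configuration, is never consulted when a backup is downloaded, so a password-only session can pull the backup; the "hardened" configuration checks the same flag on the backup endpoint.

```python
"""Toy model: a second factor that gates account changes but not backup
retrieval does not stop backup extraction.  Constructed example; all
names, flows and values are hypothetical, not Apple's iCloud design."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    # None means no second factor enrolled.  A static code stands in for a
    # real TOTP/SMS factor purely so the example runs offline (constructed).
    otp_code: Optional[str]
    backups: List[str] = field(default_factory=list)


@dataclass
class Token:
    user: str
    mfa_verified: bool  # did this session present a valid second factor?


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BackupService:
    """Hypothetical cloud backup API.  `require_mfa_for_backup` selects
    whether the backup endpoint honours the second factor at all."""

    def __init__(self, require_mfa_for_backup: bool):
        self.require_mfa_for_backup = require_mfa_for_backup
        self.accounts: Dict[str, Account] = {}

    def register(self, user, password, otp_code=None, backups=()):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(
            salt, _hash_password(password, salt), otp_code, list(backups))

    def login(self, user, password, otp=None) -> Token:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                _hash_password(password, acct.salt), acct.password_hash):
            raise PermissionError("bad credentials")
        mfa_ok = (acct.otp_code is not None and otp is not None
                  and hmac.compare_digest(otp, acct.otp_code))
        # The password alone yields a usable token; the second factor is
        # only recorded on the token and enforced per operation below.
        return Token(user, mfa_ok)

    def change_security_questions(self, token: Token) -> bool:
        # Account management always demands the second factor.
        if not token.mfa_verified:
            raise PermissionError("second factor required")
        return True

    def download_backup(self, token: Token) -> List[str]:
        # Weak design: a valid token is enough, mfa_verified is ignored.
        if self.require_mfa_for_backup and not token.mfa_verified:
            raise PermissionError("second factor required")
        return list(self.accounts[token.user].backups)


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> Dict[str, str]:
    """Run a password-only session and a full session against both designs."""
    results = {}
    for label, gate in (("weak", False), ("hardened", True)):
        svc = BackupService(require_mfa_for_backup=gate)
        svc.register("victim", "example-passphrase", otp_code="000000",
                     backups=["device-backup.bak"])  # constructed data
        password_only = svc.login("victim", "example-passphrase")  # no OTP
        with_otp = svc.login("victim", "example-passphrase", otp="000000")
        results[f"{label}/backup_password_only"] = _attempt(svc.download_backup, password_only)
        results[f"{label}/backup_with_otp"] = _attempt(svc.download_backup, with_otp)
        results[f"{label}/account_change_password_only"] = _attempt(
            svc.change_security_questions, password_only)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40s} {v}")
```

The defensive takeaway is the flag check in `download_backup`: the second factor only protects data if every endpoint that can hand that data out actually enforces it, and a backup endpoint that trusts any valid session token is exactly the gap the quote describes.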