Apple admitted that some of its most famous customers’ iPhone accounts were invaded by hackers, as US law enforcement investigates the mass leak of intimate photographs of more than 100 celebrities.
Its central iCloud systems were not breached in the attack, despite claims by the hackers, Apple stressed, averting a wider threat that might have affected all iPhone owners.
In a statement on Tuesday, Apple said the attack on “certain celebrity accounts” was “very targeted” against their user names and passwords.
Personal images of actors including Oscar winner Jennifer Lawrence first appeared on 4chan, the unruly internet message board, over the weekend before spreading via social media.
Apple said it was “outraged” by the intrusion, which it presented as a generic problem for online accounts, rather than a specific problem with iCloud. It recommended that all iPhone, iCloud and iTunes customers use long passwords and sign up for “two-step verification”, which adds another layer of security.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet,” Apple said.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
The attack on some of its best-known customers’ extremely sensitive personal information comes at an awkward time for Apple, as it gears up for its biggest product launch in several years next week.
The Federal Bureau of Investigation said it was aware of alleged “computer intrusions and the unlawful release of material involving high-profile individuals” and that it was “addressing the matter”, Bloomberg reported.
Some celebrities, including Ms Lawrence, have confirmed the authenticity of the private photos. Others whose images appear to have been released include singer Rihanna, Kim Kardashian, the reality television star, and actresses Kirsten Dunst and Mary Winstead.
“Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked,” tweeted Ms Winstead.
Before Apple’s comments, there had been a broad range of speculation about the source of the leak. Some analysts pointed to a report on GitHub, a collaboration platform for software developers, about a technical fix Apple had made over the weekend, perhaps to close a possible route for attackers.
Others suggested the leak might have been the result of “phishing” attacks whereby celebrities or their managers had been tricked into sharing their passwords.
These “social engineering attacks” involve emails that appear to be legitimate requests for account details from the companies operating social networks, email accounts or cloud storage sites.
“We have a lot of speculation on this story, but not a lot of facts,” said Carl Howe, vice-president of data sciences research at 451 Research, an analyst group.
“More likely, if the photos are genuine, it was a social engineering attack of some form – ie, they guessed a celeb’s password or got it from a friend.”
Other security researchers said that before the weekend’s change to its “Find My iPhone” service, Apple had previously allowed users – and, therefore, potential attackers – to make an unlimited number of guesses at their password.
Other services typically lock an account after a certain number of incorrect attempts to enter login details. So-called “brute force attacks” use software programmes to enter many potential passwords until the right one is guessed.
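The lockout policy described above, as an added illustration that is neither Apple's code nor the article's own: a toy password check run with and without a consecutive-failure lockout, so that the difference between an endpoint that evaluates every guess and one that stops after a few failures can be measured. The threshold, lockout window, in-memory user store and sample attempts are all assumed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_FAILURES = 5           # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed policy: refuse logins for 15 minutes

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow KDF so that each guess stays expensive; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AuthService:
    """Password check with an optional consecutive-failure lockout."""

    def __init__(self, enforce_lockout: bool):
        self.enforce_lockout = enforce_lockout
        self.users = {}     # username -> (salt, hash); constructed store
        self.failures = {}  # username -> (consecutive failures, last failure time)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def is_locked(self, username: str, now: float) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return (self.enforce_lockout and count >= MAX_FAILURES
                and now - last < LOCKOUT_SECONDS)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"  # refuse without checking, even if the password is right
        record = self.users.get(username)
        if record and hmac.compare_digest(_hash_password(password, record[0]), record[1]):
            self.failures.pop(username, None)  # success clears the counter
            return "ok"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)
        return "bad_credentials"

def attempts_checked(service: AuthService, username: str, n: int) -> int:
    """Send n wrong passwords; count how many the service actually evaluated."""
    return sum(service.login(username, f"wrong-{i}", now=0.0) != "locked"
               for i in range(n))

if __name__ == "__main__":
    for lockout in (False, True):
        svc = AuthService(enforce_lockout=lockout)
        svc.add_user("alice", "correct horse battery staple")
        print("lockout" if lockout else "unlimited", attempts_checked(svc, "alice", 20))
```

With lockout disabled all 20 wrong passwords are evaluated; with it enabled only the first five are, and a correct password is refused until the window expires.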
“It’s a common mistake for companies, but Apple likes to be seen as more secure than average,” said David Chismon, a senior researcher at MWR InfoSecurity, a cyber security group.
The leak has generated renewed attention on the question of the integrity of personal information stored online.
“People need to decide if they want highly personal information to be in the cloud, because once it’s there, it’s at risk,” said Mr Chismon. “What people often don’t realise is that because many phones back themselves up automatically, a lot of data are being put on cloud services whether they know it or not.”
The news also underlines risks for companies that are banking on corporate clients putting ever more data in the cloud, including “software as a service” groups such as Dropbox and Box. Consumer-facing technology groups including Apple and Google have also tried to strengthen their security offerings to appeal to corporate users.