The theft of private celebrity photos wasn't the result of an iCloud system security breach, an "outraged" Apple revealed.
The Cupertino company said in a statement it mobilized its engineers as soon as it heard of the attack over the long US holiday weekend. After more than 40 hours of investigation, it determined "that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions."
Apple called attacks like this "all too common on the internet."
It concluded that none of the photos were obtained through "any breach in any of Apple's systems including iCloud or Find my iPhone." However, it sounds as though individual iCloud accounts were compromised to obtain the images. As described by Apple, the hack appears to have stemmed from some sort of phishing scheme, a brute-force attack in which the attackers kept guessing account passwords until they gained access, or both.
Son of a breach
The attack saw nude photos of A-list celebrities hit the web, though a number were written off as fake.
Veracity of photos aside, the leaks raised concerns among users, especially since Find my iPhone previously allowed unlimited password entry attempts.
Apple has since limited the number of attempts to five, and today it repeated the message that users should create a strong password and set up two-step verification to protect themselves. More information on security is available through the Apple support page.
The high-profile hack comes at a bad time for Apple. It's expected to unveil the iPhone 6 and iWatch a week from today. Among the new iPhone's rumored features is an integrated mobile payment platform; a hack of this size and type doesn't exactly breed confidence in the security of Apple's systems.
The company said it's continuing to work alongside law enforcement to track down the celebrity photo leak perpetrators. TechRadar asked Apple if it is any closer to identifying the individual or individuals responsible and whether the company is planning to implement any further security measures as a result of the attack.
We'll update this article when we hear back.