Apple said Tuesday a “targeted attack” on some user accounts led to the release of nude celebrity photos but that it found no breach of its cloud storage system.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” Apple said.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
The statement was the first since the release at the weekend of private, nude pictures of dozens of celebrities including actress Jennifer Lawrence and top model Kate Upton.
“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” the Apple statement said.
The FBI confirmed it was investigating.
“The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high-profile individuals, and is addressing the matter,” the US law enforcement agency said.
“Any further comment would be inappropriate at this time.”
The Apple statement suggested that the celebrities had their accounts hacked by using easy-to-guess passwords, or by giving up their personal data to cybercriminals posing as Apple, a technique known as “phishing.”
Hundreds of nude pictures of the stars were apparently posted, causing shockwaves in Hollywood and in the computer security community.
Among the scores of celebrities whose pictures were allegedly stolen were singer Avril Lavigne, actress Hayden Panettiere and United States soccer star Hope Solo.
Former Nickelodeon star and singer Victoria Justice said the images claiming to show her nude were anything but the real deal.
Chris Morales, a security specialist with NSS Labs, told AFP the hack appeared to be going on for some time, accessing multiple accounts — not just of celebrities but of their friends and associates.
“The pictures weren’t just from celebrity accounts,” Morales said.
“They might have been from friends or ex-boyfriends or other people. Someone did a lot of digging.”
Morales added that it is possible that the person or persons who leaked the pictures were not the hackers, but obtained the photos later.
“The people who put it online were trying to trade photos for bitcoins,” he said.
“It was claimed that this was a sampling of a bigger cache.”
Morales said Apple’s security practices may be called into question but that it is following industry standards.
“They want to make it easy to use, so it is easy to hack,” he said.
Apple and others offer customers so-called two-factor authentication, an extra layer of security that will allow users to reset a password through a code sent to an email or phone.