GO
Loading...

Apple says it is 'actively investigating' celeb photo hack

Attendees gather at the Apple Worldwide Developers Conference at the Moscone West center in June in San Francisco.
Getty Images
Attendees gather at the Apple Worldwide Developers Conference at the Moscone West center in June in San Francisco.

Apple said it was "actively investigating" the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.

"We take user privacy very seriously and are actively investigating this report," said Apple spokeswoman Natalie Kerris.

Photos, some real, some said to be fakes, are said to have been taken from the iCloud accounts of several celebrities, such as actress Jennifer Lawrence. They were posted to the Web image-sharing community 4Chan and have since spread across the Web, showing up on social media sites like Twitter, Reddit and elsewhere.

More from Re/Code:
Twitter Gets a New Welcome Mat
Apple Partnering With American Express on iPhone Payments
Howa Kickstarter Project Came to Power Cartoon Network's Next MobileGame

Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts.

Apple hasn't yet said anything definitive about how the attacks were carried out, but security researchers at Mandiant, a unit of the security firm FireEye, examined the evidence that has emerged so far, and said it appears to have been was a fairly straightforward attack. That said, it is also one that could have been thwarted had some additional steps to secure the targeted accounts been taken.

That additional step is known as two-factor authentication. Apple calls it "two-step verification," although it doesn't work very hard to tell people about it, said Darien Kindlund, director of threat research at Mandiant.

"In general Apple has been a little late to the game in offering this kind of protection, and doesn't advertise it," he said. "You have to dig through the support articles to find it."

When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for an attacker to gain access the account, even if they know the password.

Assuming the compromised accounts were running without the two-step option turned on, it would then have been relatively easy for the attacker to gain access to the accounts.

Read MoreAre banks or retailers more secure?

As The Next Web reported earlier today the attack may be linked to software on GitHub called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts. In this scenario, an attacker simply guesses a password again and again until they succeed. While tedious and time-consuming for a person, it's a simple and infinitely faster process for a computer.

The as-yet unknown attacker had one other thing going for him: Apple allows an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in to a system with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.

"The attackers never should have been allowed to make an unlimited number of guesses," Kindlund said.

Read MoreEx-Apple worker Sam Sung's irony nets $2,653

And while there's no direct evidence tying the program to the attack, the timing of the incident appears to coincide with a talk given by security researchers on the subject of security on iCloud. See the slides here.

A program called iBrute was created by security researchers in Russia as a proof of concept and demonstrated as part of a talk a security conference in St. Petersburg earlier this month.

It's not the first time that this sort of thing has happened, nor will it be the last. Back in 2005, socialite Paris Hilton was the target of a hacking attack in which pictures and text messages from her Sidekick smart phone were pilfered from a cloud storage account. A group of young men were prosecuted over that incident and another attack against the database giant LexisNexis, and most of them served time in federal prison or juvenile detention.

By Arik Hesseldahl, Re/code.net.

CNBC's parent NBC Universal is an investor in Re/code's parent Revere Digital, and the companies have a content-sharing arrangement.

Contact Technology

  • CNBC NEWSLETTERS

    Get the best of CNBC in your inbox

    To learn more about how we use your information,
    please read our Privacy Policy.
    › Learn More

Squawk Alley