Skip to main content

Apple denies iCloud breach in celebrity nude photo hack

Apple denies iCloud breach in celebrity nude photo hack

Share this story

Apple says that the mass theft of nude celebrity photos that were released over the weekend did not occur because of a breach in any Apple systems, including iCloud. Apple says, however, that certain celebrities were the subject of targeted hacking attempts that focused on compromising their usernames, passwords, and security questions — a common and well-tread technique across the web. Though Apple's statement doesn't make it entirely clear, it sounds as though iCloud may still have been involved in the thefts in some capacity: that is, Apple's customers may have had their iCloud usernames and passwords stolen, giving another party access to their account.

"We were outraged and immediately mobilized Apple’s engineers."

Apple also says that Find my iPhone was not involved in the photo thefts. There had been some speculation that this service was at fault, as someone had recently discovered and published a flaw in it that allowed a malicious party to continually guess passwords without any recourse. Apple appeared to have patched the issue shortly thereafter, and its statement implies that this Find my iPhone flaw was not used here. That said, Apple's statement also does not make it perfectly clear that this flaw was not put to use. Apple did not immediately respond to a request for clarification on the matter.

iCloud was immediately pointed to as a potential source of the stolen photos, particularly by anonymous commenters on 4chan who claimed to have some knowledge of their theft. At the very least, it was a reasonable guess: most of the photos are reported to have been taken on iPhones, and photos are often automatically backed up into Apple's cloud. This may still be part of the reason that these photos were available to be stolen, as iPhone owners may not always realize that their pictures are being backed up.

The cache of images began circulating on Sunday night and is said to include nude or partially nude photos of Jennifer Lawrence, Kirsten Dunst, and Kate Upton, among dozens of others. Several of these photos have been confirmed as genuine, while several others have been written off as fake. It remains unclear whether the theft was the product of a single hacker or a ring of hackers, as has occasionally been speculated, nor is it clear exactly when or over what period of time these pictures were stolen.

Apple is now attempting to distance its service from any fault in the hacks. In its statement, Apple says that it is "outraged" by the theft and has spent 40 hours investigating it, having immediately put engineers to work after hearing news. It'll be important for Apple to keep its customers comfortable with using iCloud, particularly because of some upcoming services it's said to have planned for the very near future. Apple is reported to be just a week away from announcing a mobile payments service, which would store credit cards, and a health-tracking wearable — both of which will require significant security.

The FBI has said that it is currently "addressing" the stolen photos, and Apple says that it's working with law enforcement on identifying culprits. Apple's full statement can be read below.

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at