iCloud leak, the aftermath?

Last week was full of surprises as some of the most popular platforms experienced considerable problems. If all the articles about iCloud’s major leak aren’t enough for you, read on to find out a different view and notable recommendations on the matter!

Situation summary:
I’m sure most of you are already aware that on the 31st of August provocative photos of celebrities were released online after their iCloud accounts were hacked. There are different speculations about how exactly were they retrieved, but there are a few that stand out the most:
  • Breach in iCloud‘s system – After an approximate 40 hour investigation on Apple’s part, the company has claimed that none of the cases have been the result from a breach of Apple’s systems, iCloud or Find my phone. Rather than that some of the celebrity’s accounts were specifically attacked by a very common method that includes the guessing usernames, passwords and security questions based on information carefully gathered throughout the time and more. However, we wouldn’t know to what extend this theory can be denied, as the collection of the exposing photos might have started earlier we can guess.
  • iBrute &Find my Phone – Coincidence or not, two days (or more precisely 36 hours) before the major leak, a glitch had been put on Github, stating that iCloud’s Find my phone app, was not protected (Apple has already patched the flaw) from brute force attacks, consequently being the cause of the incident.
  • The images were not stolen from an Apple service at all – Although this hypothesis is less believable, some speculate that pictures were not only stolen from iCloud, but from other similar services as well.
Apple’s course of action:
  • iBrute no longer usable – Shortly after announced, and sadly after the damage was done, Apple fixed Find my phone’s vulnerability to brute force attacks. Currently, if you mistake your password a certain amount of times, your account will be locked, marking the end of fun for hackers.
  • Raise awareness – The company is working on push notifications and verification codes (similar to captcha) to make users aware if someone is trying to change their passcode, used device or restore iData. Furthermore, an active promotion of the “two-factor notification”, which up til now was an often skipped procedure.
So what now?
At the end of the day, we can’t be too sure when convenience will get the best of us. It is unfortunate that security awareness was created only after someone got hurt (or in this case, a whole lot of people). In this time and day, sensitive data shouldn’t be thrown in the cloud without further consideration. If iCloud’s left a bad aftertaste in you after this leak, there are other similar services that offer full file encryption like Tresorit, SpiderOak, Wuala and more (to learn more about them, read the respective reviews)

Leave a Reply