Over the weekend, reports emerged that a number of celebrities had their iCloud accounts compromised by unknown hackers, and personal photos leaked onto the internet. Apple says it is "actively investigating" the situation.
The exact details of the hack are unknown, but some security researchers believe Apple left an iCloud login interface open to brute-force password guessing. In that kind of attack, a piece of software submits candidate passwords one after another, and if the service neither locks the account nor slows the attacker down after repeated failures, it is only a matter of time before a targeted account with a short or common password falls.
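To make the distinction concrete, here is a small simulation, added as an illustration and not taken from the article or from anything Apple runs. The `LoginService` class, the user name, the weak password and the word list are all constructed for the example. The same attacker loop is run against two configurations of the same service: one that permits unlimited guesses (the weak setting the researchers describe) and one that locks the account after a handful of failures.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple


class LoginService:
    """Minimal password check for the demo (hypothetical, not a real service).

    lockout_threshold=None reproduces the weak configuration: unlimited guesses.
    A small integer reproduces the hardened configuration: the account is locked
    after that many consecutive failures.
    """

    def __init__(self, lockout_threshold: Optional[int] = 5):
        self.lockout_threshold = lockout_threshold
        self._users = {}      # username -> (salt, PBKDF2 hash)
        self._failures = {}   # username -> consecutive failed attempts
        self.locked = set()   # usernames currently locked out

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so every guess costs the attacker real work.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        if username in self.locked:
            return False
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        if secrets.compare_digest(stored, self._hash(password, salt)):
            self._failures[username] = 0
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        if (self.lockout_threshold is not None
                and self._failures[username] >= self.lockout_threshold):
            self.locked.add(username)
        return False


# Constructed word list for the demo; real attacks use lists of millions of leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey", "dragon", "baseball"]


def brute_force(service: LoginService, username: str, wordlist) -> Tuple[Optional[str], int]:
    """Attacker loop: try each word in order; return (password found or None, guesses made)."""
    for guesses, guess in enumerate(wordlist, start=1):
        if service.login(username, guess):
            return guess, guesses
    return None, len(wordlist)


def run_attack(lockout_threshold: Optional[int]) -> Tuple[Optional[str], int]:
    """Register a user with a weak password (7th in the list) and attack the account."""
    svc = LoginService(lockout_threshold)
    svc.register("target", "dragon")
    return brute_force(svc, "target", WORDLIST)


def legitimate_login_after_attack(lockout_threshold: Optional[int]) -> bool:
    """Whether the real owner can still sign in with the correct password once the attack is over."""
    svc = LoginService(lockout_threshold)
    svc.register("target", "dragon")
    brute_force(svc, "target", WORDLIST)
    return svc.login("target", "dragon")


if __name__ == "__main__":
    print("unlimited guesses:", run_attack(None))   # the weak password is found on guess 7
    print("lockout after 5:  ", run_attack(5))      # the attacker is locked out first
```

Without a threshold the attacker recovers the password on the seventh guess; with a threshold of five the account is locked before the right word is reached. The hardened setting has a cost of its own that operators must plan for: after the failed attack the legitimate owner is also locked out until the lock is cleared, which is why many services prefer per-IP rate limiting or exponential back-off over a hard lock.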
Update: Apple has issued a statement acknowledging the breach and blaming it on a "very targeted attack on user names, passwords, and security questions" of certain high-profile iCloud users. The statement does not contain any details about what exactly occurred or whether any changes have been made on Apple's end to prevent similar breaches in the future.
TechRepublic has reached out to Apple for clarification on these points.
It is possible, even likely, that this was largely a targeted attack on individual users: phishing them for their credentials, or using personal information gathered about them to answer the account "security questions" and reset their passwords. It is unclear whether brute force was used at all.
However, Apple does offer a service called two-factor authentication. It's a common way to secure online accounts used by many companies, including Google, Dropbox, and Twitter.
It works by requiring a second code, in addition to the password, when logging in from a new or unrecognized device. Corporations have long used hardware tokens such as the RSA SecurID key fob to generate a code that accompanies the password. If either the password or the fob is compromised on its own, the attacker still lacks the other factor, so a purely remote takeover becomes much harder.
These days, code generators are built into smartphone apps or delivered as SMS codes. For example, Google offers an authenticator app for both iPhone and Android that works with Google's own services and with third-party services such as WordPress.
Apple's two-step verification protects users by requiring a secondary code that is sent to previously verified devices such as iPhones and iPads. When you attempt to sign into Apple services from a device for the first time, say when you purchase a new iPad, Apple sends a four-digit code to one of your existing trusted devices, and that code must be entered alongside your password.
Though Apple doesn't promote its two-step verification very much (that may change following this weekend), once it is activated it is required for login in any of these situations:
- When signing into appleid.apple.com to manage an Apple ID or iCloud account
- When making an iTunes, App Store, or iBooks Store purchase from a new device
- When getting Apple ID-related support from Apple
Apple delivers the code two ways: its own push notification to a registered iPhone or iPad (Figure A), and SMS to a pre-registered cell phone number. There is also a Recovery Key that lets you get back in if you lose, or otherwise cannot reach, all of your registered devices. It should be kept offline in a secure location such as a safe deposit box and used only for emergency access to your account.
Figure A: Verification code on an Apple device.
Two-step verification is easy to use and should be activated on every iCloud account, plus every other service that offers it, including Twitter, Dropbox, Google, and more. Keep in mind that it challenges only the sign-ins listed above, so a strong, unique password still matters for everything else.
Here's how to set up two-step verification on your Apple ID or iCloud account:
- Go to appleid.apple.com and log in with your Apple ID credentials (this is the same email address and password that you use to make purchases on the App Store)
- Select "Password and Security" on the left side
- Select "Get Started" under Two-Step Verification
Apple will then walk you through setting up the service, including verifying trusted devices like iPhones and iPads, as well as SMS-based services for backup verification. You will also get a 14-character Recovery Key that should be kept in a safe and secure location.
You will need any two of the following three things to get into your account; being left with only one of them can mean permanent lockout:
- Your password
- A trusted device
- The recovery key
If you forget your password, you'll need a trusted device and your recovery key to reset it.
Though we don't know the exact details of the hack that compromised celebrity iCloud accounts and their personal privacy, it is likely that two-step verification, had it been activated on those accounts, would have blocked at least the password-reset route: once it is on, resetting a password requires a trusted device and the Recovery Key, and answers to security questions are no longer enough.
Do you use two-step verification with your accounts? Why or why not? Let us know in the comments below.
Updated 3:25 p.m. Sept. 2 with Apple's comment about the attack.
Jordan Golson is an Apple Columnist for TechRepublic. He also writes about technology and automobiles for WIRED and MacRumors. He has worked for Apple Retail twice and has been writing about technology since 2007.