Celebrity iCloud Leaks the Fault of Weak Passwords, Apple Says

The essentially spotless reputation of Apple's widely used iCloud service was dealt a serious blow this weekend when word emerged that several celebrities discovered that private photos of themselves had made their way onto the Internet at large. Word emerged yesterday via NBC News that Apple is working closely with the FBI to investigate the leaks, but this morning the Cupertino company claimed the leaks weren't really iCloud's fault. Instead, it was the fault of weak passwords.

Apple outlined its findings in a press release. It reads: "We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud(R) or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

The leak most notably affected Oscar-winner Jennifer Lawrence, and celebrities such as Kate Upton, Kristen Dunst, and Mary E. Winstead also reported leaks. Other celebrities (or their representatives) — such as Ariana Grande, Victoria Justice, and gymnast McKayla Maroney — claimed that the photos circulating about on sites such as Reddit were fakes. Apple yesterday reported that it was "actively investigating" the reports. Nat Karris, speaking for Apple, said merely that "We take user privacy very seriously and are actively investigating this report."

Suspicions about iCloud's weaknesses emerged after a tool on Github was discovered that could allow some users to enter multiple passwords without getting locked out due to a flaw in Find My iPhone. The press release suggests that this wasn't the case. The news is especially bad for Apple is it emerged just on the eve of the company's highly anticipated September 9 event, which is rumored to focus on two new iPhones and (maybe) the long-rumored iWatch. Other rumors suggest that Apple might be on the verge of finally announcing mobile payment plan, which could pose problems since the service is almost certainly connected to iCloud.

Apple's press release also offered advice as to how to avoid such break-ins in the future. "To protect against this type of attack," it says, "we advise all users to always use a strong password and enable two-step verification." Apple stated that it is continuing to work with law enforcement officials "to help identify the criminals involved."

Follow this article's writer, Leif Johnson, on Twitter.