iCloud security to blame for celeb pictures flood?

Launched in October 2011, iCloud was reported as having around 320 million users in a July 2013 set of figures from Apple.

The service is used to automatically store data - including music and pictures - from iOS devices, making the task of synchronising data file sets between mobile devices a lot easier. It also allows iPhone users to easily migrate their files to a new handset as and when Apple releases a new device.

Apple has not made any comments on the celebrity photo postings, but some celebrities are claiming their pictures are fakes, although Jennifer Lawrence and Kate Upton are reported as saying the pictures are real.

According to the International Business Times newswire, if the hacker isn't lying and the pictures were stolen from iCloud, "then it is highly unlikely that the hacker was able to breach Apple's security in general but targeted specific victims using a combination of social engineering and inherent flaws in Apple's system."

The newswire notes that there are three main methods open to the hacker - social engineering, cracking the password or use of Apple's 'forgot my password' route, the latter of which can be compromised using a combination of a celebrity's email address and other data obtained relatively easily online.

The solution for anyone worried about iCloud security, concludes IBT, is to turn on two-step verification for an iCloud account, requiring users to supply a four-digit PIN - sent to the trusted device - when accessing the account from a device other than a trusted device such as an iPhone.

Trend Micro's security evangelist Rik Ferguson agrees that a wide-scale hack of Apple's iCloud is unlikely, but says that a targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials into a fake login page, "would do the job just as well as any more complex hack."

Ferguson says that there are lessons for all users of the Internet from this emerging saga, including that if any online service offers options that increase their security, users should enable them.

"Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I'm willing to bet that a compromise of a service at the heart of your digital life will be considerably more so," he said, adding that users should not re-use their passwords on multiple systems.

Finally, Ferguson says that deleted may not always mean deleted, as some of these victims are discovering. Users should, he adds, familiarise themselves with the online services they use and work out if backups or shadow copies are taken and how they can be managed.

"In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple's Photo Stream," he explained.