As the dust settles on the widely-reported `nude celebrity' hacked photos from iCloud this week, two things are becoming apparent: firstly that the methodologies used by the hackers to obtain the images are almost certainly multi-faceted, and secondly, that Apple took its time before announcing on Tuesday - four days after the saga started developing - that its security had not been compromised.

Even though the story started brewing on Saturday it took Apple almost four days to respond to media enquiries as to what happened. With a new generation of iPhones and other devices scheduled for launch next Tuesday, most experts agree that - rightly or wrongly - the saga has overshadowed that launch, as witnessed by volatility in Apple's share price.

Apple claims that iCloud is defended by a two-factor authentication (2FA) process, but as reported by SCMagazineUK back in May, the iCloud activation lock was cracked.

According to Marc Rogers, a principal analyst with Lookout Mobile Security, whilst some of the celebrity photos are from existing sources or have been faked, a "significant percentage of them appear to be exactly what the original leaker claimed - intimate photos stolen from celebrities."

In his analysis, Rogers says that the attackers used several tools - ranging from commercial password recovery tools such as Elcomsoft's `Phone Password Breaker' to well known hacking tools such as `Jack the Ripper' on hardware built specifically to accelerate the cracking process.The Lookout analyst also points out that the 2FA protection is only required in three distinct situations: when logging into the `My Apple ID' Web site; making a purchase from a new device; and when getting Apple ID related help from Apple.

"Signing into iCloud in order to access say, your backed up or photos, does not require 2FA. In this case, enabling two-factor authentication would not have helped anyone involved in this latest leak," he said.

"This is an oversight on Apple's part, consequently we have reached out to them suggesting that it would be a better, safer, experience for users if they extended two-factor authentication to any service that exposes sensitive user data," he added.