Apple iCloud

Date: 2014-09-01

Apple iCloud service was subject to login brute force attack leading to the leak of celebrity private photos.

Apple did not follow the security best practices to prevent brute forced login attempts. Find my iPhone, a part of iCloud services, allowed unlimited login attempts. This allowed the attackers to guess simple passwords for known email addresses.

Later the private photos of victims, most of them being celebrities, were leaked in Internet.

Apple did not apologize.

Related evaluation points:

• Two-factor authentication
• Brute force login prevention

Links:

• Apple Media Advisory - Update to Celebrity Photo Investigation
• Apple patches ‘Find My iPhone’ exploit (ZDNet)
• Find My iPhone exploit may be to blame for celebrity photo hacks (Engadget)
• Was iCloud vulnerable... (Quora)