In May of this year we brought you the story of the Ransomware infiltrating iOS devices via iCloud’s “Find my iPhone” feature.  As we discussed in the article this meant that the cyber criminal now had full access to these individual’s iCloud accounts and all things stored there, including any questionable pictures.

However, in the US this hacking and device ransom received relatively little news coverage as the victims were overwhelmingly in Australia.  Questions were raised, at the time, as to whether a large Australian based company like a utility had been the victim of a data breach and hadn’t publicized the information yet or if some criminal element was in possession of a larger database of iCloud user information and was using Australia as a test case for a larger attack later or proof of concept that the credentials that had been acquired really worked.

Image from May’s iCloud Find my iPhone Ransomware

With this weekend’s release of nude celebrity photos it appears that the later option may be true.  Those closer to the actual details of the hack disagree as to whether the hackers used credentials collected through a previous data breach or if the hackers used a brute force attack against Apple’s “Find my iPhone” app.  Either way the “Find my iPhone” service is at the center of both the ransomware and the leaked photos.

A brute force attack uses programs that repeatedly guess passwords against a specific username (meaning you need to have the username); most software or apps only allow for 3 wrong guesses before you are locked out, thereby preventing brute force attacks.  As that is a fairly standard setup for most software this seems to be less likely than access gained through a previous data breach.

Interestingly we could not find any articles that even mentioned the previous iCloud hack from May; to us this seems like the first place to start looking as to how and when access has been acquired to these iOS devices.

If these two incidents are related and indicate a larger data breach of iCloud, iPhone users should make sure to change their passwords ASAP.  On a more general note it is wise to not upload nude pictures of yourself to any device that could be vulnerable, which means any device, unless of course you’re looking for a little more publicity.

[whohit]iCloudNudeCelebrities[/whohit]