Apple's celebrity iCloud leak probably has mundane causes

Over the weekend, naked and semi-nude photos of a number of celebrities, including Jennifer Lawrence, Kate Upton and Kirsten Dunst, appeared online after what initially seemed like a hacker attack on Apple's (AAPL) iCloud service, which backs up files from the iPhone. Yet despite a raft of articles and analysis from every conceivable corner of the Internet, it's still unclear exactly what happened.

There are a few theories. Just in the last week, for example, word surfaced that a weakness in the Find My Phone feature of iCloud allowed hackers to use brute-force methods to crack user passwords. Typically, password systems lock users out after they enter several incorrect passwords, but Find My Phone did not. That bug was recently patched.

Another possibility that's been proposed by security experts: Perhaps hackers sniffed usernames and passwords over an open WiFi network, such as at a celebrity event.

For its part, Apple maintains that its own iCloud service was not breached, but instead that "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet." In other words, the attacks could have been a result of compromising the victims' email accounts or other techniques that were unrelated to iCloud's security protocols.

What we do know is that the photos were stolen not in one fell swoop, but over an extended period of time. As detailed in Business Insider, the photos were sold and traded in a forum known as AnonIB, an offshoot of the infamous 4Chan forum. Apple continues to investigate the breach, and various celebrities affected by the hack have issued their own statements as well. Ariana Grande claims that the alleged photos of her are completely fake, while Jennifer Lawrence called the photo theft "a flagrant violation of privacy," and her spokesperson threatened to prosecute whoever was found to be responsible.

Even if you're not a pop star or actress, you might be worried about your online security. The good news is that, at least at this point in the investigation, the hack appears to be unrelated to any security vulnerabilities in Apple's iCloud service. The bad news is that hackers can do a lot of damage by guessing or cracking your password. The single best way to mitigate this? Follow Apple's advice and enable two-factor authentication.

Two-factor authentication (sometimes called two-step verification) requires you to enter not just your password, but also a passcode texted to your phone if you attempt to access your account from a different device. So even if a hacker finds your password, it won't do him any good since he can't log into your account from his computer. Apple explains how to enable two-factor authentication. Turn it on -- you can be sure that Jennifer Lawrence has enabled it on her iCloud account by now.
