In September 2014, news first broke that somehow attackers were able to get access to private pictures of a number of high-profile Hollywood celebrities stored in Apple’s iCloud service. While justice isn’t always swift, on March 15, the U.S Department of Justice announced that it has charged 36-year-old Ryan Collins of Lancaster, Pa., in connection with a phishing scheme that led to the celebrity iCloud image disclosure.
The DOJ stated in a release that Collins was engaged in a phishing scheme to get usernames and passwords from November 2012 until the beginning of September 2014. Collins simply sent emails that appeared to be from Apple or Google requesting the usernames and passwords from the targeted victims. Once he had access to the victims’ accounts, Collins was able to gain personal information and also downloaded the contents of the victims’ Apple iCloud backups.
According to the DOJ, Collins was able to gain access to at least 50 iCloud accounts, mostly connected to female celebrities in the entertainment industry.
“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity, “David Bowdich, the assistant director in charge of the FBI’s Los Angeles Field Office, said in a statement. “We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”
In the immediate wake of the iCloud incident in 2014, Apple emphasized that its systems were not directly hacked. Now that the DOJ has charged an individual in the case, it is clear that Apple was in fact accurate, as it was a phishing scheme that led to the breach of user information.
Security experts contacted by eWEEK were not surprised that phishing was the root cause for the 2014 celebrity information disclosure.
“The revelation about the method used to hack the accounts, a phishing scheme, is only half surprising,” David Melamed, senior research engineer at CloudLock, told eWEEK. “At the time of the hack, there were multiple allegations that the celeb accounts were protected with weak passwords and some brute-force attack was used to compromise them.”
Melamed added that the phishing scheme used by the hacker is unfortunately not that surprising and is quite common, but it does dismiss accusations that iCloud’s security was breached.
Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said the confirmation that the method used to gain unauthorized access to iCloud was phishing rather than an exploit may lessen some concerns about the security of Apple’s iCloud service. Sadowski added that the iCloud celebrity photo incident has increased the pressure on Apple and other cloud app service providers to offer more convenient strong authentication options to further protect users’ accounts and information with something stronger than a username and password.
Kevin Bocek, vice president of threat intelligence and security strategy at Venafi, noted that he’s not surprised that the celebrity picture hacker was tracked down and arrested.
“Apple, as does every other cloud provider, collects significant data on us and readily shares this under court order,” Bocek told eWEEK. ” It seems even this hacker would be surprised about the amount of data collected that can be used to track down and arrest bad guys.”
Casey Ellis, CEO and founder of Bugcrowd, is also among those not surprised that the iCloud attacker was caught. Given how public the incident was and the considerable embarrassment it caused, the DOJ would have invested significant resources into catching the perpetrator, he said.
Ellis added that it’s good to see that there are penalties for malicious hackers. That said, there is still some longer term impact as a result of the incident.
“Apple implemented a number of changes quite rapidly after the hack and definitely worked to make it harder in the future for an attacker,” Ellis told eWEEK. “As for the public, I know for a fact that more of my friends are thinking twice about using photo stream and iCloud post-hack.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.