By now you’ve likely heard that dozens of celebrity accounts on Apple’s iCloud service were recently accessed by unscrupulous persons, and embarrassing photos from those accounts posted on various web sites.
This should server as a reminder to everyone who uses web-based storage like iCloud that such services are extremely tempting targets for nefarious hackers.
In this case, the invader discovered that the ‘Find my Phone’ app had no protection against brute force (rapid, automated) login attempts. This was used, along with a list of common passwords, to learn the passwords of some targeted iCloud accounts, at which point all data stored on those accounts became available.
If you use cloud storage, make sure to use strong passwords; otherwise, you might as well assume everything you store there is publicly accessible.
The SANS InfoSec Handler’s Diary has more.
Update 2014Sep07: Ars Technica has a followup, in which Apple CEO Tim Cook admits Apple could have done more to prevent the incident, and talks about upcoming iCloud security changes. Over on Bruce Schneier’s blog, he reminds everyone that strong passwords would have protected the victims’ accounts, and to use an offline password manager.