by 64mb 4306 days ago
> "we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions"

> "None of the cases we have investigated has resulted from any breach in any of Apple’s systems"

Don't these lines contradict each other?


No, as I can try and guess your login credentials, and that is a perfectly acceptable and valid workflow which isn't exploiting anything.

I think the issue is that the previously posted Find My iPhone code didn't rate limit invalid logins and this was used to brute-force creds. This is probably the real underlying issue and not any type of buffer overflow / exploit etc.
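The mitigation the comment above points at is a failed-login throttle on the authentication endpoint. The following is an added example, not code from the thread or from Apple: a sliding-window lockout keyed on the account name, with a constructed user table and an injectable clock so the lockout expiry can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window lockout: after max_failures failed attempts within
    window_s seconds, the key is locked for lockout_s seconds."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock            # injectable for testing (assumption)
        self._failures = defaultdict(deque)   # key -> failure timestamps
        self._locked_until = {}               # key -> unlock time

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self.clock() < until

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, users, username, password):
    """Return 'locked', 'ok' or 'bad_credentials'. The lock is checked
    before the credential check, so guesses are not evaluated at all
    while locked. `users` is a constructed plaintext table standing in
    for a real hashed-credential store."""
    if throttle.is_locked(username):
        return "locked"
    if users.get(username) == password:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_credentials"


def simulate_guessing(throttle, users, username, guesses):
    """Count how many guesses were evaluated versus rejected as locked."""
    results = [attempt_login(throttle, users, username, g) for g in guesses]
    return results.count("bad_credentials"), results.count("locked")
```

Keying only on the account name lets anyone lock a victim out by deliberately failing; production deployments combine this with per-source-IP and per-device counters and progressive delays.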

Not really. There's a perfectly valid distinction between accounts compromised by poor password recovery processes and more general ways of compromising the system, i.e. attacks that require targeted information about the account being compromised and attacks that compromise many accounts at once.

Answer: "Hack" was due to weak passwords and no 2-factor, not because of any weakness in Apple's systems.
> Apple's systems

Systems aren't just technical (software), they involve human beings, feedback loops, interactions, etc. Apple's security systems are in fact weak, just not weaker than the norm.

Actually I think the Apple press release was poorly worded. This in particular:

> None of the cases we have investigated has resulted from any breach in any of Apple’s systems

There was indeed a breach in Apple's system, there just wasn't a system wide breach that compromised all accounts, just a select few.

It seems significantly more likely that the "hack" was in the account recovery system which allows -- via a couple of often easily discovered personal details -- a complete, immediate account takeover.

Ah, thanks for clearing that up.