by iaw 4306 days ago
Re: 1) 2FA wasn't in use by these individuals. If you read the Apple release they not only neglect to mention 2FA as a source of the breach but actively encourage users to sign up for it. If 2FA was in place I doubt that this vector would have been successful.

That being said, I think the culpability is on Apple here as much as it is on the individuals responsible for obtaining the links. Security questions were never good security and companies need to start moving away from failed models.

1 comments

Security questions are just horrible. 2FA is good, but these celebs have people that handle their social media, so even if the technical leaks are plugged, things would just move to social eng. tactics, bribe an assistant, etc. Probably a number of people have a celeb's Twitter password.

Pretty worthless statement by APPL. "happens all the time", "not our fault", etc. They should be called out for security questions in the 1st place if that's what they use at all. Even after Sarah Palin, which was greatly publicized. These companies learn nothing.