by randomfool 4301 days ago
From the article:

"Apple earlier this week said that after a 40-hour investigation, the company concluded that there was no breach of its data servers. The company has said it discovered a number of celebrity accounts were compromised by targeted attacks, using methods like phishing or correctly answering security questions to obtain their passwords."

So the stolen data was from Apple's servers, but was obtained by compromising individual logins.

Lesson #1: enable 2FA. now.

4 comments

2FA does not protect iCloud data at all; it would have done nothing here.
My understanding is it just doesn't protect iCloud backups, which is what was compromised here - also why things deleted from the phone were still in the cloud.
That's mine too; an iCloud backup is pretty much keys to the kingdom. Could also just have been that they had access for a very long time and downloaded data multiple times in that period without being detected.
Lesson #1: only use software that encrypts the data on the client side before storing it on the server.
Looks like in the end the weak link is always human.
It's a classic "password" is not a good password situation. People's passwords are way too common; it's not surprising celebrities got hacked. They're going to be just as likely to use a weak password as any young adult.
Also sending plain text auth tokens is not secure.