"When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source," they said. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
It seems that the celebrities in question fell victim to targeted phishing and social engineering.
The company has not commented on the existence of the iBrute tool for brute-forcing Apple ID passwords, nor on the patching of the flaw that allowed it to work.
According to Andy Greenberg, hackers actively posting stolen nude selfies on the Anon-IB web forum have openly said that they are using Elcomsoft's (legal) Phone Password Breaker software to download the victims' entire iCloud backups, which include not only photos and videos but also contacts, text messages, and application data.
It is also possible that they have been using iBrute or a similar tool to obtain the victims' (and not only celebrities') Apple IDs and passwords. With those credentials in hand, using Elcomsoft's software is trivial. The tool, which is often used by law enforcement, is not cheap ($399), but bootleg copies circulate on BitTorrent sites.
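The following is an added example, not code from the original article and not Apple's or Elcomsoft's code. Apple has not said what flaw let iBrute work, so the weakness modelled here, a login endpoint with no limit on consecutive failed attempts, is an assumption for illustration only. The account name, password, wordlist and PBKDF2 parameters are all constructed. The block runs the same wordlist-guessing loop against a toy authenticator with and without a lockout to show why an attempt limit, not password hashing, is what stops online guessing.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Iteration count is illustrative only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthService:
    """Toy password checker.

    lockout_threshold=None models an endpoint with no attempt limit (the
    assumed weakness); an integer locks the account after that many
    consecutive failures.
    """

    def __init__(self, lockout_threshold=None):
        self.lockout_threshold = lockout_threshold
        self._users = {}                    # user -> (salt, pbkdf2 hash)
        self._failures = defaultdict(int)   # user -> consecutive failures

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'."""
        if user not in self._users:
            return "bad"
        if (self.lockout_threshold is not None
                and self._failures[user] >= self.lockout_threshold):
            return "locked"
        salt, stored = self._users[user]
        if hmac.compare_digest(hash_password(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad"


# Constructed wordlist; "Password1" (the victim's password below) is 8th.
CONSTRUCTED_WORDLIST = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "monkey", "abc123", "Password1", "welcome", "football",
]


def brute_force(service: AuthService, user: str, wordlist):
    """Online guessing attack. Returns (password or None, attempts made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts   # lockout ends the attack early
    return None, attempts


def demo():
    """Run the attack against the weak and the hardened service."""
    victim = "celeb@example.com"             # constructed account
    weak = AuthService(lockout_threshold=None)
    weak.register(victim, "Password1")
    hardened = AuthService(lockout_threshold=5)
    hardened.register(victim, "Password1")
    return (brute_force(weak, victim, CONSTRUCTED_WORDLIST),
            brute_force(hardened, victim, CONSTRUCTED_WORDLIST))


if __name__ == "__main__":
    print(demo())   # (('Password1', 8), (None, 6))
```

Against the unlimited endpoint the weak password falls on the eighth guess; the hardened one answers "locked" on the sixth call, and would keep doing so no matter how long the wordlist is. Note the trade-off the lockout introduces: once an attacker has tripped it, the legitimate owner is locked out too, so real deployments combine a per-account limit with per-source rate limiting, backoff or a challenge rather than relying on a hard lock alone.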
Apple advises all users to use strong passwords, and to enable two-step verification. You can also check out this helpful post by Nick DePetrillo for a step-by-step guide on how to set up two-factor authentication for iCloud (Apple ID) and Dropbox.
Unfortunately, two-step verification does not stop an attacker from restoring a victim's iCloud backup to a new device: for that, the Apple ID and password alone suffice.
Chris Soghoian, ACLU's principal technologist and senior policy analyst, has a few ideas for changes that tech companies should implement to prevent attacks like this from happening.
"Apple, Google and the other big tech companies should acknowledge that millions of their customers regularly use their products to engage in sensitive, intimate activities," he noted. "These companies can and should offer a 'private photo' option for sensitive photos that prevents them from being uploaded to the cloud. More importantly, they should treat their customers like grownups and educate them about how they can use their products and services to engage in intimate activities, as safely as possible."
Finally, let me leave you with this warning: beware of online scams following the celebrity nude photo news.