Security experts have told Siliconrepublic.com that they believe the attacks were made possible by poor password security.
“It seems likely that those responsible for this attack utilised a script which had been posted to the popular code sharing site GitHub which implemented a brute force password guessing attach against an iCloud account via the ‘Find my iPhone’ feature,” said Dermot Williams, managing director of ThreatScape.
“This enabled one or more attackers to compromise a series of celebrity-owned accounts and sync with them to download their stored photos etc. My guess is that someone started with (or guessed) just one target users email address, compromised that account, and then obtained not only their stored photos and videos but also their contact list – providing a treasure trove of other celebrity email addresses which they could then target on iCloud to obtain further data (not all email addresses and individuals would lead to further Apple-device owners, or iCloud users but clearly a lot did).”
FULL POST
