While starlets scramble to deny which pictures are real and teens around the world rejoice, a fundamental flaw in Apple's security procedures has shown it's ugly head once again.
It took a series of very amateur-level mistakes to lead up to this leak.
iCloud's password requirements are too lax.
We all know that we need to have long and complicated passwords, but times have changed even recently. Intelligent password crackers using massive dictionaries now exist that can help crack some pretty complicated passwords, regardless of length, if it is made up of just words. Password crackers also know how humans think, and new crackers are adapted heuristically to help crack passwords via predicting how humans act. People usually lead off with words followed by a number at the end. PorscheCarrera111 would be cracked in seconds despite being a pretty long password.
I have no doubt that Jennifer Lawrence and Kate Upton are wishing that they had entered more complicated passwords at this point.
iCloud didn't check password attempt velocity.
This one is simple. iCloud let a cracker guess millions of times at a password without locking them out or asking them to verify information. This has now been patched, after this massive celebrity leak.
iCloud doesn't whitelist information for the service by default.
Modern secure services require IP addresses from the same source in order to access services. They could have further locked down the service with IMEI or Serial Numbers for mobile devices like tablets and phones.
Here is what happens if i try to sign on my account in Path of Exile, a free video game, from VikingVPN in Amsterdam (i live in Chicago).
iCloud doesn't notify users of the number of failed sign-in attempts since the last sign-in.
You might be a little quicker to delete your iCloud sync when you see 150,000 failed sign-in attempts.
And last but certainly not least...
iCloud is enabled by default, and doesn't notify the user.
The celebrities that had their accounts broken into have said that they deleted the photos long ago, and they probably did, from their phones. The iCloud sync that they weren't told about still happily stored aware their private media to be stolen at a later date. When you delete a photo locally, you are not asked if you want to also delete the media on iCloud, you have to manually go find it and delete it. That is, if you even know it is there to begin with.