Apple says its systems not to blame for celebrity photo breach

By Edwin Chan and Christina Farr SAN FRANCISCO (Reuters) - The week before a crucial launch of its new iPhone, Apple Inc said intimate photos of celebrities including Oscar-winner Jennifer Lawrence were leaked online through the apparent hacking of individual iCloud accounts. Apple rushed to restore confidence in its systems' security, saying the celebrity photo scandal that also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems. "We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple said in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find My iPhone." The celebrity hacking that came to light over the long Labor Day weekend nevertheless ranks among the highest-profile public fiascos for Apple in recent years. Apple's iCloud service allows users to store photos and other content and access it from any Apple device. Security in the cloud has been a paramount concern in past years, but that has not stopped the rapid adoption of services that offer reams of storage and management of data and content off smartphones and computers. Regardless of how the leaking of nude celebrity photos actually happened, the timing could not have been worse for Apple as it prepares to launch a new iPhone next week. It also underscored the longer-term risks for mobile users as smartphones increasingly become the repository for far more sensitive healthcare, banking and personal data. "Every great innovation is convenient but also a big opportunity for the bad guys in the world," said Marc Maiffret at security firm BeyondTrust. Cybersecurity experts say the perpetrators possibly gleaned the celebrities' email addresses and mounted a long-term phishing attempt - a relatively straightforward attack through which hackers gain access to users' accounts by getting them to click on a compromised URL or Internet link. The photos were posted on image-sharing forum 4Chan, prompting Lawrence's representatives to describe their release as a "flagrant violation of privacy" and contact law enforcement authorities. A WAKE-UP CALL TO ALL That the hacking could hit Lawrence, who is one of the biggest names in Hollywood, the star of the hugely popular "Hunger Games" films and the best actress Oscar winner, came as a wake-up call to both the famous and non-famous. "This feels like a brute-force attack and someone's using bad passwords," said Michael Fertik, chief executive of online image manager Reputation.com. "If you must take a nude photo use a non-obvious password." Hackers use so-called brute-force software to cycle through large numbers of possible passwords during log-in attempts. Fertike said hacked celebrities would likely have to live with the leaked photos remaining outside their management for the foreseeable future. The FBI said it is addressing the celebrity photo hacking, but added that any further comment "would be inappropriate at this time." Apart from any criminal charges that might be pursued under federal or state hacking laws, Lawrence and the other celebrities could bring civil lawsuits against the alleged hacker or hackers and those who shared the photos. "The way the celebrities were treating the photos, I don’t think there’s any doubt that the law will treat them as being private and the distribution of the photos was a violation of privacy," said Evan Brown, a technology and intellectual property attorney at InfoLawGroup in Chicago. In 2012, a Florida man was sentenced to 10 years in prison for hacking into online accounts of more than 50 people in the entertainment industry. He gained access to nude photos of actress Scarlett Johansson, who tearfully said she was "humiliated and embarrassed" in a video statement to the court. (Additional reporting by Jeffrey Dastin, Michael Parks, Andrew Chung and Patricia Reaney in New York, Eric Kelsey in Los Angeles; Writing by Mary Milliken; Editing by Tom Brown)