The FBI is investigating a possible phishing scam that led to several celebrities' private, nude photos being stolen from their Apple iCloud accounts.
Law enforcement sources
confirmed to TMZ that FBI agents are looking into four of the targets: Kate Upton, Mary Elizabeth Winstead, Jennifer Lawrence, and Lea Michele. Upton's boyfriend, Justin Verlander, pitcher for the Detroit Tigers, is also reported to be in some of the photos, which were leaked widely on Sunday.
Representatives for all four women did not respond to TMZ's calls for comment on the investigation as the debate about digital security — most specifically iCloud — raged on.
Urgent: Do You Approve Or Disapprove of President Obama's Job Performance? Vote Now in Urgent Poll
On Friday, Apple CEO Tim Cook reiterated a company statement from earlier this week, saying iCloud's infrastructure was not compromised during the attack. Instead, he implied that the celeb's accounts were broken into via password-reset security questions and phishing.
Phishing is a longstanding con that tricks users into sending their login information to scammers masquerading as companies like Apple, Google, and Facebook. Denise Richards tweeted this week that several phishing attempts were made on her web accounts.
Cook
told The Wall Street Journal that Apple will do two things to improve security in the near term, saying, "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That's not really an engineering thing."
First, in roughly two weeks' time, Apple will begin sending email and push alerts to users whenever someone tries to change a password, restore iCloud data to a new device, or tries to log on to iCloud with a new device. This "awareness" measure should alert users whenever anyone tries to meddle with their account.
Second, Cook said the company will broaden the use of a common security measure known as "two-factor authentication," a two-step login process that requires both a password (something the user knows) as well as a second item like a one-time code sent via text (something the user has). Many have speculated that Apple's fingerprint scanner, Touch ID, introduced on the most iPhone 5S, could be harnessed to act as the second item for two-factor authentication.
Many have said that in addition to password reset and phishing, a third, software-based tactic could have also compromised iCloud. The third tactic was not addressed by Cook.
That tactic, known as a "brute-force attack," uses an automated program to repeatedly guess at a user's password. Companies commonly protect against brute-force attacks by limiting users to a low number of login attempts per hour or day. Sometimes, this protection, known as "rate limiting," locks the account after a certain number of failed login attempts.
Mashable.com reported that Apple's "Find My iPhone" app was previously wide open to brute force attacks, but implemented rate limiting on Monday.
The tech site also noted several other egregious weaknesses in Apple's iCloud security, including iCloud authentication tokens being stored in plaintext.
Urgent: Assess Your Heart Attack Risk in Minutes. Click Here.
© 2025 Newsmax. All rights reserved.