
The Fappening 2014: Hundreds of celeb nudes go online via iCloud hack

Krishna Bahirwani explores how hundreds of celeb nudes were exposed via an iCloud hack


Starting on 31 August 2014, hundreds of nude photographs of well-known celebrities began appearing on 4chan, Imgur and Reddit. The subreddit dedicated to the leaks, known as "The Fappening", became one of the fastest-growing communities in Reddit's history before it was banned. The hack is presumed to have been a simple two-step process that anybody with access to the right tools could have carried out, and the tools turn out to be easy to obtain. The first step is guessing the victim's Apple ID password with iBrute, a brute-force tool for iCloud logins that was published on GitHub the weekend before the leak. The second is feeding the recovered credentials to Elcomsoft Phone Password Breaker, a forensic product sold by the Moscow-based firm Elcomsoft, which uses them to download the account's iCloud backup.
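As an added illustration (not code from the article, from Apple, or from the iBrute authors), the snippet below models the two conditions a brute-force tool of this kind depends on: a password that a small mutated word list reaches, and a login endpoint that keeps accepting guesses. It runs a leet-speak dictionary attack against a mock account store twice, once with no lockout and once locking the account after five failures. The word list, the accounts and the MockLogin class are constructed for the example; the plain SHA-256 store is a stand-in, not how a real service should hash passwords.

```python
"""Added illustration (not the article's or iBrute's code): a dictionary
attack with "leet" mutations against a mock login service, run once with
unlimited guesses and once with a per-account lockout.  Every account,
password and word list here is constructed for the example."""
import hashlib
import itertools

# Constructed word list.  Real attack wordlists are far larger; four words
# are enough to show the mechanics.
BASE_WORDS = ["password", "letmein", "iloveyou", "monkey"]

# Common substitutions that turn "password" into variants like "P@$$w0rd".
LEET = {"a": "a@", "s": "s$", "o": "o0", "e": "e3", "i": "i1"}


def mutations(word):
    """Yield every leet variant of `word`, lower-case and then capitalised."""
    pools = [LEET.get(ch, ch) for ch in word.lower()]
    for combo in itertools.product(*pools):
        cand = "".join(combo)
        yield cand
        yield cand[:1].upper() + cand[1:]


class MockLogin:
    """Toy account store.  lockout_after=None models a service that accepts
    unlimited guesses; an integer models a lockout after that many failures.
    Unsalted SHA-256 is used only to keep the toy short; a real store needs
    a slow, salted password hash."""

    def __init__(self, accounts, lockout_after=None):
        self._hashes = {u: self._h(p) for u, p in accounts.items()}
        self._failures = {u: 0 for u in accounts}
        self.lockout_after = lockout_after

    @staticmethod
    def _h(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def attempt(self, user, password):
        """Return 'ok', 'bad' or 'locked'."""
        if self.lockout_after is not None and self._failures[user] >= self.lockout_after:
            return "locked"
        if self._h(password) == self._hashes[user]:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad"


def dictionary_attack(service, user, words=BASE_WORDS):
    """Guess until success, exhaustion or lockout.
    Returns (password_or_None, guesses_made, locked_out)."""
    guesses = 0
    for word in words:
        for cand in mutations(word):
            guesses += 1
            outcome = service.attempt(user, cand)
            if outcome == "ok":
                return cand, guesses, False
            if outcome == "locked":
                return None, guesses, True
    return None, guesses, False


if __name__ == "__main__":
    # Same weak password, with and without a lockout.
    print(dictionary_attack(MockLogin({"victim": "P@$$w0rd"}), "victim"))
    print(dictionary_attack(MockLogin({"victim": "P@$$w0rd"}, lockout_after=5), "victim"))
    # A passphrase outside the word list is never reached.
    print(dictionary_attack(MockLogin({"victim": "correct horse battery staple"}), "victim"))
```

Without a lockout the eight-character "P@$$w0rd" falls on the 32nd guess and the whole four-word list is exhausted in 88 requests; with a five-failure lockout the same attack stops at six requests. The lockout is the control that turns an unlimited guessing run into a handful of failures worth alerting on, which is why a service accepting unbounded login attempts matters as much as the strength of the password itself.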

What the celebs had to say
Jill Scott
"I definitely took the first picture with a robe; weight loss chronicle. But the second, sorry freaks, is not me. I wish I had that space between my thighs."
"I will not be bowed," she posted. "I have earned every inch of my life. What you see, you cannot touch."
"I did nothing wrong and nothing that was YOUR snake concern. My photo was hacked; my PRIVACY INVADED."

Mary E Winstead
To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.
Becca Tobin
Merry XXXmas!

What Apple had to say...
(Apple acknowledged the hack but did not address the vulnerability that was exploited by iBrute)
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

What the developers of iBrute had to say...
I'm really sorry that the talk given by @hackappcom and @abelenko at a local @DefconRussia group meeting (@chaos_construct event) a few days ago has had such nasty consequences, and that the blackhat community gave such weak, cheap and ungrateful feedback. In justification I can only mention that we only described the way HOW to hack an AppleID. Stealing private "hot" data is outside our scope of interests. We discuss such hacking methods in our narrow circle just to identify all the ways privacy can be abused. For everyone who was involved in this incident, I want to remind you that today we are living in a Brave New Global World, where privacy protection was never so weak, and you have to consider that all your data from "smart" devices could be accessible from the internet, which is a place of anarchy and, as a result, could be a source of undesirable and unfriendly activity. So a weak "dictionary" password (like P@$$w0rd) is not the best way to protect yourself in the modern world. But it's not your fault; it's the general problem of modern being, that people use technology without understanding all the risks and consequences. Not all users are nerds (look, Jim Parsons' account was not hacked!).
And now, after all this you've experienced, we can only offer to start information security self-education. You may follow us on twitter: @hackappcom @abelenko @defconrussia (ru),
read popular news feeds: Ycombinator hacker news, Reddit NetSec,
and if you want to go deeper, you'd better join a local Defcon group.

What the security industry had to say...

This news is specifically referring to personal data of some celebrities and it is difficult at this time to ascertain the root cause and point of compromise. Incidents like these highlight the importance of data/access security vis-à-vis infrastructure security. Verizon Enterprise Solutions conducts several data breach investigations globally, and in the widely-known Data Breach Investigations Report of 2014 we observed that identity and authentication are still under assault and 2 out of 3 network breaches exploit weak or stolen passwords.
“Internet of things” is not a concept anymore – we see it widely in use already. With ever-increasing connected devices along with more and more humans it is becoming an intricate web of systems and humans. Public cloud is a boon only if it is used wisely and selectively. One of the important findings of DBIR is that attackers are compromising systems faster over time, but defenders are not getting much better/faster at discovering and responding to incidents.
- Mr. Ashish Thapar, Global Consulting & Integration Services (GCIS), Asia, Verizon Enterprise Solutions

Today, most organizations use 2-factor authentication (2FA) for most of their services and still get hacked into. The problem lies in the fundamentals of current communication methods, which lack true mutual authentication of communicating peers (browser and web server, for example). Because of this lack of true mutual authentication it is not possible to know whether communication and data exchange occur between authenticated peers, making attack vectors such as phishing, pharming and various MITM vectors feasible.

In order to enhance their security, enterprises need to go beyond standard methods (2FA, 3FA (biometric), OTP...) and look for a stronger identity and authentication mechanism, a 4th factor which is not feasible to hack into. The next step would be to apply this security to all communicating peers. For example, Apple's iCloud could potentially become an impregnable vault for its users' personal data by taking up this line of action, automatically leapfrogging it to the lead among cloud-based service providers.

In a globally connected flat earth the internet dominates human enterprise: recording and disseminating information, executing financial transactions and providing news and entertainment. The Internet has evolved from a public medium enabling user communication to supporting critical commercial and corporate transactions. This has inadvertently resulted in various security vulnerabilities. There are certain inherent flaws in the contemporary security mechanisms that are deployed over the public internet today. Current solutions, including SSL-VPN, digital certificates, IPSec VPN or even multi-factor authentication, are either not completely secure and not scalable, or are cost-intensive and haven't seen widespread use.

There is a need for true mutual authentication, which ensures that the end user and the server authenticate each other every time they start an interaction, and puts enterprises as well as end users back in control of who they are interacting with.

- Mr. Sanjay Deshpande, CEO & Co-Founder, Uniken

What happened after - Phishing Attack
"After this massive leak, Apple is sending people a notification every time someone logs in to iCloud. Hackers are using that same notification in a spoofed email to get people to change their passwords on a website that is not run by Apple. People who don't have this information about the internet have a greater chance of getting attacked, and they need to be informed and careful. This stuff is scary and invasive and people need to protect themselves from whatever is out there." - Manna Kanuga, a freelance photographer
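The spoofed notifications described above work because the visible link text and the real destination differ. As an added example (not from the article, from the person quoted, or from Apple), the checker below pulls every link out of a constructed notification e-mail and flags links whose real host is not an Apple domain, that are not HTTPS, or whose displayed text names a different domain than the one the link actually points to. The trusted-domain list and the sample e-mail are assumptions made for this example.

```python
"""Added illustration (not the article's code): flag password-reset links in
a notification e-mail whose real target is not an Apple domain.  The e-mail
body and the trusted-domain list are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: a genuine Apple notification only links to
# these domains or their subdomains.  A real filter would use the sender's
# published domain list.
TRUSTED_SUFFIXES = ("apple.com", "icloud.com")

# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

# Constructed phishing sample.  Link 1 uses a look-alike domain, link 2 hides
# the real host behind a user@ prefix, link 3 is genuine.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in to iCloud from a new device.</p>
<p>If this was not you,
<a href="https://appleid.apple.com.account-verify.example/reset">reset your password at appleid.apple.com</a>.</p>
<p>Sign in to <a href="http://apple.com@198.51.100.7/login">iCloud</a> to review recent activity.</p>
<p>Manage your account at <a href="https://appleid.apple.com/">https://appleid.apple.com/</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def host_is_trusted(host):
    """True if host is a trusted domain or a subdomain of one.  Matching on a
    full label boundary rejects look-alikes such as apple.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_links(html):
    """Return [(href, [reasons])] for every link that fails a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()   # .hostname drops any user@ prefix
        reasons = []
        scheme = url.scheme or "missing"
        if scheme != "https":
            reasons.append(f"scheme is {scheme!r}, not https")
        if not host_is_trusted(host):
            reasons.append(f"target host {host!r} is not a trusted Apple domain")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and shown.group(1).rstrip(".") != host:
            reasons.append(f"text shows {shown.group(1)!r} but target is {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

On the sample, the look-alike link is flagged twice (untrusted host, and displayed domain differs from target), the user@ link is flagged for plain HTTP and an untrusted IP host, and the genuine appleid.apple.com link passes. Parsing the href with urlparse rather than eyeballing the string is the important part: the real host of http://apple.com@198.51.100.7/ is the IP address, not apple.com.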
