Apple has released a statement denying that the recent celebrity photo hack resulted from a breach of iCloud or its Find My iPhone service. The company instead faults “a very targeted attack on user names, passwords and security questions.” Although Apple has not yet detailed all the types of attacks that were used, at least one seems clear from its statement: the attackers likely guessed the answers to poorly chosen security questions.
A well-chosen security question can be answered only by the legitimate account owner, and its answer should be as hard to guess or look up as the password it stands in for. Although it is easy to fault users for choosing questions that are too easy to answer, sites are sometimes at least partially to blame. When a site offers only fixed questions such as “What is the name of your pet?” or “What was the name of your elementary school?” instead of allowing users to write their own, it is essentially making the security question the weakest link to the account: the answer to a password-reset question grants the same access as the password itself, but is drawn from a far smaller and more public pool.
While it may be difficult to determine the exact password someone chose for their account, a poorly chosen and poorly answered security question drastically narrows the list of candidates: the plausible answers to “What is the name of your pet?” number in the hundreds, and the right one is often a matter of public record. Thus, it is unsurprising that an attacker would in some cases research the answer to a security question rather than attack a password directly, since answering the recovery questions bypasses the password entirely. When you are a celebrity, the situation is even worse. Information such as the name of your pet is probably public knowledge and can be found with a single Google search.
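To make the size of that gap concrete, here is a small added example (not code from the article or from Apple). It models an attacker who tries a target's publicly known facts first and then a list of common answers, and reports the guess number of a given answer; it then shows the two fixes the argument points to: on the user side, answering a fixed question with a random secret kept in a password manager, and on the site side, storing answers salted and slow-hashed like passwords. The common-answer lists, the guess-ordering model and the choice of PBKDF2 are all assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional, Sequence, Tuple

# Constructed sample data (not from the article): the answers an attacker would
# try first for two fixed questions of the kind the article criticises.
# Real wordlists are much longer, which only makes the point stronger.
COMMON_ANSWERS = {
    "What is the name of your pet?": [
        "max", "bella", "buddy", "charlie", "lucy", "daisy", "molly", "bailey",
    ],
    "What was the name of your elementary school?": [
        "lincoln", "washington", "jefferson", "franklin", "roosevelt",
    ],
}


def normalize(answer: str) -> str:
    """Fold case and drop punctuation the way most sites do before comparing.

    This matters for the attacker model: if the site accepts "Max!" for "max",
    the effective answer space is the normalized one, not the literal string.
    """
    kept = "".join(ch for ch in answer.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def guess_number(question: str, answer: str,
                 public_facts: Sequence[str] = ()) -> Optional[int]:
    """Estimate how many guesses an attacker needs to hit this answer.

    Attacker model (an assumption of this example): try facts already public
    about the target (a pet's name from an interview) first, then the common
    answers for the question, in list order. None means the answer is in
    neither list and the attacker is reduced to brute force.
    """
    norm = normalize(answer)
    facts = [normalize(f) for f in public_facts]
    if norm in facts:
        return facts.index(norm) + 1
    common = COMMON_ANSWERS.get(question, [])
    if norm in common:
        return len(facts) + common.index(norm) + 1
    return None


def guess_bits(question: str, answer: str,
               public_facts: Sequence[str] = ()) -> Optional[float]:
    """log2 of the guess number, so it can be compared with a password's bits.

    A first-try hit is 0 bits: the attacker already knew the answer.
    """
    n = guess_number(question, answer, public_facts)
    return math.log2(n) if n is not None else None


def random_answer(nbytes: int = 16) -> str:
    """User-side fix: answer a fixed question with a random secret stored in a
    password manager, so guessing it is as hard as guessing a 128-bit key."""
    return secrets.token_hex(nbytes)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Site-side fix: store the normalized answer like a password (salted,
    slow hash) rather than in plaintext. PBKDF2-HMAC-SHA256 is this example's
    choice of slow hash; the iteration count follows current OWASP guidance."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 600_000)
    return salt, digest


def check_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a submitted answer against the stored hash."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    q = "What is the name of your pet?"
    # A dog's name that has appeared in an interview: found on the first try.
    print(guess_number(q, "Bella", public_facts=["Bella"]))
    # A non-public but common pet name: still within the first handful of guesses.
    print(guess_number(q, "Charlie!"), guess_bits(q, "Charlie!"))
    # A random secret used as the answer: in no list, so brute force is required.
    print(guess_number(q, random_answer()))
```

Run stand-alone, the script prints `1`, then `4 2.0`, then `None`: the public answer costs the attacker nothing, the merely common one costs two bits of work, and the random one puts the question back on equal footing with the password. Rate-limiting recovery attempts on the server narrows the window further, but it cannot help when the first guess is right.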
Until users learn to choose better security questions and answers, treating each answer as a second password rather than a fact about themselves, and sites do more to encourage unique questions and answers, these types of security breaches are likely to continue.