
Today, I want to go back in ⏲time to a famous security incident to emphasize the importance of ⛓️‍💥basic security practices. I still see people not following these practices, and they may fall into the trap of phishing attacks. I won’t delve further into the incident itself, as it could be sensitive for certain individuals. What I want to emphasize are the mitigation strategies, so people can avoid similar incidents in future, because these simple mistakes usually lead to larger incidents.
I am speaking about the 2014 incident, where private photos of multiple 🪆women celebrities were leaked online on an imageboard named 4chan. The leak was initially attributed to a security flaw in iCloud (an Apple service) or the iCloud API. But Apple has claimed that it was due to a very targeted phishing attack (named spear phishing).
Before talking about spear phishing, let’s talk about social engineering. Social engineering is a way to psychologically manipulate a person into revealing or disclosing some information. In the context of cybersecurity, that information is usually passwords, personal or sensitive personal data, or confidential data. For example, a person could send you an 📲SMS and ask you to click on a link to receive a reward, but what you get isn’t a reward, but rather malware or a compromise of your data. Now, back to spear phishing. It is a type of social engineering where personalized or targeted emails or SMS messages are sent to a specific person to get them to reveal sensitive information (like passwords, bank/financial details etc). There are different types of phishing attacks, which I can write more about in future posts.
Now that you have a basic understanding of the attack itself, let’s talk about how it was used in this incident. There aren’t many details on how the photos were leaked. Some details reveal that a hacker created a fake email address named “appleprivacysecurity” and sent the victims an 📲SMS or 🖨email asking them to reset their iCloud password, with a sense of urgency. Urgency is commonly used in phishing attacks to keep the victim from thinking it through. This led the victims to hand over their iCloud passwords to the hacker.
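As an added illustration (not part of the original post and not any Apple tooling), the following Python example checks a message for the three traits described above: a brand name in a sender address that is not on the brand's domain, urgency wording, and a password-reset link that points elsewhere. The sample messages, the `.example` placeholder domains, and the list of legitimate brand domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand really sends from and links to.
BRAND_DOMAINS = {"apple.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud")
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended|locked)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
RESET = re.compile(r"password|reset|verify", re.I)

def registered_domain(host):
    """Naive last-two-labels domain; fine for these samples, not for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_signals(raw_message):
    """Return the warning signs found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    body = msg.get_payload()
    signals = []
    off_brand = registered_domain(domain) not in BRAND_DOMAINS
    if off_brand and any(w in local + display.lower() for w in BRAND_WORDS):
        signals.append("brand name in sender, but sender domain is not the brand's")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        signals.append("urgency wording")
    if RESET.search(body):
        for url in URL.findall(body):
            host = urlparse(url).hostname or ""
            if registered_domain(host) not in BRAND_DOMAINS:
                signals.append(f"password-reset link points to {host}")
    return signals

# Constructed sample messages (not taken from the incident).
SUSPICIOUS = """From: Apple Privacy Security <appleprivacysecurity@mail.example>
Subject: Urgent: your iCloud account will be locked

Reset your password immediately: http://icloud.login.example/reset
"""
GENUINE = """From: Apple <noreply@email.apple.com>
Subject: Your receipt

View your purchase history at https://www.apple.com/account
"""

if __name__ == "__main__":
    for signal in phishing_signals(SUSPICIOUS):
        print("-", signal)
```

A clean result from a check like this does not prove a message is genuine; it only means none of these three traits were found.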
To protect yourself from incidents like this in future, I recommend the following measures:
2FA⚔️: It would not have been a buzzword in 2014 like it is now on every platform, but people still don’t activate it. Without going into more detail, the best forms of 2FA are hardware authentication devices (like YubiKey), authenticator apps (like Google Authenticator, Microsoft Authenticator), SMS/text message etc.
Use strong passwords🔨: The more complex your password is, the harder it is to guess or crack via dictionary attacks (more on this later) or similar attacks. Use more than 12 characters with a combination of letters, numbers and special characters. Passphrases are also a good way to create complex passwords that are easier to remember. Also, keep it a secret, which brings me to my next point.
Use a good password manager📑: I recommend KeePass, as it’s open source and has regular security updates/patches. It may be intimidating in the beginning, but once you get the hang of it, it’s easy to use. They have a desktop application. There are also mobile applications which work with the KeePass database file.
If you know any other measures or actions, let us know✒️