Apple Attackers Hack Webcams Too

Strong Passwords Aren't Enough to Stop Hackers

By Mathew Schwartz, September 9, 2014.

Get permission to license our content for reuse in a myriad of ways.

Following the breach of celebrities' nude photos, there's a widespread misperception that if only victims had used strong passwords and Apple's two-factor authentication system, they would have been protected.

The celebrity photo breach resulted in an estimated 700 nude and other highly personal images from about 25 celebrities being released. In response, Apple issued a statement confirming that it experienced "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

Apple then added: "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification."

In general, strong passwords are good. They can slow down brute-force password-guessing attacks. But that's not how Apple's celebrity customers appear to have been compromised. Security expert Nik Cubrilovic, for one, has combed through months of posts to the image boards and community sites favored by celebrity photo hackers, and says the majority of tutorials that members post for each other reference freely available tools that allow anyone in possession of a valid Apple username and password to download the iCloud backups for that account, with no second factor required.

Apple Alerts: A Start

Apple doesn't offer two-factor authentication to restrict access to iCloud backups, nor has the company said it plans to do so, although Apple has promised to implement a warning system when it sees signs of account hijacking.

I've reached out to Apple multiple times, requesting comment on why it isn't addressing the iCloud backup vulnerability being actively exploited by attackers, but have yet to hear back.

Marc Rogers, principal security researcher at mobile anti-virus vendor Lookout Security, says the warning system is a needed step in the right direction. "It's true that alerts alone won't stop attackers, however knowing when accounts have been attacked is an incredibly important step in being able to prosecute the attackers, and that in turn will have an effect on the attacks," Rogers tells me. "It's worth noting that this is much bigger than Apple - it's an industrywide topic - though obviously Apple will always be a target because it's so popular with people, and that then attracts the bad guys."

Better Security Through Lying

Apple hackers have also been exploiting the company's password-reset functionality, which allows users to answer secret questions to change an account password.

But secret questions have limits. The 2012 hack attack against presidential candidate Mitt Romney's Hotmail account, for example, allegedly reset the password after the hacker correctly entered the name of Romney's "favorite pet," which had been recorded in numerous news stories.

The takeaway here is simple, if counterintuitive: "Lying can protect your iCloud account," says independent security expert Graham Cluley. Just keep track of your answers, preferably in a password manager:

"@stevewerby: Credit card company: What's your mother's maiden name? Me: Donkey Kong Bumper Boat. Them: Uh, yes. What? Me: I'm in security."
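One way to put the "lie, then keep track of the lie" advice into practice, as an added example that is not part of the original article: generate secret-question answers from a wordlist with a cryptographic random source, compare their entropy with a truthful answer drawn from a short list of common pet names, and file the result in a stand-in for a password-manager vault. The wordlist, the pet-name list and the `AnswerVault` class are constructed for this demo; a real deployment would use a large diceware-style list and an actual password manager.

```python
import math
import secrets

# Constructed sample wordlist for the demo (assumption: a real tool would load
# a large diceware-style list, such as the 7,776-word EFF long list).
WORDLIST = [
    "donkey", "kong", "bumper", "boat", "copper", "lantern", "marble", "sparrow",
    "granite", "velvet", "harbor", "cactus", "meadow", "saddle", "turbine", "walnut",
]

# Constructed list of common "favorite pet" answers, to show how little an
# attacker has to guess when the answer is truthful and typical.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy", "daisy", "rocky", "molly"]


def random_answer(num_words=4, wordlist=WORDLIST):
    """Build a multi-word answer from independent CSPRNG draws (secrets, not random)."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words, wordlist_size):
    """Entropy of an answer made of num_words uniform, independent picks."""
    return num_words * math.log2(wordlist_size)


def guessable_answer_bits(candidates):
    """Best-case entropy of a truthful answer known to lie in `candidates`.

    Real answers are far from uniform (news stories, social media), so this
    is an upper bound on the attacker's work.
    """
    return math.log2(len(candidates))


class AnswerVault:
    """Minimal stand-in for a password manager, keyed by (site, question)."""

    def __init__(self):
        self._entries = {}

    def add(self, site, question, answer):
        self._entries[(site, question)] = answer
        return answer

    def lookup(self, site, question):
        return self._entries.get((site, question))


def enroll(vault, site, question, num_words=4):
    """Generate a random answer for one secret question and record it in the vault."""
    answer = random_answer(num_words)
    vault.add(site, question, answer)
    return answer


if __name__ == "__main__":
    vault = AnswerVault()
    question = "What was the name of your first pet?"
    answer = enroll(vault, "icloud", question)
    print("stored answer:", vault.lookup("icloud", question))
    print("random 4-word answer from a 7,776-word list: %.1f bits" % entropy_bits(4, 7776))
    print("truthful answer from %d common pet names: %.1f bits"
          % (len(COMMON_PET_NAMES), guessable_answer_bits(COMMON_PET_NAMES)))
```

The point of the comparison is the gap: four words from a 7,776-word list give roughly 51.7 bits, while a truthful answer from a handful of common pet names gives about 3 bits, and in practice far less once the answer has appeared in print.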

Creepy Attackers: Worse Than You Think

Celebrities aren't the only victims of image hackers. Indeed, attackers are also using social engineering attacks, remote-access Trojans, cloud backup-retrieval tools and password resets to harvest photos and videos from a wide variety of devices, be they an iPhone or iPad, Android smart phone or tablet, or a teenage girl's laptop webcam.
