Is Apple iCloud Safe?

Defenses Don't Block Backup-Retrieval Attacks, Experts Contend

By Mathew J. Schwartz, September 3, 2014.

Apple has blamed a "very targeted attack" for the suspected breach of numerous celebrities' iCloud accounts, which resulted in nude photographs and videos being leaked to the 4chan image board. But some security experts have taken issue with Apple's explanation for the attacks. And they contend the company's iCloud service remains vulnerable to similar exploits.

Security experts say at least a dozen celebrities' personal photographs and videos have recently been publicly released, and the attackers have hinted that there may be more than 100 celebrity victims in total. Attorneys for actress Jennifer Lawrence and model Kate Upton have confirmed their clients were victims of the attacks. Many security experts suspect the attacks resulted from the exploitation of iCloud vulnerabilities, potentially brute-force password-guessing attacks launched via the Find my iPhone API; Apple has since patched that flaw.

But in a media advisory issued Sept. 2, just two days after the trove of celebrity images came to light via the 4chan image board, Apple said some celebrities' accounts - and photos and videos stored therein - "were compromised by a very targeted attack on user names, passwords and security questions."

"None of the cases we have investigated has resulted from any breach in any of Apple's systems, including iCloud or Find my iPhone," Apple said in its advisory.

An FBI investigation is continuing, and Apple says it hopes to pinpoint the identities of those who stole the images. Going forward, Apple has also urged all iCloud users to use strong credentials. "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification," it says.

Questioning Apple's Take

Some commentators have accepted Apple's explanation, saying that if usernames and passwords were compromised, and users failed to activate two-factor authentication, then Apple is blameless. But others have questioned Apple's account. "Apple basically said that iCloud wasn't hacked ... it was iCloud accounts that were hacked. Using iCloud. That's different. I guess," says digital forensics researcher Jonathan Zdziarski via Twitter.

Zdziarski adds that Apple could have done much more to secure accounts, "like not allow infinite brute-force attempts, and verify logins from unknown IPs with a SMS or email code."

Apple didn't immediately respond to a request for comment about whether it planned to add those security features.

If Apple was logging access attempts, then any attackers who attempted to log onto iCloud would have had their IP address recorded, provided they weren't actively masking it. "Apple should have logs containing IP addresses of all parties connecting to their services, and using this information, they should be able to quickly identify attackers executing large numbers of logon attempts," says Philip Lieberman, CEO of Lieberman Software.

But he says the breach "does beg the question of Apple's incompetence in security operations," since the iPhone manufacturer doesn't appear to have detected the attacks.
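The two controls raised above, Zdziarski's call to cap brute-force attempts and to challenge logins from unknown IPs, and Lieberman's point that authentication logs should reveal high-volume logon attempts, can be illustrated with a small detector. This is an added example, not Apple's code; the log format, account names and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not Apple's).
SAMPLE_LOG = """\
2014-08-31T02:10:01Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T02:10:02Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T02:10:04Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T02:10:05Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T02:10:07Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T02:10:09Z auth user=alice@example.com ip=203.0.113.7 result=FAIL
2014-08-31T09:00:00Z auth user=alice@example.com ip=198.51.100.4 result=OK
2014-08-31T09:05:00Z auth user=bob@example.com ip=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(log):
    """Yield (timestamp, user, ip, result) tuples; non-matching lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["ip"], m["result"]

def brute_force_sources(log, threshold=5, window=timedelta(minutes=10)):
    """Return {(ip, user): peak_failures} for (source, account) pairs whose failed
    attempts within any sliding `window` reach `threshold` (a lockout trigger)."""
    recent = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    flagged = {}
    for ts, user, ip, result in parse(log):
        if result != "FAIL":
            continue
        times = recent[(ip, user)]
        times.append(ts)
        while ts - times[0] > window:       # drop failures older than the window
            times.pop(0)
        if len(times) >= threshold:
            flagged[(ip, user)] = max(flagged.get((ip, user), 0), len(times))
    return flagged

def needs_step_up(log, user, ip):
    """True when `ip` has no prior successful login for `user`, i.e. the
    'unknown IP' case where an SMS or e-mail code should be required."""
    known = {(u, i) for _, u, i, r in parse(log) if r == "OK"}
    return (user, ip) not in known
```

On the sample log, `brute_force_sources` flags the six rapid failures against one account from 203.0.113.7, while bob's single failure stays below the threshold; `needs_step_up` treats 198.51.100.4 as known for alice because of the earlier successful login.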

Apple Two-Factor: Not For Backups

In the wake of the celebrity image breach, Apple has recommended not only picking strong passwords, but using its two-factor authentication system to make it more difficult for would-be attackers to access a user's iCloud account.

But according to Australian software developer Nik Cubrilovic, Apple's two-factor system won't secure users against the types of cloud-ripping attacks that compromised the celebrity photos and videos, because it only protects "account details and updates," not backups. "Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups," he contends.

Apple didn't immediately respond to a request for comment about that criticism of its iCloud system backup security. In the meantime, Lieberman says users must be aware "that they are using a consumer-grade service with Apple," and that "much more secure systems exist for file storage and should be used for sensitive data."

Hence it's caveat emptor for anyone using a consumer cloud service - especially celebrities and other high-profile targets.