Apple to beef up security measures after nude photo leak

Apple plans to roll out new security features in the coming weeks that are designed to counter the methods used in a mass theft of nude celebrity photos.

The company will use email and push notifications to alert users when someone tries to change an account password, restore cloud data on a new device, or connect an unfamiliar device to an existing Apple account.

Apple CEO Tim Cook told The Wall Street Journal that the new notifications would start in two weeks, and that users would be able to take back their accounts immediately.

Apple also plans to widen its use of two-step authentication. That option, available on most email or file-sharing platforms, is a second, temporary password that usually arrives in the form of a text message.

Apple CEO Tim Cook explained the changes in an interview with The Wall Street Journal, his first public comments since private, nude photos of Jennifer Lawrence and other celebrities were leaked on the Internet. An Apple representative confirmed Cook's remarks to CNNMoney.

Apple (AAPL) has concluded hackers were able to force their way into the photo collections through phishing attempts, guessing passwords or figuring out answers to the celebrities' security questions.

Well-guarded systems only let users guess passwords a handful of times before blocking access. But until this week, Apple's iCloud service allowed people to guess passwords over and over again. It would never lock them out. Eventually, hackers hit it right.

Apple assured the public the hackers did not break into the company's core computer systems, which house all of its users' data. So iCloud itself was not hacked.

What's wrong with iCloud?

Although iCloud uses two-step authentication to keep hackers out of your account, there's currently a stupidly easy way around that.

Anyone can grab any Apple device, synchronize it with your iCloud account and download all of your private files. All it takes is your username and password. That sounds like a lot, but it's actually the very thing two-step authentication is meant to prevent. For iCloud, two-step authentication is currently useless.

That's why Cook is wrong to say the problem lies with users -- not Apple's system.

"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he told The Journal. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."

But the two-step authentication problem is exactly an engineering problem. Apple did not respond to CNNMoney's requests for comment about that point.

The revelation that Apple can't keep your data private comes at a terrible time. The company is expected to unveil several products and services on Monday, all deeply interconnected with data sharing -- and requiring your trust.
