On September 12, 2022, Apple released a set of security updates that fixed newly identified zero-day vulnerabilities in their devices. Apple acknowledged reports that these vulnerabilities may have been exploited by hackers, but did not go into greater detail.
Below, we’ll dig into the full history of Apple breaches, starting with the most recent.
September 2022: Apple Security Updates Address Zero-Day Vulnerabilities
On September 12, Apple released a batch of security updates to shore up their devices against newly identified zero-day vulnerabilities. The devices affected include Macs, iPhones, iPads, and more. This was the eighth such vulnerability identified so far in 2022.
Apple did not say whether this vulnerability had been exploited, only that they were aware of reports that it may have been.
August 2022: Apple Identifies and Patches Two Security Vulnerabilities
On August 17, Apple released an update to shore up iOS, iPadOS, and macOS against two security vulnerabilities: one in WebKit, which underpins Safari and other apps, and another in the kernel of the operating system itself.
Per Apple, the WebKit vulnerability could allow malicious web pages to execute code on the device. The operating system vulnerability could allow a malicious app “to execute arbitrary code with kernel privileges”, giving it broad power over the infected device. Apple acknowledged they were “aware of a report this issue may have been actively exploited” by malicious actors, but did not go into greater detail.
Fortunately, it appears the fix is already available. To ensure your devices are secure, go into your settings, check for updates, and update your device if necessary.
September 2021: Israeli Spyware Compromises Apple Devices
In September 2021, researchers discovered that a spyware called Pegasus had infected iPhones and other Apple devices via a ‘zero-click exploit’, granting the spyware broad power over a user’s device. Once infected, the spyware could record calls and messages and even turn the device camera and microphone on without the user knowing.
Pegasus was produced by the NSO Group, an Israel-based company that sells its spyware to governments such as Mexico and Saudi Arabia. Though this spyware would presumably be used to surveil terrorists and criminal enterprises, these governments have also used it to spy on activists, politicians, and journalists.
As of September 13, 2021, Apple had patched the exploit. The battle between legitimate companies and spyware developers such as the NSO Group is an ongoing one – with well-financed outfits such as this one out there, you can never be certain of your privacy. If you have not done so already, make sure to manually update any iOS device you own to protect it.
January 2019: Google Discovers Data Exploit in iPhones
In January 2019, researchers at Google discovered a data exploit that affected an unknown number of iPhones. Through this exploit, users could get infected with monitoring spyware simply by visiting the wrong website on their iPhone. From there, hackers could access everything from their passwords to their address book to their messaging history.
Once discovered, these Google researchers reported the issue to Apple and Apple patched the exploit within ten days. It’s unclear how many iPhones were affected. According to Apple, the exploit only lasted for two months and affected a narrow set of users, seeded by “fewer than a dozen websites that focus on content related to the Uighur community.”
September 2015: XcodeGhost Malware Compromises 128m iPhone Users
In 2015, a group of hackers repackaged their own malicious version of Xcode, the app development tool for iOS and OS X. The hacked version, XcodeGhost, included malware that would provide the hackers with device information, including its unique identifier.
From there, XcodeGhost was used by app developers, mostly in China, to develop at least 4,000 apps. When users downloaded infected apps from the App Store, their devices were compromised. This breach affected 128 million iPhone users, including 18 million in the United States.
At the time, Apple did not disclose the extent of the breach to the affected iPhone users. There were internal discussions about doing so, but ultimately, Apple declined to inform those who were affected. The extent of the breach only came to light in May 2021, as part of Epic Games’ lawsuit against Apple.
August 2015: KeyRaider Malware Steals Data from 225k Jailbroken iPhones
KeyRaider, a form of malware that targeted jailbroken iPhones, gave attackers access to login credentials, private keys, certificates, and online purchase receipts from approximately 225,000 iPhone users. This gave attackers the ability to make unauthorized purchases and use these credentials to access personal data.
Only jailbroken devices were impacted by the malware. Although the size of the breach makes it one of the largest to impact Apple devices, this particular breach only affected users who made changes to their devices that were not strictly authorized by Apple.
September 2014: Hundreds of Celebrity Nude Photos Leaked in iCloud Incident
In September 2014, a group of hackers breached dozens of celebrity iCloud accounts by compromising their login credentials. From there, they stole hundreds of nude photos and posted them to the online forum 4chan.
Apple denied that iCloud itself had been hacked, and stated that this attack resulted instead from a breach in passwords and security questions. From everything we can tell, this appears to have been a spear phishing attack: the attackers targeted specific people and made a concerted effort to gain their login credentials so they could break into their private accounts.
That doesn’t mean Apple bears no responsibility for the incident. After the attack, Apple hardened iCloud login security, requiring two-factor authentication to prevent future breaches of this nature.
July 2013: iOS Dev Center Hacked, Exposing 275k Developers
While this Apple data breach didn’t impact consumers directly, it did expose the data of the approximately 275,000 registered third-party developers using the Apple developer portal. Developer names and IDs were visible after the attacker exploited a vulnerability, and mailing and email addresses may have also been exposed.
However, the person claiming responsibility for the breach asserted that their intentions weren’t nefarious. Instead, they claimed that their goal was to expose bugs that could be exploited and that they reported everything they discovered to Apple to allow the company to take appropriate action. The person also stated that after they alerted the tech giant to the bugs, the portal was taken offline.
Apple did confirm that the system was accessed by an unauthorized person. Additionally, the company stated that the personal information of the registered developers might have been exposed.
Some developers who may have been impacted were also required to perform password resets. While passwords were never explicitly listed as being exposed, the move suggests that password details may have been visible to an attacker or that password-related data was copied, though it isn’t clear whether that was the case.
August 2012: Bluetoad Leaks 12 Million Apple Device IDs
In August 2012, the hacker group AntiSec leaked 12 million Apple device IDs online. They claimed to have obtained this data after taking an FBI agent’s computer in March 2012. However, it turns out these device IDs were leaked not by the FBI, but by the app development company Bluetoad.
In any case, it does not appear that Apple played much of a role in this particular data leak – though its customers certainly were affected.
June 2010: AT&T Breach Exposes 114k iPad Users’ Email Addresses
In June 2010, two hackers exploited a vulnerability in AT&T’s phone network and stole the email addresses of 114,000 iPad users via a brute force attack. Responsibility for this vulnerability appears to lie fully with AT&T – it happened through their network, not through Apple’s devices or services.
We did not find any earlier records of data breaches involving Apple.