Apple and the FBI are investigating the publication of nude celebrity photos online after Apple’s iCloud was allegedly hacked.

The private photographs of celebrities such as Jennifer Lawrence, Kate Upton, Kelly Brook and Rihanna were uploaded by hackers.

But Apple has so far remained tight-lipped about claims that hackers managed to access photographs automatically backed up on its iCloud service.

A piece of software called iBrute has been linked to the alleged attack because of its ability to exploit a vulnerability in Apple's Find My iPhone service.

Apple had no limit on the number of password guesses, which allowed the malicious script to make multiple attempts at a fast rate until the correct password was identified.

But Apple has patched the flaw, and the service now has a five-attempt limit, according to Digital Spy.
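A sketch of the kind of control described above, added here as an illustration (it is not Apple's code and does not come from the original article): failed guesses are counted per account rather than per service, and further attempts are refused once the limit is reached. The account store, the 15-minute lockout period and all function names are assumptions.

```python
import hmac
import time

MAX_FAILURES = 5            # the five-attempt limit reported in the article
LOCKOUT_SECONDS = 15 * 60   # assumed lockout period; the article gives none

# Constructed sample account store (plaintext only to keep the example short).
USERS = {"user@example.com": "S3cret-constructed"}

def check_password(account, password):
    expected = USERS.get(account)
    if expected is None:
        return False        # unknown accounts never authenticate
    return hmac.compare_digest(expected.encode(), password.encode())

class AttemptLimiter:
    """Failed-guess counter keyed by account, shared by every login endpoint."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock
        self._state = {}    # account -> (failure count, locked-until time)

    def is_locked(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self.clock() < locked_until

    def record(self, account, success):
        if success:
            self._state.pop(account, None)      # a good login clears the count
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            locked_until = self.clock() + self.lockout
        self._state[account] = (failures, locked_until)

def login(limiter, account, password, endpoint):
    """`endpoint` is only a label: the counter ignores it, so no single
    service can be used to get unlimited guesses."""
    if limiter.is_locked(account):
        return "locked"     # refused before the password is even checked
    ok = check_password(account, password)
    limiter.record(account, ok)
    return "ok" if ok else "denied"
```

Once an account is locked, even the correct password is refused until the lockout expires, so a guesser learns nothing from continuing.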

There is still no concrete evidence that the images were stolen from iCloud, and some commentators have suggested multiple breaches may have been used to access the photographs from the mobile phones of A-list celebrities including Jennifer Lawrence and Kate Upton.

Lawyers acting on behalf of Jennifer Lawrence and Kate Upton have threatened to prosecute anyone found disseminating or duplicating the illegally obtained images.

Calls for Apple to tighten security

Despite the lack of evidence of an iCloud leak, the incident has prompted calls for Apple to make two-factor authentication mandatory for all users of its services.

Currently, two-factor authentication, which improves security by requiring a one-time password, is optional. But independent security consultant Graham Cluley said not all users know it is available.

“It would be great to see Apple make such protection mandatory, rather than an opt-in choice for the few that know about it,” Cluley wrote in a blog post.

The hack has also raised renewed concerns about the security of cloud-based backup and storage services.

Data transparency and biometrics

But some security commentators say the shift from data stored in one physical location to seamless cloud synchronisation creates a near total lack of transparency about the location of data.

“When you take an action on your phone, and it synchronises to your laptop and tablet, that data is almost certainly going somewhere else, stored and backed-up,” said Tim Erlin, director of security and risk at Tripwire.

“Each of these locations and systems in which the data exists creates a vector for attack that must be protected. We are largely at the point where nothing you do on your iPhone can be considered private.”

To stay ahead of hackers it is important to use a new trust model that incorporates technologies such as biometric authentication, said Raj Samani, chief technology officer in Europe for Intel-owned McAfee.

“Biometric authentication replaces passwords, taking into account human attributes such as fingerprints, voice or even facial recognition to provide a higher level of security during the authentication process,” Samani said.
