Apple said Tuesday that hackers who posted hundreds of nude images of celebrities over the weekend didn’t penetrate its systems, but rather got access to the pictures through a “very targeted attack on user names, passwords and security questions.”

That type of attack, which ensnared celebrities including Jennifer Lawrence and Kate Upton, is known as a “brute-force attack,” in which hackers simply try a wide variety of username and password combinations in an attempt to gain access to a target’s account. It’s much simpler—and often less effective—than more complex attacks, but it can be effective if the targeted service doesn’t put a limit on the number of times a user can try to log in before it locks them out. In a brute-force attack, hackers often employ software specially written to come up with random combinations of usernames and passwords, vastly speeding up the process.

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” Apple said, meaning the attack targeted individual users rather than Apple’s systems as a whole. “We are continuing to work with law enforcement to help identify the criminals involved.”

Apple also advised users to turn on what’s called Two-Step Verification, which adds an extra layer of protection to online accounts. Essentially, two-step verification means that after users enter their memorized password, the service to which they’re logging in text-messages them a secondary, randomly-generated code. Users gain access to their account only after that secondary code is entered.

Two-step verification can foil a brute-force attack because it’s nearly impossible for hackers to gain access to targets’ phones.

Write to Alex Fitzpatrick at alex.fitzpatrick@time.com.