An Apple spokesperson has issued a statement on the company’s investigation of the hacking of female celebrities’ cloud accounts and the theft of photos from their accounts. And Apple is, in essence, blaming the victims. Or at least, their security questions and passwords.

“We wanted to provide an update to our investigation into the theft of photos of certain celebrities,” the statement reads. “When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us."

Initial reports from security sources suggested that an exploit of a weakness in Apple's "Find My iPhone" API that allowed a brute force password attack. Apple has discounted those reports, and it blames the success of the attacker on what amounts to social engineering of the accounts—by trying to use personal data to guess passwords or answers to security questions for the accounts in question. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

The Apple statement goes on to “advise all users to always use a strong password and enable two-step verification.” If the attacks did use the security questions of the victims to gain access to their accounts, the attack would have been thwarted by the two-step authentication process—which requires a recovery key to gain access to an account if a device is lost. Two-step verification requires a waiting period after initial request.