Nik Cubrilovic has a great, in depth piece on celebrity data theft. Considering how much data everyone stores online these days, it's probably a worthwhile read for everyone. Of particular note how these accounts are compromised:
- Users who scour Facebook and other social media looking for targets and collecting as much information as possible. Data collection includes utilizing public record services and purchasing credit reports. Obtaining data on a target includes setting up fake profiles, friending or following friends of the target, being persistent with extracting information that might help answer secret questions, approaching male friends of the target, etc.
- Users who use the target data to retrieve passwords or authentication keys. There are numerous methods here and most have tutorials available online. The most common are RATs, phishing, password recovery and password reset. RATs are simply remote access tools that the user is either tricked into installing via private messages or in an email (link or an attachment) or that someone close to the target will install on their phone or computer with physical access. Phishing is sending the target an email with a password reminder or reset that tricks the user into entering their password into a site or form the attacker controls. Password reminder is gaining access to the users email account (again using secret questions or another technique) and then having a reminder link sent to access the cloud storage. Password reset is answering the date of birth and security question challenges (often easy to break using publicly available data – birthdays and favorite sports teams, etc. are often not secrets).
It's not simple brute force and phishing, but also a system built upon social engineering. Recall that password reset was how Sarah Palin's email was broken into years ago. It's fairly trivial, especially given how often those "password secrets" can be answered by a quick look at someone's Facebook profile.
I guess take this incident as a reason to consider how much personal data you're putting out there, and if it could be used against you. I know I immediately went to Facebook to double check some privacy settings and outright remove some data.