Wired on how iCloud accounts may have been hacked


Andy Greenberg for Wired:

If a hacker can obtain a user's iCloud username and password with iBrute, he or she can log in to the victim's iCloud.com account to steal photos. But if attackers instead impersonate the user's device with Elcomsoft's tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.

Basically it seems first you need someone's account email and then bust their password. Using a dedicated/private email address for iCloud, a strong password, and 2-factor verification would seem to make this sort of thing very difficult.