Slashdot Mirror


Apple Allegedly Knew of iCloud Brute-Force Vulnerability Since March

blottsie writes Apple knew as early as March 2014 of a security hole that left the personal data of iCloud users vulnerable, according to leaked emails between the company and a noted security researcher. In a March 26 email, security researcher Ibrahim Balic tells an Apple official that he's successfully bypassed a security feature designed to prevent "brute-force" attacks. Balic goes on to explain to Apple that he was able to try over 20,000 password combinations on any account.


  1. Re:Not Brute Force by aardvarkjoe · Score: 5, Informative

    20,000 is not a brute force attack. That will only succeed if your password was 3 characters long.

    I find it hard to believe anyone was actually vulnerable to this.

    While you're correct that 20,000 attempts is too small to "brute-force" a password (by trying all combinations of characters), it's plenty to do a dictionary attack. If you can try 20,000 popular passwords on a whole bunch of accounts, you'll almost certainly be able to break some of them.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
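
The comment's distinction matters for the defence as well. The sketch below is an added example, not part of the original post and not Apple's implementation: a per-account failure counter stops 20,000 guesses against one account, but only a per-source count of distinct accounts notices popular passwords being tried across many accounts. The class name, thresholds, addresses and account names are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Counts failed logins per account and per source (thresholds are assumed values)."""

    def __init__(self, max_per_account=10, max_accounts_per_source=5, window=3600):
        self.max_per_account = max_per_account
        self.max_accounts_per_source = max_accounts_per_source
        self.window = window                        # seconds
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.source_accounts = defaultdict(dict)    # source -> {account: last failure}

    def check(self, account, source, now):
        """Decide, before the password is verified, whether to evaluate this attempt."""
        fails = self.account_failures[account]
        while fails and now - fails[0] > self.window:
            fails.popleft()                         # drop failures outside the window
        seen = self.source_accounts[source]
        for stale in [a for a, t in seen.items() if now - t > self.window]:
            del seen[stale]
        if len(seen) >= self.max_accounts_per_source:
            return "source_blocked"                 # one source failing on many accounts
        if len(fails) >= self.max_per_account:
            return "account_locked"                 # many failures on one account
        return "ok"

    def record_failure(self, account, source, now):
        self.account_failures[account].append(now)
        self.source_accounts[source][account] = now

def replay(events, throttle):
    """events: (time, source, account, password_ok) tuples; returns one verdict each."""
    verdicts = []
    for now, source, account, password_ok in events:
        verdict = throttle.check(account, source, now)
        if verdict == "ok" and not password_ok:
            throttle.record_failure(account, source, now)
        verdicts.append(verdict)
    return verdicts

# Constructed sample 1: 20,000 wrong guesses against one account inside one window.
SINGLE = [(i // 10, "198.51.100.7", "alice", False) for i in range(20000)]
# Constructed sample 2: one wrong guess each against 100 different accounts.
SPRAY = [(i, "203.0.113.9", f"user{i}", False) for i in range(100)]

if __name__ == "__main__":
    for name, events in (("single account", SINGLE), ("spray", SPRAY)):
        verdicts = replay(events, LoginThrottle())
        print(name, {v: verdicts.count(v) for v in sorted(set(verdicts))})
```

With the per-source limit effectively disabled, all 100 attempts in the second sample are evaluated, because no single account ever accumulates more than one failure.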