But don’t worry, they were hacked by good guys working under Apple’s bug bounty program. Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samual Erb, and Tanner Barnes found a total of 55 vulnerabilities.
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.
When I first saw the news I was aghast to learn that Apple only paid them US$55,000, but the blog post was updated to add that the team so far has gotten 32 payments totaling US$288,500. Still doesn’t seem enough to me. Apple needs to work on its internal security.