by Jin S. Kim
Andy Greenberg, Wired:
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.
Apple released an update for Find My iPhone fixing the flaw iBrute exploits, but not all iPhones, iPods, and iPads have been patched, which leaves the unpatched devices vulnerable. And where’s the patch to thwart tools like EPPB?
For now, my recommendation is to stop using iCloud to back up your iPhone, iPod, or iPad and start backing up to your computer. Use a strong password for your computer and enable backup encryption as a precaution. Once you have backed up to your computer, delete your iCloud backup.
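To confirm that the local backups recommended above really are encrypted, the following added example (not part of the original post) reads the `IsEncrypted` flag that iTunes writes to each backup's `Manifest.plist`. The default folder locations and the function names `backup_status` and `audit_backups` are assumptions made for this sketch.

```python
import os
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Commonly used iTunes backup folders (assumed; pass your own path if it differs).
DEFAULT_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",  # macOS
    Path(os.environ.get("APPDATA", "")) / "Apple Computer/MobileSync/Backup",  # Windows
]

def backup_status(backup_dir):
    """Classify one backup folder as 'encrypted', 'unencrypted' or 'unknown'."""
    try:
        with open(Path(backup_dir) / "Manifest.plist", "rb") as fh:
            manifest = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return "unknown"  # manifest missing, unreadable or malformed
    if not isinstance(manifest, dict):
        return "unknown"
    flag = manifest.get("IsEncrypted")
    if not isinstance(flag, bool):
        return "unknown"  # never report a backup as safe on a missing flag
    return "encrypted" if flag else "unencrypted"

def audit_backups(root):
    """Map each backup folder name under root to its status."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {d.name: backup_status(d) for d in sorted(root.iterdir()) if d.is_dir()}

if __name__ == "__main__":
    roots = [Path(arg) for arg in sys.argv[1:]] or DEFAULT_ROOTS
    not_encrypted = 0
    for root in roots:
        for name, status in audit_backups(root).items():
            print(f"{status:12} {root / name}")
            not_encrypted += status != "encrypted"
    # Non-zero exit if any backup is unencrypted or could not be checked.
    sys.exit(1 if not_encrypted else 0)
```

Run it with no arguments to scan the default folders, or pass a backup folder path explicitly.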