The Verge’s Jacob Kastrenakes quoting a statement from Apple:
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
None that they’ve investigated.
“Oh, Jennifer Lawrence. Oh. Lawrence. I heard ‘Shmawrence’. Oh. Ohhh.”
Darrell Etherington’s parsing of the statement is probably spot on. Accounts were compromised, but the system was not hacked. But if your system allows for unlimited password guesses, it’s kind of an academic distinction.
UPDATE: Rich Mogull says the iBrute force attack — the Python script on GitHub mentioned in the link — was not used in the celebrity photo theft. The brute force method may still have been used.