Well, the short answer is: yes, it could.
However, there are some simple things you can do to drastically minimize the possibility that it will happen to you.
Can the iCloud Leak happen with OneDrive: What Happened?
Apple is blaming the victims of the leak, claiming they used weak passwords that allowed the attacker(s) to easily guess their passwords and saying the Apple systems were perfectly secure.
However, Apple quietly patched the Find My Phone API shortly after the hack occurred. With that in mind, I’d say there’s a possibility that the attacker used a brute force attack called “iBrute” as other tech sites have suspected and the weak password accusation is a bit of a damage control measure by the Apple PR department to deflect some blame.
I’m sure there were a fair number of weak passwords, as Apple indicated, but that may have just made it easier for the attacker to crack the passwords. If the vulnerability wasn’t present, the leak may not have been as severe, it might have been detected while it was still in progress, or it might not have happened at all.
Another possibility is that someone used a spear-phishing attack or something similar to trick the celebrities into giving up their passwords.
Frankly, the general public will probably never know for sure.
In case you don’t know, a brute force attack is a trial-and-error method used to obtain information such as a user password. In a brute force attack, software is used to automatically try every password combination until one works.
A phishing attack is when you get an email that appears to come from a business (in this case, probably Apple) saying you need to update your account information, passwords, etc. Some of them can be quite convincing. A spear-phishing attack is when the attackers target a specific organization or group of people.
Can the iCloud Leak happen with OneDrive: Prevention
OK, now that you know what might (probably) have happened let’s talk about how to keep it from happening to you with OneDrive.
The old saying “an ounce of prevention is worth a pound of cure” is really true in this instance. To get your ounce of prevention, just do the following:
Use strong passwords: Use a strong password for your Microsoft account. This is simple and surprisingly effective, because trying every possible combination to find a strong password can take thousands or even millions of years.
This is because of something called password entropy. If you don’t want the wordy explanation, below is a short animation from Intel via passwordday.org that shows how long it would take to crack a password based on its length.
As you can see, simply having a slightly longer password can really lengthen the time it would take to crack it. As always, you should use a combination of letters, numbers, and special characters for maximum security.
If you want a few more tips about password security, hop over to the passwordday.org website that Intel sponsored. They have some good info in a pretty easy to digest (mostly picture) format.
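To put numbers on the length-versus-cracking-time point above, here is an added example (not from Intel or passwordday.org) that estimates password entropy and the worst-case time to try every combination. The guess rate of 10 billion per second, the small common-password list, and all function names are assumptions made for this illustration.

```python
import math
import string

GUESSES_PER_SECOND = 1e10          # assumed attacker speed, not from the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Tiny constructed sample of widely used passwords; real lists are far longer.
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password):
    """Size of the character pool a search must cover for this password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def entropy_bits(password):
    """Upper-bound entropy: length * log2(pool). Zero for known passwords,
    because a guessing tool tries those first regardless of their length."""
    pool = charset_size(password)
    if password.lower() in COMMON or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every combination of this length and pool."""
    return 2 ** entropy_bits(password) / rate / SECONDS_PER_YEAR


def report(passwords):
    """One row per password: (password, pool size, bits, years)."""
    return [(pw, charset_size(pw), round(entropy_bits(pw), 1),
             years_to_exhaust(pw)) for pw in passwords]


if __name__ == "__main__":
    # Constructed sample passwords of increasing length and variety.
    samples = ["password", "abcdefgh", "abcdefghijkl",
               "Tr0ub4dor&3x", "c0rrect-H0rse-Batt3ry!"]
    for pw, pool, bits, years in report(samples):
        print(f"{pw!r:26} pool={pool:3} bits={bits:6} years={years:.3g}")
```

The figures are upper bounds: they assume every character was chosen at random, so a password built from predictable words or patterns falls much faster than its length suggests.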
Don’t use the same passwords: Another thing you can do is use different passwords for different things online. I know a lot of people have a hard time remembering passwords so they pick one or two and use them for everything.
However, if you do that and one of the sites where you use a particular password gets hacked, your account may be at risk on every other site where you use that same password.
It’s not uncommon for an attacker to try stolen usernames and passwords on popular sites like Chase or Facebook, just to see if they can get in.
If keeping track of all those passwords sounds like a chore, check out our review of Passpack. Passpack is an online password manager that you might find helpful.
Before you ask: yes, it’s secure.
Two-factor authentication: Two-factor authentication is a system where you need 2 pieces of information or items (known as factors) to prove you are who you say you are.
The two-factor system you’re almost certainly familiar with is the debit card/PIN number at an ATM where you need to have the card AND the PIN to draw money from the ATM.
The good news is that you can set up your Windows, Android or Apple smartphone to be that second factor by using a feature of your Microsoft account called two-step verification.
If you activate two-step verification, someone would need to have your password and the code generated by an app on your phone to log into an untrusted computer. Having only one without the other won’t work.
As you can imagine, two-factor authentication adds a lot of security to your account. The downside is that you will also need to have your phone and password every time you try to log into an untrusted computer.
If you want to trust a computer so you don’t need the code every time you log into it, just check the “I sign in frequently on this device. Don’t ask me for a code” check box.
In case you’re wondering, your Surface is already trusted if you’re using OneDrive, so you won’t need the code to access OneDrive from it.
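The following added example (not Microsoft's code) shows how a sign-in that requires both a password and an app-generated code can be checked on the server side. It assumes the authenticator app produces standard time-based codes (TOTP, RFC 6238), which the article does not specify; the account record, the `trusted_device` flag and all function names are hypothetical.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds each code stays valid (RFC 6238 default)


def totp(secret, at=None, digits=6):
    """RFC 6238 code for the 30-second window containing time `at`."""
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    """Slow salted hash so a stolen database is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def sign_in(account, password, code, at=None, trusted_device=False):
    """Return True only if the password matches AND the second factor passes."""
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return False
    if trusted_device:        # simplified "don't ask me for a code" case
        return True
    now = time.time() if at is None else at
    # Accept the previous, current and next window to tolerate clock drift.
    return any(hmac.compare_digest(totp(account["secret"], now + d * STEP),
                                   code or "")
               for d in (-1, 0, 1))


# Constructed demo account; the secret is the public RFC 6238 test key.
SALT = b"constructed-salt"
ACCOUNT = {"salt": SALT,
           "pw_hash": hash_password("correct horse battery", SALT),
           "secret": b"12345678901234567890"}
```

A stolen password alone fails the code check, and a code alone fails the password check; a real service would tie the trusted-device exemption to a token stored on that device rather than a flag supplied by the caller.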
In closing, just realize that nothing is 100% guaranteed; you could do the steps above and still get your OneDrive hacked. However, the odds of it happening are about 1 in 100 trillion (100,000,000,000,000) and it would take a very long time, so for all practical purposes, follow the steps above and your OneDrive will be just fine.
Tim