Over Labor Day weekend, social media sites erupted with the news of hundreds of leaked celebrity photos. Several female celebrities were targeted in an apparent data breach, in which nude photos were stolen and made public. As the public panicked, wondering if their own data had been compromised as well, Apple released a statement clarifying the problem:
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
The bad news is that, yes, hackers were able to access and steal personal data by unlocking their victims’ personal accounts. They accomplished this by repeatedly guessing passwords or security questions, rather than hacking into the network or cloud storage system as a whole.
The good news is that there was no sweeping data breach that gave hackers access to Apple’s cloud storage system. Technically, this situation qualifies as personal data theft, but not an actual data breach.
So what is the takeaway lesson from this event? It underscores the importance of choosing security questions whose answers are difficult to guess and, where possible, setting a limit on how many times answers can be attempted before the account is locked. Likewise, we should all remember to choose passwords that are difficult to guess. Instead of simple words, or words followed by numbers, use random symbols and a combination of capital and lowercase letters.
The bottom line: This latest data theft event wasn’t the result of a security problem within a network or cloud storage system. It was the result of inadequate personal security measures, and is a good lesson on the importance of following data security protocol.