icloud

A plethora of reports are swirling around the internet that countless private celebrity photos have leaked (no, we’re not going to link you), and rumors, as of right now baseless, claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. Among the celebrities reportedly involved are Jennifer Lawrence, Kate Upton, Avril Lavigne, Mary Elizabeth Winstead, Mary-Kate Olsen, Hilary Duff, and many others.

News of the leaked images first started spreading on a 4chan /b/ thread earlier today, where many users have made claims that the leaks are due to at least one person maliciously exploiting iCloud and various celebrities’ cell phones. Reports on 4chan also claim that the hacker has acquired videos as well and intends to sell them to TMZ for as much as six figures. Of course, most of this information is from an anonymous 4chan board, so take it with a heaping pile of salt.

But the fact remains that these private photos are definitely making the rounds, and many celebrities have taken to Twitter to seemingly confirm that at least some of them are indeed real. Most notably, Mary Winstead says she can only imagine the “creepy effort” that went into the leaks.

Photo Stream automatically syncs photos to iCloud as they’re taken, but it’s not yet known how the hacker—if they did indeed manage to hack iCloud—got ahold of so many different celebrities’ photos across so many accounts. Mary Winstead mentions that the leaked photos of hers were deleted “long ago,” which raises even more questions including whether or not a deleted iCloud photo is ever truly deleted. But that, of course, assumes that iCloud is the problem here.

As many have noted in trying to prove that iCloud isn’t the source of these nudes, videos don’t work with My Photo Stream. You can, however, as of iOS 7, upload them to shared streams (and therefore iCloud) and, perhaps more importantly, videos are also uploaded to iCloud when performing a full device backup. Having access to an iCloud account would mean that a hacker could effectively restore the account to a wiped phone.

Some celebrities have reported that they don’t even use an iPhone, which leads most to believe that the hacker got these files from multiple sources (which is likely anyway) or that some other cloud service could be the real culprit. Perhaps more interesting, however, is that some celebrities, namely Trisha Hershberger, have proven that their nudes are actually fake and, coincidentally, they don’t use an iPhone.

We’ve reached out to Apple for comment on the situation. In the meantime, now is a good time to remind you to turn on two-factor authentication on your iCloud account.

Update: A vulnerability in the Find My iPhone service may have allowed hackers to brute-force themselves into celebrity accounts.

It’s still speculation at this point that iCloud is involved at all, but a vulnerability found in Find My iPhone could have permitted hackers to brute-force their way into accounts by guessing a huge number of passwords that fall in line with Apple’s criteria. In order for this method of attack to work, the accounts of the celebrities in question would have to have relatively weak passwords. But as many celebrities know each other and would have other celebrities’ contacts in their address books, it’s possible that contacts data could be used to identify the account email addresses of others, effectively creating a “chain” of hacks.

The program, called “iBrute”, exploited a now-patched flaw that let it guess an unlimited number of passwords without being locked out. It hasn’t been linked directly to any attack on iCloud, but the security flaw it took advantage of came to light and was fixed on the same day as the leak of countless private celebrity photos, so the timing is definitely a little uncanny.
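The flaw described above is a password check that had no lockout. As an added example (not code from this article, from Apple, or from the researchers), here is the mitigation in miniature: one shared gate that counts failed guesses per account, so no endpoint gets its own unlimited budget. The endpoint labels, policy numbers, account and passwords are constructed assumptions.

```python
import hashlib
import hmac

MAX_FAILURES = 5        # assumed policy values, not Apple's
WINDOW_S = 15 * 60      # failures older than this are forgotten
LOCKOUT_S = 30 * 60     # how long the account stays locked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthGate:
    """One choke point for every endpoint that verifies a password."""

    def __init__(self, users):
        self._users = users        # account -> (salt, password hash)
        self._failures = {}        # account -> timestamps of recent failures
        self._locked_until = {}    # account -> unlock time

    def check(self, endpoint, account, password, now):
        """Return 'ok', 'denied' or 'locked'. `endpoint` is only a label:
        the counter is keyed by account, so every endpoint shares it."""
        account = account.strip().lower()
        if now < self._locked_until.get(account, 0):
            return "locked"        # refused before the password is examined
        salt, stored = self._users.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures.get(account, []) if now - t < WINDOW_S]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_S
        return "denied"


def demo():
    salt = b"constructed-salt"
    gate = AuthGate({"user@example.com": (salt, _hash("correct horse", salt))})
    # Constructed sequence: wrong guesses spread over two endpoint labels.
    endpoints = ["signin", "signin", "device-locator", "device-locator", "device-locator"]
    results = [gate.check(ep, "user@example.com", "guess%d" % i, now=100 + i)
               for i, ep in enumerate(endpoints)]
    # The right password is refused while the lock holds, accepted once it expires.
    results.append(gate.check("device-locator", "user@example.com", "correct horse", now=200))
    results.append(gate.check("signin", "user@example.com", "correct horse", now=104 + LOCKOUT_S))
    return results
```

Failures for unknown accounts are counted the same way, so the response does not reveal whether an account exists.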

Update 2: Apple has issued a statement to Re/code saying that they’re “actively investigating” whether or not iCloud was actually involved in leaking the private images. “We take user privacy very seriously and are actively investigating this report,” Natalie Kerris, spokesperson for Apple, said.

Update 3: As pointed out by Mashable, the iBrute program was released just three days before the leak of the first celebrity photo, which may not have been enough time for this specific vulnerability to have been exploited to the extent needed to leak hundreds of celebrities’ nude photos. On August 30th, Andrey Belenko and Alexey Troshichev, security researchers with viaForensics and HackApp, respectively, gave an in-depth report (link to presentation slides) at Defcon Russia on the state of iCloud security, and iBrute was their proof of concept.

In the presentation, viaForensics actually outlines how Find My iPhone isn’t the only security flaw here. Supposedly, hackers may have been able to guess a user’s iCloud Security Code offline, which would therefore not trigger a lockout mechanism similar to the one that was missing from Find My iPhone.

In terms of how this applies to the issue at hand, the iBrute Find My iPhone flaw being patched this morning may have simply been a result of this security talk and had nothing to do with the leaked images.

Update 4: Actress Kirsten Dunst appears to credit iCloud for her photos being leaked.

Update 5: The United States FBI is investigating the alleged iCloud hack, according to an FBI spokesperson (via The Telegraph):

[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.

Update 6: Apple has denied that iCloud was actually breached, and says that this was actually a “very targeted attack” on certain celebrities.

53 Responses to “Countless celebrity nude photo leaks being blamed on supposed iCloud hack (Updated)”

  1. But videos are not uploaded to iCloud, so how did the hacker get those?
    He either hacked the devices themselves (so no iCloud involved?) or he exploited multiple services (so iCloud may or may not be involved)

    Liked by 1 person

    • Tim Jr. says:

      and the iCloud’s Photo Stream syncs to the laptop, so there is no reason to think they got hacked on the laptop side of things. That’s usually the weakest link..

      Like

    • too456 says:

      iCloud most definitely stores videos.
      http://support.apple.com/kb/ht4847: “When you back up your iOS device to iCloud, the most important data on your device is backed up automatically, including your Camera Roll photos, videos, and apps.”
      http://support.apple.com/kb/PH12519: “Here’s what iCloud backs up: Photos and videos in your Camera Roll”

      Liked by 1 person

      • That is if you opt for iCloud Backup. Photo Stream only stores photos.

        http://support.apple.com/kb/HT4486

        Which photo formats does My Photo Stream support?
        My Photo Stream supports JPEG, TIFF, PNG, and most RAW photo formats. My Photo Stream doesn’t work with video.

        Maybe some of the photos are from iCloud however some are taken with Samsung and Blackberry phones. Can those be linked to iCloud?

        At the end of the day, if you are a famous person and have simple passwords or security questions like “whats my dog name?” which anyone can easily google it. You are prone to get hacked. Be smart and vigilant. Security begins with yourself and I guess we can all agree we tend to take it for granted at times.

        Like

  2. Marklewood at Serenity Lodge says:

    Hey, ya know what? There’s a simple solution. If you don’t want nude pictures of yourself on the Internet or elsewhere, then don’t take them. Simple. Easy as that.

    Like

  3. Tony Mallory says:

    Such fortuitous timing, with the new iPhone release being a week away….. Hmmm….

    Liked by 2 people

  4. standardpull says:

    Or it’s a Dropbox hack. Or Picasa. Or who knows what. But anyone storing sensitive files in a cloud Drive service is a total fool.

    Liked by 4 people

  5. xbepax4224 says:

    Who cares man, you got one life! Live it to the fullest. If they did that so what?
    The only important thing is we need to find out a flaw in icloud and solve the problem, let cops deal with that guy.

    Like

  6. Dillon Baio says:

    If you have someone’s Apple ID and password, and they use iCloud backup, you can literally make your device a clone of theirs, data-wise. You can download their phone onto yours. So if it exists anywhere on their phone, you can have it on yours. You don’t have to use photostream or get their email or hack some database or anything. Just restore from their iCloud backup.

    Liked by 1 person

  7. Voilà! Apple ID + password + old backup files in the cloud = old deleted photos / files / iMessages / emails / notes, etc..restored to another device.

    All that’s needed is, hack the Apple ID by brute force. Then it’s like going to an adult candy store.

    Like

  8. Steve Cess says:

    Why… even take nude pictures and make homemade porn of yourself…..???? Who is at fault here….. Get a life people, do something constructive with your free time.

    Like

  9. is it even confirmed that it was from an iCloud bug? or is the media using the “Apple” name to get clicks again?

    btw. who is mary winstead?

    Like

  10. Couple of months ago, I restored my iPhone 5 and there was about 10 pictures of random people at “My Photo Stream”.

    Like

  11. I was doing some research into this subject and I saw a bunch of the celebs with androids taking their “selfies”…. you know research for science….

    Liked by 5 people

    • Avenged110 says:

      I can second this.

      Like

    • I did research too and saw:
      Jennifer Lawrence
      Kaley Cuoco
      Kate Upton
      Brie Larson
      Becca Tobin
      Kristen Ritter
      Aubrey Plaza

      using iphones :) Want me to link pictures as a proof? Can’t be bothered to check the others…

      Don’t post bullshit for your “research for science” apple fanboy…

      Like

      • Master troll comment right here. Keep looking. I never said no one used an iPhone genius, I just said there’s quite a few with Androids too. So unless they took the photos with their androids then transferred them somehow to iCloud when they got a new device or something, then I don’t see the issue being at least exclusively iCloud. Also Videos were leaked. iCloud doesn’t store videos, so keep trolling fandroid user, you just look dumb.

        Like

  12. That’s odd, Android doesn’t use iCloud.
    And don’t celebrities earn enough money to buy iPhones, instead of Android phones?

    Sounds like a Samsung skint, just days ahead of iPhone 6 launch.

    Liked by 2 people

    • There was absolutely no reason whatsoever to mention Android & Samsung but you chose to simply because you firmly believe that it is impossible that Apple are somehow infallible. History shows they aren’t.

      I’m an iPhone 5S owner but I’m not deluded, so do you realise how stupid your “don’t celebrities earn enough money to buy iPhones” comment is, when you consider that there are several Android phones which are more expensive than the iPhone?

      Like

      • I’m not deluded although I am a fan of Apple. I really enjoy their products, having changed over after +25 years of PC’s.
        Yes, I made the comments about Samsung, what of it?
        And yes, you’re right, Apple does make mistakes, no one’s perfect. But to make such a mistake as an iCloud flaw? That’s near impossible. It’s not iCloud that failed, but people that hacked/accessed it.
        Anyway, iCloud isn’t the source of the leak here. So I don’t understand this article is even relevant.

        Like

      • Andre – I’m the same. 20 years of Windows, took the plunge to Apple earlier in the year and could never go back :) But to say that if someone hacks into it it’s the fault of the hacker and not the service which has been hacked is crazy man!

        Like

      • Aunty Troll, great, just like me, ex-Windows user :) Same here, never going back, although I can only play MS Flight Simulator on Windows.
        Anyway, as another user wrote:
        “If one were to theoretically download the leaked Kate Upton ZIP archive, one would find a “Getting Started.pdf” Dropbox Quick Start file in there”

        So it’s not an iCloud fail.

        You know, not even Fort Knox is secure, because someone has a key. Same with all services, someone has a key. But it’s not the system that failed.
        That’s like saying that the plane that was shot down over Ukraine, is the plane’s fault, because the engines&hull couldn’t withstand a surface-to-air missile.

        Like

    • standardpull says:

      No one knows how these things were compromised. Maybe it’s Google Picasa or maybe these people lost their weak credentials via a hack against Twitter or maybe something else. All speculation is fair game.

      Liked by 1 person

  13. G says:

    If one were to theoretically download the leaked Kate Upton ZIP archive, one would find a “Getting Started.pdf” Dropbox Quick Start file in there, along with the photos and videos. Just saying. In theory.

    Liked by 1 person

  14. mrniels says:

    Why take these kind of photos in the first place? You know this can happen!

    Like

  15. tomtubbs says:

    “Leak” and “hack” may be the wrong words. You can download an iCloud backup that isn’t encrypted if you have the user’s email and password for iCloud => photos, but also messages and more.

    Be it a downloadable iCloud backup, or restoring to a new iPhone – this is a feature not a bug.
    Making 2 Factor Authentication mandatory might be useful, that and encrypting any iCloud backup.
    Moving away from 1 password to rule them all might be a good idea. (Fingerprint acceptable?)

    Like

  16. myforwik says:

    As has been pointed out already… some of these leaks have dropbox files associated with them, including several having drop box guide pdf’s. So someone is either setting up dropbox, or the source was probably dropbox. I don’t use dropbox on iphone but I wonder if it syncs across devices so that if your apple id is taken , your dropbox login is taken as well?

    Like

  17. cdmoore74 says:

    The power of the internet. There are no take backs here. Most people learn this the hard way.

    Like

    • Mary Winstead, such a whiner! Just accept it for what it is and get over yourself.
      Didn’t even know who the hell you were until your stupid tweet was on this page.

      As for the rest of the leaks, do people really care?
      And for the feminazis claiming that people that see the photos are “raping the women over and over”, just stfu and get a job or something!
      If I were a celeb, I’d be more offended by women’s rights movements claiming crap than the pictures themselves.

      And to think that iCloud is being blamed, that is just ridiculous!

      Like

  18. raptormissle says:

    Looks like iOS was the real Toxic Hellstew all along.

    Like

  19. Oh ok, I’ll just take a naked pic of myself and upload it to iCloud because it sounds fluffy and friendly -_-

    Like

  20. Gino Pirollo says:

    If you feel the need to take these pics/videos….that’s the risk!
    Don’t blame the services…..hackers are breaking into the Pentagon …banks…you name it.

    Like

  21. Max Peterson says:

    Or better yet, create a stronger password! I made mine with passwordturtle.com . They are a password generator that makes you passwords from common English phrases so they’re easy to remember and secure. I highly recommend them.

    Like

  22. Brian Shmo says:

    I don’t know why this is such a big deal. Enough for the FBI to get involved. If you take these pictures, knowing the internet, you can’t assume but to get it hacked by someone nowadays. girls on aampmaps are more than willing and some of them are hotter than J law.

    Like