Skip to main content

Countless celebrity nude photo leaks being blamed on supposed iCloud hack (Updated)

A plethora of reports are swirling around the internet that countless private celebrity photos have leaked (no, we’re not going to link you), and—what are as of right now baseless—rumors claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. Of the celebrities reportedly involved are Jennifer Lawrence, Kate Upton, Avril Livigne, Mary Elizabeth Winstead, Mary Kate Olsen, Hillary Duff, and many others.

News of the leaked images first started spreading on a 4chan /b/ thread earlier today, where many users have made claims that the leaks are due to at least one person maliciously exploiting iCloud and various celebrities’ cell phones. Reports on 4chan also claim that the hacker has acquired videos as well and intends to sell them to TMZ for as much as six figures. Of course, most of this information is from an anonymous 4chan board, so take it with a heaping pile of salt.

But the fact remains that these private photos are definitely making the rounds, and many celebrities have taken to Twitter to seemingly confirm that at least some of them are indeed real. Most notably, Mary Winstead says she can only imagine the “creepy effort” that went into the leaks.

Photo Stream automatically syncs photos to iCloud as they’re taken, but it’s not yet known how the hacker—if they did indeed manage to hack iCloud—got ahold of so many different celebrities’ photos across so many accounts. Mary Winstead mentions that the leaked photos of hers were deleted “long ago,” which raises even more questions including whether or not a deleted iCloud photo is ever truly deleted. But that, of course, assumes that iCloud is the problem here.

As many have noted intending to prove that iCloud isn’t the source of these nudes, videos don’t work with My Photo Stream. You can, as of iOS 7, upload them to shared streams (and therefore iCloud) and, perhaps more importantly, iCloud will also upload them to the cloud when performing a full device backup. Having access to an iCloud account would mean that a hacker could effectively restore the account to a wiped phone.

Some celebrities have reported that they don’t even use an iPhone, which leads most to believe that the hacker got these files from multiple sources (which is probably likely anyway) or that some other cloud service could be the real culprit. Perhaps more interesting, however, is that some celebrities, namely Trisha Hershberger, have proven that their nudes are actually fake and, coincidentally, they don’t use an iPhone.

We’ve reached out to Apple for comment on the situation. In the meantime, now is a good time to remind you to turn on two-factor authentication on your iCloud account.

Update: A vulnerability in the Find My Phone service may have allowed hackers to brute-force themselves into celebrity accounts.

It’s still speculation at this point that iCloud is involved at all, but a vulnerability found in Find My iPhone could have permitted hackers to brute-force their way into accounts by guessing a huge number of passwords that fall in line with Apple’s criteria. In order for this method of attack to work, the accounts of the celebrities in question would have to have relatively weak passwords. But as many celebrities know each other and would have other celebrities’ contacts in their address books, it’s possible that contacts data could be used to identify the account email addresses of others, effectively creating a “chain” of hacks.

The program, being called “iBrute” and exploiting a flaw now patched that let the program guess an unlimited number of passwords without being locked out, hasn’t been linked directly to any attack on iCloud. But said security flaw that it took advantage of came to light and was fixed on the same day of the leak of countless private celebrity photos, so the timing is definitely a little uncanny.

Update 2: Apple has issued a statement to Re/code saying that they’re “actively investigating” whether or not iCloud was actually involved in leaking the private images. “We take user privacy very seriously and are actively investigating this report,” Natalie Kerris, spokesperson for Apple, said.

Update 3: As pointed out by Mashable, the iBrute program was released just three days before the leak of the first celebrity photo, which may not have been enough time for this specific vulnerability to have been exploited to the extent needed to leak hundreds of celebrities’ nude photos. On August 30th, Andrey Belenko and Alexey Troshichev, security researchers with viaForensics and HackApp, respectively, gave an in-depth report (link to presentation slides) at Defcon Russia on the state of iCloud security, and iBrute was their proof of concept.

In the presentation, viaForensics actually outlines how Find My iPhone isn’t the only security flaw here. Supposedly, hackers may have been able to guess a user’s iCloud Security Code offline, which therefore not triggering a lock out mechanism similar to one that was missing from Find My iPhone.

In terms of how this applies to the issue at hand, the iBrute Find My iPhone flaw being patched this morning may have simply been a result of this security talk and had nothing to do with the leaked images.

Update 4: Actress Kirsten Dunst appears to credit iCloud for her photos being leaked.

Update 5: The United States FBI is investigating the alleged iCloud hack, according to an FBI spokesperson (via The Telegraph):

[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.

Update 6: Apple has denied that iCloud was actually breached, and says that this was actually a “very targeted attack” on certain celebrities.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. jackerpot (@jackerpot) - 10 years ago

    But videos are not uploaded to iCloud, so how did the hacker get those?
    He either hacked the devices themselves (so no iCloud involved?) or he exploided multiple services (so iCloud may or may not be involved)

    • Tim Jr. - 10 years ago

      and the iCloud’s Photo Stream sync’s to the laptop, so there is no reason to think they got hacked on the laptop side of things. Thats usually the weakest link..

      • Tim Jr. - 10 years ago

        no reason to not think …

    • too456 - 10 years ago

      iCloud most definitely stores videos.
      http://support.apple.com/kb/ht4847: “When you back up your iOS device to iCloud, the most important data on your device is backed up automatically, including your Camera Roll photos, videos, and apps.”
      http://support.apple.com/kb/PH12519: “Here’s what iCloud backs up: Photos and videos in your Camera Roll”

      • Rodney Lim (@limrodney) - 9 years ago

        That is if you opt for iCloud Backup. Photo Stream only store photos.

        http://support.apple.com/kb/HT4486

        Which photo formats does My Photo Stream support?
        My Photo Stream supports JPEG, TIFF, PNG, and most RAW photo formats. My Photo Stream doesn’t work with video.

        Maybe some of the photos are from iCloud however some are taken with Samsung and Blackberry phones. Can those be linked to iCloud?

        At the end of the day, if you are a famous person and have simple passwords or security questions like “whats my dog name?” which anyone can easily google it. You are prone to get hacked. Be smart and vigilant. Security begins with yourself and I guess we can all agree we tend to take it for granted at times.

  2. Marklewood at Serenity Lodge - 10 years ago

    Hey, ya know what? There’s a simple solution. If you don’t want nude pictures of yourself on the Interner or elsewhere, then don’t take them. Simple. Easy as that.

    • You’ve got finger-pointing all wrong.

      • lkernan - 10 years ago

        That’s not his finger…

      • Michael Bing - 10 years ago

        Actually he does not. I don’t know why people feel the need to photobomb themselves and their tits on a daily basis. Like Marklewood said, if you don’t want your tits or sex acts to be seen, don’t put it in the sky…. it is really simple as that.

        If you really feel the need to be seen, join a porn movie.

    • Alex (@Metascover) - 10 years ago

      People should be free to take nude pictures with their phones without them being sent to everyone on the web.

      • jrox16 - 10 years ago

        That’s a fairly meaningless statement. That’s like saying “people should be able to walk around at night without ever there being the chance they’d get mugged.”

        No system is or will ever be 100% secure, period. Whether this was a weakness from something Apple missed, or users not being smart enough with their passwords, it doesn’t matter because ultimately, anything and everything can eventually be hacked. So the only winning move is, not to play. DO NOT take naked pictures of yourself or your mate with your networked device (or at all), period.

      • Jenny Gee - 10 years ago

        Like Jrox said. You can take all the naked pictures you want. Smart people do it all the time. If you don’t want it on the internet, then don’t save it to the internet in the first place! The Icloud and similar services store your information on countless servers who knows where.

    • I wonder if you would say the same thing about credit card numbers?

    • RockinMetal FanGirl - 10 years ago

      No, its better to just keep them on the device.

  3. Tony Mallory - 10 years ago

    Such fortuitous timing, with the new iPhone release being a week away….. Hmmm….

  4. standardpull - 10 years ago

    Or it’s a Dropbox hack. Or Picasa. Or who knows what. But anyone storing sensitive files in a cloud Drive service is a total fool.

  5. xbepax4224 - 10 years ago

    Who cares man, you got one life! Live it to the fullest. If they did that so what?
    The only important thing is we need to find out a flaw in icloud and solve the problem, let cops deal with that guy.

  6. Dillon Baio - 10 years ago

    If you have someone’s Apple ID and password, and they use iCloud backup, you can literally make your device a clone of theirs, data-wise. You can download their phone onto yours. So if it exists anywhere on their phone, you can have it on yours. You don’t have to use photostream or get their email or hack some database or anything. Just restore from their iCloud backup.

    • alexshkolnikov - 10 years ago

      Yes, you can. But the real person will be notified about that straght away with email/notification.

  7. Alex C (@exeehc) - 10 years ago

    Viola! Apple ID + password + old backup files in the cloud = old deleted photos / files / iMessages / emails / notes, etc..restored to another device.

    All that’s needed is, hack the Apple ID by brute force. Then its like going to an adult candy store.

    • dcj001 - 10 years ago

      Violin! Cello! Some people back up their devices to iCloud; some do not.

      Piccolo! Saxophone! Trombone!

    • Dan (@danmdan) - 10 years ago

      “Celebrities” are also not always knowledgeable about computer security and the necessity of having a difficult to guess password, and not just “password” or a family name.

  8. Steve Cess - 10 years ago

    Why… even take nude pictures and make homemade porn of yourself…..???? Who is at fault here….. Get a life people, do something constructive with your free time.

  9. zBrain (@joeregular) - 10 years ago

    is it even confirmed that it was from an iCloud bug? or is the media using the “Apple” name to get clicks again?

    btw. who is mary winstead?

  10. Guilherme Eberspächer - 10 years ago

    Couple of months ago, I restored my iPhone 5 and there was about 10 pictures of random people at “My Photo Stream”.

  11. Cody Woodward - 10 years ago

    I was doing sone research into this subject and I saw a bunch of the celebs with androids taking their “selfies”…. you know research for science….

    • Avenged110 - 10 years ago

      I can second this.

    • Natasha Neveu - 10 years ago

      I did research too and saw:
      Jennifer Lawrence
      Kaley Cuoco
      Kate Upton
      Brie Larson
      Becca Tobin
      Kristen Ritter
      Aubrey Plaza

      using iphones :) Want me to link pictures as a proof? Can’t be bothered to check the others…

      Don’t post bullshit for your “research for science” apple fanboy…

      • Cody Woodward - 10 years ago

        Master troll comment right here. Keep looking. I never said no one used an iPhone genius, I just said there’s quite a few with Androids too. So unless they took the photos with their androids then transferred them somehow to iCloud when they got a new device or something, then I don’t see the issue being at least exclusively iCloud. Also Videos were leaked. iCloud doesn’t store videos, so keep trolling fandroid user, you just look dumb.

  12. André Hedegaard Petersen - 10 years ago

    Thats odd, Android dosen’t use iCloud.
    And don’t celebrities earn enough money to buy iPhones, instead of Android phones?

    Sounds like a Samsung skint, just days ahead of iPhone 6 launch.

    • Aunty Troll (@AuntyTroll) - 10 years ago

      There was absolutely no reason what so ever to mention Android & Samsung but you chose to simply because you firmly believe that it is impossible that Apple are somehow infallible. History shows they aren’t.

      I’m an iPhone 5S owner but I’m not deluded, so do you realise how stupid your “don’t celebrities earn enough money to buy iPhones” comment is, when you consider that there are several Android phones which are more expensive than the iPhone?

      • André Hedegaard Petersen - 10 years ago

        I’m not deluded although I am a fan of Apple. I really enjoy their products, having changed over after +25 years of PC’s.
        Yes, I made the comments about Samsung, what of it?
        And yes, you’re right, Apple does make mistakes, no-ones perfect. But to make such a mistake as an iCloud flaw? Thats near impossible. Its not iCloud that failed, but people that hacked/accessed it.
        Anyway, iCloud isn’t the source of the leak here. So I don’t understand this article is even relevant.

      • Aunty Troll (@AuntyTroll) - 10 years ago

        Andre – I’m the same. 20 years of Windows, took the plunge to Apple earlier in the year and could never go back :) But to say that if someone hacks into it it’s the fault of the hacker and not the service which has been hacked is crazy man!

      • André Hedegaard Petersen - 10 years ago

        Aunty Troll, great, just like me, ex-Windows user :) Same here, never going back, although I can only play MS Flight Simulator on Windows.
        Anyway, as another user wrote:
        “If one were to theoretically download the leaked Kate Upton ZIP archive, one would find a “Getting Started.pdf” Dropbox Quick Start file in there”

        So its not an iCloud fail.

        You know, not even Fort Knox is secure, because someone has a key. Same with all services, someone has a key. But its not the system that failed.
        Thats like saying that the plane that was shot down over Ukraine, is the planes fault, because the engines&hull couldn’t withstand a surface-to-air missile.

    • standardpull - 10 years ago

      No one knows how these things were compromised. Maybe it’s Google Picasa or maybe these people lost their weak credentials via a hack against Twitter or maybe something else. All speculation is fair game.

  13. G - 10 years ago

    If one were to theoretically download the leaked Kate Upton ZIP archive, one would find a “Getting Started.pdf” Dropbox Quick Start file in there, along with the photos and videos. Just saying. In theory.

    • André Hedegaard Petersen - 10 years ago

      Link or it didn’t happen :)

      • G - 10 years ago

        I had posted a link to the Reddit discussion where subsequent links could be found, but apparently that crossed the line and the entire post was quietly deleted. So you’ll need to go looking.

      • André Hedegaard Petersen - 10 years ago

        Oh thats ok, I found it myself. Was basically curious, nothing in the pictures an adult hasn’t seen before.

  14. mrniels - 10 years ago

    Why take these kind of photo’s in the first place? You know this can happen!

  15. tomtubbs - 10 years ago

    “Leak” and “hack” may be the wrong words. You can download an iCloud backup that isn’t encrypted if you have the user’s email and password for iCloud => photos, but also messages and more.

    Be it a downloadable iCloud backup, or restoring to a new iPhone – this is a feature not a bug.
    Making 2 Factor Authentication mandatory might be useful, that and encrypting any iCloud backup.
    Moving away from 1 password to rule them all might be a good idea. (Fingerprint acceptable?)

  16. myforwik - 10 years ago

    As has been pointed out already… some of these leaks have dropbox files associated with them, including several having drop box guide pdf’s. So someone is either setting up dropbox, or the source was probably dropbox. I don’t use dropbox on iphone but I wonder if it syncs across devices so that if your apple id is taken , your dropbox login is taken as well?

  17. cdmoore74 - 10 years ago

    The power of the internet. There are no take backs here. Most people learn this the hard way.

    • André Hedegaard Petersen - 10 years ago

      Mary Winstead, such a whiner! Just accept it for what it is and get over yourself.
      Didn’t even know who the hell you were until your stupid tweet was on this page.

      As for the rest of the leaks, do people really care?
      And for the feminazis claiming that people that see the photos are “raping the women over and over”, just stfu and get a job or something!
      If I were a celeb, I’d be more offended by womens rights movements claiming crap than the pictures themselves.

      And to think that iCloud is being blamed, that is just ridiculous!

  18. raptormissle - 10 years ago

    Looks like iOS was the real Toxic Hellstew all along.

  19. Arash (@14webdev) - 10 years ago

    Oh ok, i’ll just take a naked pic of my self and uploaded to icloud because it sounds fluffy and friendly -_-

  20. Gino Pirollo - 10 years ago

    If you feel the need to take these pics/videos….thats the risk!
    Don’t blame the services…..hackers are breaking into the Pentagon …banks…you name it.

  21. Max Peterson - 10 years ago

    Or better yet, create a stronger password! I made mine with passwordturtle.com . They are a password generator that makes you passwords from common english phrases so theyre easy to remember and secure. I highly recommend them.

  22. Brian Shmo - 10 years ago

    I don’t know why this is suck a big deal. Enough for the for FBI to get involved. If you take these pictures, knowing the internet, you can’t assume but to get it hacked by someone now days. girls on aampmaps are more than willing and some of them are hotter than J law.

Author

Avatar for Stephen Hall Stephen Hall

Stephen is Growth Director at 9to5. If you want to get in touch, follow me on Twitter. Or, email at stephen (at) 9to5mac (dot) com, or an encrypted email at hallstephenj (at) protonmail (dot) com.