Over 40 celebrities have iCloud accounts compromised and nude photos stolen
This might well wind up being the highest profile security breach we've ever seen in terms of national media coverage. The story is still developing but I'm interest to hear HN's thoughts on it as it does. How is Apple going to respond? Will this hurt their image and how?
Here's a few links to get you caught up: http://www.bgr.in/news/jennifer-lawrence-nude-photos-leaked-after-alleged-apple-icloud-hack/
http://www.theregister.co.uk/2014/08/31/jlaw_upton_caught_in_celeb_nude_pics_hack/
18 comments
[ 3.3 ms ] story [ 54.8 ms ] thread- A couple of photos seem to be taken with Android phones/web cams. I know this doesn't mean much, but makes it less likely to be a Photostream breach, as for that to happen, we'd likely only see photos taken with iPhone or iPad. This makes it much more likely to be from someone's personal backup. Could be iCloud, but not likely to be a Photostream exploit.
- Some videos in leak, and as far as I know, though I could be wrong, Photostream doesn't back up videos, only photos. So again likely a backup.
- Specifically with what look to be webcam examples, I don't want to downplay these celebrities tech knowledge, but to send webcam photos, I would guess email or something was used, not iMessage, etc. Again, likely to probably be from a backup.
My thoughts are that someone who has been overly friendly with a lot of female celebrities either had a really bad Apple ID password, so it was compromised on a device, where photos from a Photos.app backup were grabbed from. That, or some sort of stolen phone/laptop for the same person. I'm skeptical, but doesnt look like a wide spread Apple iCloud exploit yet.
a) Wow! Nice work dude. I'm genuinely impressed. However...
b) He will be ridiculously easy to track down and catch and the consequences will probably be pretty severe. Why would a man who is capable of boning two dozen Hollywood hotties bother to take that kind of risk?
I know this may seem a tad obvious, but a lot of people have photos that have been sent from other devices (via email/text) in their iCloud so I wouldn't base any conclusions off of that.
Have they any ties in terms of celebrity management? The leak of some credentials (personal emails) could have been obtained from some agency's unsecured server.
The possibility of an iCloud leak is very low at this moment.
"Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.
— Mary E. Winstead (@M_E_Winstead) August 31, 2014"
Why where the pics available if they were deleted? On the technical side I mean, are iCloud/Flickr/Google/FB supposed to keep an archive with all the pictures users delete?! Isn't that a severe accusation about iCloud services?! (if true of course).
Easily explained. When you delete a photo from an online site, it's often the case that the photo is moved from its original folder to the "deleted" folder and stored there. This is how Google Drive works (using a folder named "trash"). Then, if you're especially diligent, you can delete the contents of the "deleted" folder, in which case, and finally, the content is deleted.
> Isn't that a severe accusation about iCloud services?!
Consider the alternative: "I unintentionally deleted my magnum opus. Where did you put it? On a desktop machine, there's a trash bin -- where's yours?"
You need to realize that, no matter what strategy you choose, someone will find a reason to complain about it, and their own ignorance will never be the problem.
ps. Thanks for the Google Drive hint, didn't knew that since I moved away from dropbox recently to GD.
Me too. As soon as I saw a Dropbox message that I had exceeded their puny storage limit and needed to start sending them money, I dumped them.
If you're not paying then "you're the product, not the customer".
Personally I would prefer to be a customer.
No, because other services offer more for less.
> Companies can't survive without charging you, or turning you into an advertising commodity.
Yes, but when one shops, one chooses the best of competing alternatives. You know, like in capitalism?
> If you're not paying then "you're the product, not the customer".
Nice reductionist sentiment. Just be sure your sexual partner doesn't hear you saying this.
There's a little more to life than you seem to think.
And I'm very curious as to how the fuck this happens.
I haven't seen many theories in general, let alone theories with much evidence behind them about how this could have happened. Other than iCloud! No dropbox! No NSA!
So while I wait for more technical minds to weigh in, I figured I'd take a stab at an alternate theory for people to ponder (or hopefully more likely tear apart!)
tl;dr
Gaining covert access locally via a potential buffet of attack vectors. Feels like this article, but voyeur not espionage (or necessarily China/state-based obviously) http://www.nytimes.com/2012/02/11/technology/electronic-secu...
Theory:
- Original hacker is one w/ privileged network access, &/or proximity to sniff, &/or compromise device(s) physically at a place frequented by celebs over a long period of time(years).
- Hotels, spas, coffee houses, studio lots, awards, etc etc.
- Potential for many attack vectors to match any given skill set. From MITM, to malware, to phishing, to gathering PII for social eng to compromised charging stations.
- And gives a window of time to allow for fast data transfer pillaging via LAN.
- Also gives a window where on same network, at same time and place pry helps to avoid tripping some suspicious access detection alarms.
- OG hacker is prob up to lots of nefarious stuff and someone else popped their personal stash.
-- What lead me there and away from a single platform exploit, a la iCloud?
I tried making sense of what was known and a few assumptions.
- If it was a platform exploit, finding even 20 of these girls' actual login emails from which to locate their accounts on a service is a massive undertaking – unless you have some kind of privileged position to harvest them (hotel desk, gyms, award ceremonies, etc etc) -- I feel like the probability of all these girls having passed through same places – like hotels, spas, sundance, soho house, awards, festivals, etc etc – over the course of 2-3 years is way higher than someone managing to figure out 100 correct login emails for them.
- The attacks appeared to have happened over a long period of time. At least late 2011 to within the last month judging from exif data. So they avoided tons of software and hardware updates for bugs and security patches.
- I assume these celebs have TONS of photos on any of their devices at any given time. Being photographed and taking photographs are part of their lives. So we're talking thousands or tens of thousands. Which takes a lot of time to copy. And like all of us, their photos are unorganized which means it takes a lot of time to find the gems. The longer it takes the attacker to get access and pillage, the more they are exposed. They needed to get in quick and consistently, and get out very fast.
- Given the volume and (alleged) success rate of 100+ celebs, manual social engineering or brute is out.
[1] http://www.politico.com/story/2014/08/russian-hacking-gang-u...
From a site affiliated with AnonIB, where celebrity nudes first surfaced:
https://web.archive.org/web/20140904115530/http://ibstol.wor... (NSFW)