Over 40 celebrities have iCloud accounts compromised and nude photos stolen

32 points by jdoliner ↗ HN
This might well wind up being the highest profile security breach we've ever seen in terms of national media coverage. The story is still developing but I'm interest to hear HN's thoughts on it as it does. How is Apple going to respond? Will this hurt their image and how?

Here's a few links to get you caught up: http://www.bgr.in/news/jennifer-lawrence-nude-photos-leaked-after-alleged-apple-icloud-hack/

http://www.theregister.co.uk/2014/08/31/jlaw_upton_caught_in_celeb_nude_pics_hack/

18 comments

[ 3.3 ms ] story [ 54.8 ms ] thread
I know a lot of people (@SwiftOnSecurity) are leading charge that this is an iCloud breach, but I'm thinking maybe not for a few reasons.

- A couple of photos seem to be taken with Android phones/web cams. I know this doesn't mean much, but makes it less likely to be a Photostream breach, as for that to happen, we'd likely only see photos taken with iPhone or iPad. This makes it much more likely to be from someone's personal backup. Could be iCloud, but not likely to be a Photostream exploit.

- Some videos in leak, and as far as I know, though I could be wrong, Photostream doesn't back up videos, only photos. So again likely a backup.

- Specifically with what look to be webcam examples, I don't want to downplay these celebrities tech knowledge, but to send webcam photos, I would guess email or something was used, not iMessage, etc. Again, likely to probably be from a backup.

My thoughts are that someone who has been overly friendly with a lot of female celebrities either had a really bad Apple ID password, so it was compromised on a device, where photos from a Photos.app backup were grabbed from. That, or some sort of stolen phone/laptop for the same person. I'm skeptical, but doesnt look like a wide spread Apple iCloud exploit yet.

If there is one man out there who has been "overly friendly" with all these women then...

a) Wow! Nice work dude. I'm genuinely impressed. However...

b) He will be ridiculously easy to track down and catch and the consequences will probably be pretty severe. Why would a man who is capable of boning two dozen Hollywood hotties bother to take that kind of risk?

"A couple of photos seem to be taken with Android phones/web cams. I know this doesn't mean much,"

I know this may seem a tad obvious, but a lot of people have photos that have been sent from other devices (via email/text) in their iCloud so I wouldn't base any conclusions off of that.

If I had to manage this kind of crisis, I would put all this celebrities together and tell that it was all part of a campaign against nude photos sharing and possibly deny the most dirty pics that leaked and never admit this happened.
Doesn't look like an iCloud hack to me too. More like a sloppy security setting on the part of the actresses, like too simple security questions or passwords too easy.

Have they any ties in terms of celebrity management? The leak of some credentials (personal emails) could have been obtained from some agency's unsecured server.

The possibility of an iCloud leak is very low at this moment.

What gives me the creeps is this:

"Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.

— Mary E. Winstead (@M_E_Winstead) August 31, 2014"

Why where the pics available if they were deleted? On the technical side I mean, are iCloud/Flickr/Google/FB supposed to keep an archive with all the pictures users delete?! Isn't that a severe accusation about iCloud services?! (if true of course).

> Why where the pics available if they were deleted?

Easily explained. When you delete a photo from an online site, it's often the case that the photo is moved from its original folder to the "deleted" folder and stored there. This is how Google Drive works (using a folder named "trash"). Then, if you're especially diligent, you can delete the contents of the "deleted" folder, in which case, and finally, the content is deleted.

> Isn't that a severe accusation about iCloud services?!

Consider the alternative: "I unintentionally deleted my magnum opus. Where did you put it? On a desktop machine, there's a trash bin -- where's yours?"

You need to realize that, no matter what strategy you choose, someone will find a reason to complain about it, and their own ignorance will never be the problem.

I see what you mean, you got a point there.

ps. Thanks for the Google Drive hint, didn't knew that since I moved away from dropbox recently to GD.

> ... since I moved away from dropbox ...

Me too. As soon as I saw a Dropbox message that I had exceeded their puny storage limit and needed to start sending them money, I dumped them.

Because online storage should be free? Companies can't survive without charging you, or turning you into an advertising commodity.

If you're not paying then "you're the product, not the customer".

Personally I would prefer to be a customer.

> Because online storage should be free?

No, because other services offer more for less.

> Companies can't survive without charging you, or turning you into an advertising commodity.

Yes, but when one shops, one chooses the best of competing alternatives. You know, like in capitalism?

> If you're not paying then "you're the product, not the customer".

Nice reductionist sentiment. Just be sure your sexual partner doesn't hear you saying this.

There's a little more to life than you seem to think.

Fair enough. I read your original post as if you were completely against companies charging for a service and that all such services should be free.
I have a feeling this story is far, far from being over.

And I'm very curious as to how the fuck this happens.

I haven't seen many theories in general, let alone theories with much evidence behind them about how this could have happened. Other than iCloud! No dropbox! No NSA!

So while I wait for more technical minds to weigh in, I figured I'd take a stab at an alternate theory for people to ponder (or hopefully more likely tear apart!)

tl;dr

Gaining covert access locally via a potential buffet of attack vectors. Feels like this article, but voyeur not espionage (or necessarily China/state-based obviously) http://www.nytimes.com/2012/02/11/technology/electronic-secu...

Theory:

- Original hacker is one w/ privileged network access, &/or proximity to sniff, &/or compromise device(s) physically at a place frequented by celebs over a long period of time(years).

- Hotels, spas, coffee houses, studio lots, awards, etc etc.

- Potential for many attack vectors to match any given skill set. From MITM, to malware, to phishing, to gathering PII for social eng to compromised charging stations.

- And gives a window of time to allow for fast data transfer pillaging via LAN.

- Also gives a window where on same network, at same time and place pry helps to avoid tripping some suspicious access detection alarms.

- OG hacker is prob up to lots of nefarious stuff and someone else popped their personal stash.

-- What lead me there and away from a single platform exploit, a la iCloud?

I tried making sense of what was known and a few assumptions.

- If it was a platform exploit, finding even 20 of these girls' actual login emails from which to locate their accounts on a service is a massive undertaking – unless you have some kind of privileged position to harvest them (hotel desk, gyms, award ceremonies, etc etc) -- I feel like the probability of all these girls having passed through same places – like hotels, spas, sundance, soho house, awards, festivals, etc etc – over the course of 2-3 years is way higher than someone managing to figure out 100 correct login emails for them.

- The attacks appeared to have happened over a long period of time. At least late 2011 to within the last month judging from exif data. So they avoided tons of software and hardware updates for bugs and security patches.

- I assume these celebs have TONS of photos on any of their devices at any given time. Being photographed and taking photographs are part of their lives. So we're talking thousands or tens of thousands. Which takes a lot of time to copy. And like all of us, their photos are unorganized which means it takes a lot of time to find the gems. The longer it takes the attacker to get access and pillage, the more they are exposed. They needed to get in quick and consistently, and get out very fast.

- Given the volume and (alleged) success rate of 100+ celebs, manual social engineering or brute is out.

I feel like the finger is being pointed in the wrong direction here. Were the images intentionally shared? No. Was it theft? Yes. However... you are a celebrity with no expectation of privacy, and privy to public attention and scrutiny. So is it illegal? Hell yes. Is it shocking? Not at all. Personally I feel like the blame should be placed on iCloud, and Android for making the default setting "save to the cloud". You want a solution, open a class action law suit against them both. I would be willing to bet that Microsoft is doing it too! Who really failed here, the end user, or the technology?
why do they take nude photos of themselves? I dont get it.